Could you please assist with the security vulnerability of a DataTable or DataSet that is bound using Gridview.DataSource = dataset;

What I have tried:

I have tried to HttpUtility.HtmlEncode but working for dataset
Updated 11-Oct-20 9:31am

1 solution

Reference: eval - Prevent Cross site scripting attack in asp.net C#

To prevent XSS when using TemplateField on .NET Framework 4.0 or older, you can use the Microsoft Web Protection Library on the aspx page. On .NET Framework 4.5 and above, it is already integrated with the framework.
Framework 4.0 or older:
ASP.NET
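<ItemTemplate>
<%-- Encode the bound value with the Web Protection Library before it is rendered --%>
<asp:Label ID="Name" runat="server" 
     Text='<%#Microsoft.Security.Application.Encoder.HtmlEncode(Eval("Name").ToString()) %>'> 
</asp:Label>
</ItemTemplate>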

Framework 4.5 and above:
ASP.NET
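<ItemTemplate>
<%-- Encode the bound value with the built-in AntiXssEncoder (true = use named entities) --%>
<asp:Label ID="Name" runat="server" 
     Text='<%#System.Web.Security.AntiXss.AntiXssEncoder.HtmlEncode(Eval("Name").ToString(),true) %>'> 
</asp:Label>
</ItemTemplate>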

This will encode your labels when they are rendered. Use it only for the ItemTemplate; the EditItemTemplate renders an HTML text input, and it will be encoded by the framework by default.

Another article that would be a good read: Preventing XSS in ASP.Net Made Easy
   
Comments
BillWoodruff 12-Oct-20 1:12am
   
+5
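
An added example, not part of the original answer or of the linked articles: a single-file .aspx page for .NET Framework 4.5 or later that binds a constructed DataSet to a GridView, as in the question, and puts unencoded and encoded columns side by side. The control ID `People`, the helper `Enc` and the sample rows are assumptions made for illustration.

```aspx
<%@ Page Language="C#" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Web.Security.AntiXss" %>
<script runat="server">
    // Constructed sample data: one plain value, one containing markup, one NULL.
    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        var table = new DataTable("People");
        table.Columns.Add("Name", typeof(string));
        table.Rows.Add("Alice");
        table.Rows.Add("<b>bold</b> & <i>italic</i>");
        table.Rows.Add(DBNull.Value);
        var ds = new DataSet();
        ds.Tables.Add(table);
        People.DataSource = ds;   // binds to the first table in the DataSet
        People.DataBind();
    }

    // Hypothetical helper: encode at output time. Eval returns object, and
    // Convert.ToString turns null/DBNull into "" instead of throwing.
    protected static string Enc(object value)
    {
        return AntiXssEncoder.HtmlEncode(Convert.ToString(value), true);
    }
</script>
<html>
<body>
<form runat="server">
<asp:GridView ID="People" runat="server" AutoGenerateColumns="false">
  <Columns>
    <%-- Weak: encoding switched off, the raw value reaches the page --%>
    <asp:BoundField DataField="Name" HeaderText="Bound, raw" HtmlEncode="false" />
    <%-- Safe: BoundField encodes by default (HtmlEncode="true") --%>
    <asp:BoundField DataField="Name" HeaderText="Bound, default" />
    <asp:TemplateField HeaderText="Template, raw">
      <%-- Weak: Eval output is written as-is --%>
      <ItemTemplate><asp:Label runat="server" Text='<%# Eval("Name") %>' /></ItemTemplate>
    </asp:TemplateField>
    <asp:TemplateField HeaderText="Template, encoded">
      <%-- Hardened: the value passes through the encoder before rendering --%>
      <ItemTemplate><asp:Label runat="server" Text='<%# Enc(Eval("Name")) %>' /></ItemTemplate>
    </asp:TemplateField>
  </Columns>
</asp:GridView>
</form>
</body>
</html>
```

In the rendered grid the second row shows formatted text in the two raw columns and literal `<b>` tags in the two encoded ones, so the columns to audit in an existing page are any BoundField with HtmlEncode="false" and any TemplateField that emits Eval output directly.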

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)



