Friday, May 24, 2013

Preventing javascript as a query parameter, ASP

Suppose your web page is using this controller action

// HttpUtility lives in System.Web (System.Web.dll on the .NET Framework)
using System.Web;

public string Browse(string queryParam)
{
    // Encode the untrusted value before it is written to the response as HTML,
    // so any markup it contains is rendered as text instead of being parsed.
    string message = HttpUtility.HtmlEncode("user.id = " + queryParam);
    return message;
}

Here HttpUtility.HtmlEncode is used so that untrusted user input cannot be interpreted as HTML. For example, if someone deliberately requests /home/user?queryParam=<script>window.location='http://myworld.com'</script>, the encoder turns the angle brackets into &lt; and &gt; (and the quotes into &#39;), so the browser displays the script tag as plain text instead of executing it and redirecting the visitor. This protects the HTML element context shown here; a value written into an attribute, a URL or a script block needs the encoder for that context.
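The following console program is an added example, not code from the original post: it runs the post's hostile payload through the same HttpUtility.HtmlEncode call the action uses, checks that no raw angle bracket survives, and contrasts it with HttpUtility.JavaScriptStringEncode for the case where the same value is echoed inside a script block. The class and method names are made up for the example; it assumes a reference to System.Web.dll (.NET Framework) or the System.Web.HttpUtility type shipped with .NET Core 2.0 and later.

```csharp
using System;
using System.Web;   // HttpUtility (System.Web.dll on .NET Framework; built in on .NET Core 2.0+)

// Added example: context-specific encoding of one untrusted query parameter.
public static class QueryParamEncoding
{
    // Constructed sample: the same payload the post uses as hostile input.
    public const string Payload = "<script>window.location='http://myworld.com'</script>";

    // What the post's Browse action does: the value lands inside HTML text,
    // so the HTML encoder is the right tool. '<' '>' '&' '"' and '\'' are
    // replaced by entities and the browser shows the tag as literal text.
    public static string ForHtmlBody(string queryParam)
    {
        return HttpUtility.HtmlEncode("user.id = " + queryParam);
    }

    // If the same value is instead emitted inside a <script> block as a
    // string literal, HtmlEncode is the wrong tool (the browser is already
    // inside script, not parsing tags). JavaScriptStringEncode escapes quotes,
    // backslashes and angle brackets so the literal cannot terminate the
    // string or the script element.
    public static string ForJavaScriptLiteral(string queryParam)
    {
        return "var userId = \"" + HttpUtility.JavaScriptStringEncode(queryParam) + "\";";
    }

    // Self-check: after encoding, a raw '<' must never remain in either output.
    public static bool ContainsRawTag(string encoded)
    {
        return encoded.IndexOf('<') >= 0;
    }

    public static void Main()
    {
        string html = ForHtmlBody(Payload);
        string js = ForJavaScriptLiteral(Payload);

        Console.WriteLine("Unencoded : user.id = " + Payload);
        Console.WriteLine("HTML body : " + html);
        Console.WriteLine("JS literal: " + js);

        if (ContainsRawTag(html) || ContainsRawTag(js))
        {
            throw new InvalidOperationException("encoder left a raw '<' in the output");
        }
        Console.WriteLine("OK: no raw tag delimiters survived encoding");
    }
}
```

Keep the encoding as close to the output as possible: in an MVC Razor view, `@Model.Message` already HTML-encodes, so encoding in the controller and again in the view would double-encode and show `&amp;lt;` to the user. The block above encodes once, at the point where the context is known.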