.NET Tutorials, Forums, Interview Questions And Answers
Welcome :Guest
Sign In
Win Surprise Gifts!!!

Top 5 Contributors of the Month
Gaurav Pal
Post New Web Links

Prevent from Cross-Site Scripting Attack

Posted By:      Posted Date: October 15, 2010    Points: 0   Category :ASP.Net

Hi All

I am really facing a major problem from Cross-Site Scripting Attack, Could anybody help me it would be really grateful. Below is sample script which automatically gets inserted into my HTML and ASPX Pages.

"<script src=http://avidmarketing.ie/images/rc3/companybuttonwhite.php ></script>"

Thanks in Advance


View Complete Post

More Related Resource Links

Preventing cross-site scripting and encoding a single quote


I'm trying to prevent possible cross-site scripting attacks for our internal use app (but available publicly outside the firewall).

One feature of our app is a javascript based breadcrumb that keeps track of prior urls (via nice titles). Everytime, a new page is loaded in the current workflow, when that page renders as the browser, it includes some javascript (generated server side in C# and put into the page) to add itself to the breadcrumb trail. Currently, the url that is launched is given directly to that javascript function. However, if that url contains a single quote it is possible to inject some custom javascript, ie, one would just need to append    ');alert('yeah!');       to their url.

I tried encoding/escaping but they skip the single quote. This is a case where I'm just passing the url through. But theoretically, if an attacker tricked somebody into launching his site when they are in ours, then I guess he could get script to execute in our page.

I don't see any method that takes a COMPLETE url and encodes/escapes JUST the parameters. So for now, I'm tearing down the url, and rebuilding it from the ground up, but encoding the parameter names and values.  This basically prevents the script from running, but I do still end up with at least a javascript error because of

HttpRequestValidationException, handling Cross Site Scripting (XSS)


First of all, this exception is caused by entering scripts or disallowed text as "<script>", "<h1>" by the user. This exception will be thrown while processing the request.

After searching and trying, most of the solutions were to:

1- disable request validation in the page header (validateRequest="false") or in the pages section in web.config.

I dont see this is a solution, the XSS problem is still there, it just does not throw the exception.

2- To encode the text and decode it using Server.HtmlEncode and Server.HtmlDecode.

This is a good one, but have to go every single textbox and call this method (Server.Encode(txtAddress.Text)), but this require alot of effort to change the whole site, and some of them may be forgotten.

I was thinking of creating a new TextBox control (MyTextBox) to inherit from System.Web.UI.WebControls.TextBox and override the Text property, then Encode base.Text in the get accessor, and Decode base.Text in the set accessor.

This will also require to change the whole site, to use MyTextBox instead of TextBox.

Any suggestions?

A Simple XML-driven Tool: Monitor Your Web Site's Activity with COM and Active Scripting


This article describes a simple Web site monitoring tool built with XML, JScript, Windows Script Host, and COM objects. Although it is not intended to replace complete Web site monitoring software products, it has many useful features that help to keep Web servers up and running. An XML configuration file specifies which Web sites to monitor and the actions to be taken if the site isn't functioning properly. In addition, the tool can be scheduled to run at any specified interval using the Windows Task Scheduler. Functions that probe the sites, log events, and send e-mail notifications are written in JScript.

Panos Kougiouris

MSDN Magazine July 2000

Work around cross scripting issue (iframe)

I want to know how I can get the button in the iframe to send the selected item in the dropdown box to a text box that is out side of the iframe. The setup is as follows This is the source of the Php page. The iframe receives the controls from the aspx page on another website. 2 separate websites. The asp.net site sends a dropdown box a label and a button to the page below (php page):<iframe id="hdnFrm" name="hdnFrm" src="" scrolling="no" marginwidth="0" marginheight="0" frameborder="0" vspace="0" hspace="0" style="width:90%; height:50px"></iframe> <form action='http://www.link-exchangers.com/adv_links_addbycustomer.aspx' target='hdnFrm' method='post'> <table width=90% align=center cellpadding=2 cellspacing=0 border=0> <tr><td valign=top>Contact email: </td><td><input type=text name=web_email value="" style='width:250px'></td></tr> <tr><td valign=top>Web site title: </td><td><input type=text name=web_title value="" style='width:250px'></td></tr> <tr><td valign=top>Your url: </td><td><input type=text name=web_url value="http://" style='width:

cross site-collection content query wp

Hi,How can i override the Content query wp so i can query data from other site collection? Is it possible?How? Recommended ways? alternatives? references?the site collection is under another site collectioni did some googling and only found a comercial wp for this..tks

Xsltlistviewwebpart social tagging error on cross site list

Hi! I have exported an xsltslistviewwebpart through SPD 2010 and when asked if I want to show a specific list or parent path I choose specfic. I then import the webpart file on another site and this show the list perfect with ribbon and everything. But when I click the social tagging & notes I get a new popup with a error message in: "The page you selected contains a list that does not exist.  It may have been deleted by another user.<nativehr>0x81020026</nativehr><nativestack></nativestack>" This is the same error that I get if I try to import a xsltlistviewwebpart without making the correct export. If I click this button on the original listview I dont get the error and I can add tags. The same problems goes for the I like button.Findwise AB

Prevent XSS attack

I have a web form that needs to accept XML/HTML codes.  The default requestValidation is disabled (because that will prevent ANY XML tag.)  The site is internal only and only a few people have access to that form, but I still want to include protection against XSS.  My question is, what should I look for to filter out?Strings that begin with <script is an obvious one.I supposed javascript: is also bad.What else?

Cross browser audio playback on membership auth. site...


Using VS2005, VB code behind,

I have a page that contains the following object tag...

        <object id="mediaPlayer" classid="CLSID:6BF52A52-394A-11d3-B153-00C04F79FAA6" codebase="https://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=5,1,52,701" standby="Loading Microsoft Windows® Media Player components..." type="application/x-oleobject" width="0" height="0"> 
            <param name="url" value="" /> 
            <param name="animationatStart" value="false" /> 
            <param name="transparentatStart" value="true" /> 
            <param name="autoStart" value="true" /> 
            <param name="autoSize" value="false" /> 
            <param name="showControls" value="false" /> 
            <param name="volume" value="100" /> 
            <embed type="application/x-mplayer2" pluginspage="https://www.microsoft.com/Windows/MediaPlayer/" src="" 
                  name="mediaPlayer" autostart="true" autosize="false" showcontrols="false" volume

# string with cross site lookup field value of List in datasheet view in moss 2007

I am getting appended # code value with cross site lookup field value of List in datasheet view, and also i am getting this value while export to Spreadsheet. How to remove this value.....

# string with cross site lookup field value of List in datasheet view in moss 2007


I am getting appended # code value with cross site lookup field value of List in datasheet view. I dont want that hash coded value, i need actual value. Please provide me the solution.



Rajanikanth Rayala

Cross site lookup field value contains the parent list item id and the title field separated by ;# i

Actually we are using third party component for cross site lookup and facing the problem with cross site lookup field value. Its showing the correct value in default list view mode, but in "Edit in Datasheet" and "Export to Datasheet" view cross site lookup field value contains the parent list item id and the title field separated by ;#. I need the actual value in "Edit in Datasheet" and "Export to Datasheet" view as shown in default list value, i dont want that appended parent list item id and separated by ;#.

Is there any OutOfBox soluiton for this. Please suggest me for the same.


WSS 3.0 Cross Site-Collection List Lookup


Hi all

New to Sharepoint here, so apologies if the question is unclear.

We would like to store centralised reference data in a dedicated site-collection and allow it to be accessed from other site-collections using list lookups. Can anyone recommend a webpart that would allow us to do this? I've found lots of cross-site list webparts, but not for crossing SC boundaries. Is there an OOTB feature that we could extend to achieve the same thing?




If you have found this post helpful, please click the 'Vote as Helpful' link (the green triangle and number on the top-left).

If this post answers your question, click the 'Mark As Answered' link below. It helps others who experience the same issue in future to find the solution.

Cross site lookups?


Has anyone found an addon for using cross site lookup columns in 2010? I see there are suggestions on creating custom solutions, but seeing as this is quite a common problem I would think that someone has created something already.



Calculated Cross-site lookup



I have 2 sites. SiteA and SiteB.
SiteA has a list called ListA with 3 columns(FirstName, LastName and email address).
SiteB has 5 columns (FirstName, LastName, email address, Project Name and Project Status)

When I want to enter FirstName in ListB, I want this information to be looked-up in ListA and auto-fill/auto-populate LastName and Email Address in ListB by doing a lookup in ListA.

How may I do this calculated cross-site lookup?

It is not possible OOTB so I am happy to purchase a tool.

Thank you

cross-site list lookup using sharepoint 2010


Hi All,

Just want to ask how can I cross-site list lookup using sharepoint 2010.

 I’ve created two Sites. TestSite1 that has a list called List1 and TestSite2 that has a list called List2. The problem is when I tried to create a lookup column in List2 so I could see the List column in TestSite1 I could not find it.

How can I do this using the OOTB SharePoint 2010?


Thank you in advance.

cross site, within collection, Lookup column

Is it possible, through the UI or with  Designer 2007, do create a Lookup column that gets its data from another site within the same site collection?  If not, can you recommend any FREE third party tools to do this?  Thank you.
There are no mistakes; every result tells you something of value about what your are trying to accomplish.

Infopath Web Part cross-site


I love the Infopath Web Part but want to be able to use it "cross-site" and cross-site collection. The scenario is that we have an extranet on the Internet which we want to publish data to our intranet (different site collection). We would like to present on the extranet an Infopath form which writes to a SP list in the Intranet, or at least publishes the form to a Form Library in the Intranet.

Additionally we would like to allow users to actually be able to edit their entries, using the Data View / List View web part connected to the Infopath Web Part.

I haven't been able to figure out a way to accomplish either of these goals as the Infopath Web Part is limited to the current site. Any ideas?

ASP.NetWindows Application  .NET Framework  C#  VB.Net  ADO.Net  
Sql Server  SharePoint  Silverlight  Others  All   

Hall of Fame    Twitter   Terms of Service    Privacy Policy    Contact Us    Archives   Tell A Friend