Thursday, May 7, 2009

Minimizing script injection with Server.HtmlEncode

On some occasions part of your web application might need to have validateRequest turned off to allow users to input specific tags needed for their business. This poses a security risk that needs to be treated. One way to reduce it is to use Server.HtmlEncode() on the user-supplied text before it is rendered back into the page.

In this small example we have an aspx page that has its validateRequest turned off:



With the following design:



If we type in a JavaScript block and press the "Unsafe submit" button, the script will execute.



Code behind:



To prevent the injected script from running we can use Server.HtmlEncode() as follows:



Now when pressing the "Safe submit" button the script will be HTML-encoded and rendered as harmless text for the user:
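A single-file .aspx page reconstructing the two buttons described above, as an added example (not the post's downloadable source); the control IDs and handler names are assumed:

```aspx
<%@ Page Language="C#" ValidateRequest="false" %>
<!-- Example added here, not the post's own code.
     ValidateRequest="false" disables ASP.NET request validation, so the
     raw text (including <script> tags) reaches the handlers unchanged. -->
<script runat="server">
    // Renders the input verbatim: a <script> block typed into txtInput
    // becomes part of the page and executes in the user's browser.
    protected void btnUnsafe_Click(object sender, EventArgs e)
    {
        litOutput.Text = txtInput.Text;
    }

    // Server.HtmlEncode turns '<', '>', '&' and '"' into HTML entities,
    // so the browser displays the tags as text instead of parsing them.
    protected void btnSafe_Click(object sender, EventArgs e)
    {
        litOutput.Text = Server.HtmlEncode(txtInput.Text);
    }
</script>
<html>
<body>
    <form id="form1" runat="server">
        <asp:TextBox ID="txtInput" runat="server" TextMode="MultiLine" Rows="5" Columns="60" />
        <br />
        <asp:Button ID="btnUnsafe" runat="server" Text="Unsafe submit" OnClick="btnUnsafe_Click" />
        <asp:Button ID="btnSafe" runat="server" Text="Safe submit" OnClick="btnSafe_Click" />
        <hr />
        <asp:Literal ID="litOutput" runat="server" />
    </form>
</body>
</html>
```

Server.HtmlEncode is the right encoder only when the value is written into HTML element content; a value placed inside an attribute, a JavaScript string or a URL needs the encoder for that context. Encoding at the point of output, as here, also leaves the stored text intact for the business use that required validateRequest to be turned off.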



For complete source code click here.
