
Proper handling of user input

So I'm setting up my form validation, inputs, error messages etc... and then realized a lot of the info that I'm collecting will need to be output again at some point.

So I wrapped my inputs in:

Server.HtmlEncode(txtbox.Text);

What else should I be doing to ensure that I avoid XSS types of attacks? Should I be doing something when I write the data to the page as well?


From a security point of view, our Web forms are naked and 100% vulnerable. We need to look at all the ways data is passed to them and test as appropriate:

* Form Fields
* URL Query Strings
* Cookies
* Database
* ViewState

MSDN Design Guidelines for Secure Web Applications: http://msdn.microsoft.com/en-us/library/aa302420.aspx

Microsoft Anti-Cross Site Scripting Library: http://msdn.microsoft.com/en-us/security/aa973814.aspx

The Code Analysis Tool (CAT.NET): http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en

ASP.NET Data Input Validation: http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx

EDIT: Coming soon, the new Web Protection Library CTP: http://blogs.msdn.com/securitytools/archive/2009/10/17/web-protection-library-ctp-release-coming-soon.aspx


I suggest to HtmlEncode when you output data to the page, not when you collect it. From Stack Overflow podcast #58:

Don’t HTML encode data that’s stored in your database! Take the good advice of Damien Guard and Joel Spolsky! You can choose to store both representations, but don’t store just the HTML; go with the raw data at the highest level of precision.

Links

  • 5 signs your ASP.NET application may be vulnerable to HTML injection
  • How To: Prevent Cross-Site Scripting in ASP.NET - specific for .NET 1.0/2.0
  • XSS (Cross Site Scripting) Cheat Sheet
  • Safe HTML and XSS
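As an added example (not code from the question or either answer), the C# below puts the second answer's advice into practice for the situation the asker describes: the submitted value is stored raw, and encoding happens only when the value is written out, using the encoder that matches the output context. It uses System.Web.HttpUtility, which is what Server.HtmlEncode calls underneath; the UserProfile, SafeOutput and Demo names are mine, and the hostile input string is constructed for the demonstration.

```csharp
// Added example: store raw, encode at output, pick the encoder per context.
// Assumes .NET Framework 4.x or .NET Core 2.0+ (System.Web.HttpUtility is
// available in both and is the encoder behind Server.HtmlEncode).
using System;
using System.Web;

public class UserProfile
{
    // Stored exactly as submitted: no HTML encoding at collection time,
    // so the same value can later go to HTML, JSON, email or a report.
    public string DisplayName { get; set; }
}

public static class SafeOutput
{
    // Text between tags, e.g. <p>...</p>
    public static string ForHtmlBody(string raw) =>
        HttpUtility.HtmlEncode(raw);

    // Inside a quoted attribute, e.g. <input value="...">
    public static string ForHtmlAttribute(string raw) =>
        HttpUtility.HtmlAttributeEncode(raw);

    // Inside a JavaScript string literal, e.g. var name = "...";
    // (also escapes < and > so "</script>" cannot close the block)
    public static string ForJsString(string raw) =>
        HttpUtility.JavaScriptStringEncode(raw);

    // A query-string parameter, e.g. /search?q=...
    public static string ForUrlParameter(string raw) =>
        HttpUtility.UrlEncode(raw);
}

public static class Demo
{
    public static void Main()
    {
        // Constructed hostile input of the kind a form field, query string
        // or cookie might deliver; it tries to break out of two contexts.
        var profile = new UserProfile
        {
            DisplayName = "<script>alert(1)</script>\" onmouseover=\"alert(2)"
        };

        // Each output site applies the encoder for its own context.
        Console.WriteLine("<p>" + SafeOutput.ForHtmlBody(profile.DisplayName) + "</p>");
        Console.WriteLine("<input value=\"" + SafeOutput.ForHtmlAttribute(profile.DisplayName) + "\">");
        Console.WriteLine("var name = \"" + SafeOutput.ForJsString(profile.DisplayName) + "\";");
        Console.WriteLine("<a href=\"/search?q=" + SafeOutput.ForUrlParameter(profile.DisplayName) + "\">");

        // The cost of encoding at collection time instead: the stored value is
        // already HTML, so the (correct) encode at output runs a second time.
        // The ampersand of "&amp;" is encoded again and the browser shows the
        // entity text itself rather than the ampersand the user typed.
        string storedEncoded = HttpUtility.HtmlEncode("Tom & Jerry");
        string doubleEncoded = HttpUtility.HtmlEncode(storedEncoded);
        Console.WriteLine("stored:  " + storedEncoded);
        Console.WriteLine("output:  " + doubleEncoded);
    }
}
```

Note that the encoder is chosen by where the value lands, not by where it came from: the same DisplayName needs HtmlAttributeEncode in a value="" attribute and JavaScriptStringEncode inside a script block, and HtmlEncode alone is not sufficient for either of those contexts.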
