I'm trying to make sure my ASP.NET WebForms application is as secure as possible. It receives and stores user input data to a SQL database (the usual stuff), only for users with a login, so it is not available to the general public.
By disabling ValidateRequest for input pages, I appreciate there's a risk of XSS attacks. All the SQL queries are parameterised, so they are safe from SQL injection (correct?).
Rather than using the Anti-XSS library, can I just use HtmlEncode on the input text? Do I then store the HtmlEncoded string?
Or am I looking at it the wrong way? Should I store the user's input verbatim, and then HtmlEncode or XSS-HtmlEncode it any time it is output to a browser?
OK, reading around, it appears that common wisdom is to store the input verbatim, make no adjustments whatsoever, and simply parameterise to protect against SQL injection.
Some good comments here: What are the best practices for avoiding xss attacks in a PHP site
Then either HTML-encode (seems vulnerable), or use the XSS library to encode the output. As said in the link above, the destination for the data may not be a browser at some later point.
Then, using the examples of XSS attacks here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet, input some of these into the database and read them back to the browser. With the right encoding you should see the text, and not have a script executed.
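An added illustration of the pattern the question settles on (store verbatim via a parameterised query, encode per output context at render time); this is example code, not from the question or from any library it mentions, and it assumes a Comments(UserId, Body) table and a System.Web reference on the .NET Framework.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;
using System.Web;

// Hypothetical helpers: the raw input goes in untouched, the encoder is
// chosen only when the value is written into a page.
public static class CommentStore
{
    // Assumes a table Comments(UserId INT, Body NVARCHAR(4000)).
    // The value travels as a typed parameter, so whatever it contains
    // is data to SQL Server, never part of the statement text.
    public static void Save(SqlConnection conn, int userId, string rawComment)
    {
        using (var cmd = new SqlCommand(
            "INSERT INTO Comments (UserId, Body) VALUES (@UserId, @Body)", conn))
        {
            cmd.Parameters.Add("@UserId", SqlDbType.Int).Value = userId;
            cmd.Parameters.Add("@Body", SqlDbType.NVarChar, 4000).Value = rawComment;
            cmd.ExecuteNonQuery();
        }
    }

    // Element content, e.g. <p><%= CommentStore.ForHtmlBody(body) %></p>
    public static string ForHtmlBody(string stored)
    {
        return HttpUtility.HtmlEncode(stored);
    }

    // Quoted attribute value, e.g. <input value="<%= ... %>">
    public static string ForHtmlAttribute(string stored)
    {
        return HttpUtility.HtmlAttributeEncode(stored);
    }

    // Inside a JavaScript string literal, e.g. var c = '<%= ... %>';
    public static string ForJavaScriptString(string stored)
    {
        return HttpUtility.JavaScriptStringEncode(stored);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample in the style of the OWASP filter-evasion list.
        string payload = "<IMG SRC=\"javascript:alert('XSS');\">";
        Console.WriteLine(CommentStore.ForHtmlBody(payload));
        Console.WriteLine(CommentStore.ForHtmlAttribute(payload));
        Console.WriteLine(CommentStore.ForJavaScriptString(payload));
        // Storing the encoded form instead would tie the data to one output
        // context and double-encode it on any path that also encodes at render time.
    }
}
```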