So I'm setting up my form validation, inputs, error messages etc... and then realized a lot of the info that I'm collecting will need to be output again at some point.
So I wrapped my inputs in:
Server.HtmlEncode(txtbox.Text);
What else should I be doing to ensure that I avoid XSS types of attacks? Should I be doing something when I write the data to the page as well?
From a security point of view, our Web forms are naked and 100% vulnerable. We need to look at all the ways data is passed to them and test as appropriate:
* Form Fields
* URL Query Strings
* Cookies
* Database
* ViewState
MSDN Design Guidelines for Secure Web Applications: http://msdn.microsoft.com/en-us/library/aa302420.aspx
Microsoft Anti-Cross Site Scripting Library: http://msdn.microsoft.com/en-us/security/aa973814.aspx
The Code Analysis Tool (CAT.NET): http://www.microsoft.com/downloads/details.aspx?FamilyId=0178e2ef-9da8-445e-9348-c93f24cc9f9d&displaylang=en
ASP.NET Data Input Validation: http://www.codersbarn.com/post/2008/11/01/ASPNET-Data-Input-Validation.aspx
EDIT: Coming soon, the new Web Protection Library CTP: http://blogs.msdn.com/securitytools/archive/2009/10/17/web-protection-library-ctp-release-coming-soon.aspx
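An added example, not from the question or the answer above, showing the principle behind the answer in Python (the same idea applies to ASP.NET, where Server.HtmlEncode from the question covers only the HTML-body case and the AntiXSS library linked above supplies the other encoders): store the submitted value raw and encode it at the point of output, choosing the encoder for the context it lands in (HTML body, HTML attribute, JavaScript string, URL query). The sample input string and the render_* function names are constructed for this example; the last function shows what happens when the value is HTML-encoded on the way in and again on the way out.

```python
"""Context-aware output encoding for untrusted form input (added example)."""
import html
import json
import urllib.parse

# Constructed sample: what a user might type into a text box.
# It is stored exactly as typed; nothing is encoded before the database.
SAMPLE_INPUT = '<b>Tom & "Jerry"</b> <script>alert(1)</script>'


def render_html_body(value: str) -> str:
    """Text node in the HTML body: escape &, <, >, " and '."""
    return "<p>" + html.escape(value, quote=True) + "</p>"


def render_html_attribute(value: str) -> str:
    """Quoted attribute value: the quote character must be escaped too,
    otherwise the value can close the attribute and start a new one."""
    return '<input type="text" value="' + html.escape(value, quote=True) + '">'


def render_js_string(value: str) -> str:
    """String literal inside a <script> block.

    json.dumps yields a quoted literal with " and \\ escaped; replacing "<"
    with \\u003c keeps a value containing "</script>" from ending the script
    element early, which HTML escaping alone would not prevent here.
    """
    literal = json.dumps(value).replace("<", "\\u003c")
    return "<script>var name = " + literal + ";</script>"


def render_url_query(value: str) -> str:
    """Query-string parameter inside an href: percent-encode for the URL
    context first, then HTML-encode because the URL sits in an attribute."""
    query = urllib.parse.urlencode({"q": value})
    return '<a href="/search?' + html.escape(query, quote=True) + '">search</a>'


def double_encoded(value: str) -> str:
    """What the page shows if the value was HTML-encoded on input and the
    output layer (correctly) encodes again: the user sees '&lt;' literally."""
    return html.escape(html.escape(value, quote=True), quote=True)


if __name__ == "__main__":
    for fn in (render_html_body, render_html_attribute,
               render_js_string, render_url_query, double_encoded):
        print(fn.__name__, "->", fn(SAMPLE_INPUT))
```

Run it and compare the four render_* outputs with the double_encoded one: the former neutralise the markup in every context, while the latter shows the visible `&amp;lt;` garbage that results from encoding on input as the question proposes. Keeping the stored value raw and encoding once, at output, avoids both the XSS and the double-encoding.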