Does an ASP.NET application protect against cross-site scripting by default? I have read that the machine.config file has an attribute that is set to on by default and this protects against cross-site scripting? Is this true?
<system.web>
<pages buffer="true" validateRequest="true" />
</system.web>
you can use antxss library as addition