I'm current trying to secure my site from XSS attacks in the Url. For example if the attacker is using Firefox they can do the following
myxsssite.com/mypage.aspx?d"><script class="none&>alert(1);</script clas="none&><!--=1
And the script will be run. I've been searching around for a couple days now and can't seem to find a solution that works. Currently I've tried the AntiXSS library from MS. I don't think it's working correctly I'm encoding the whole url like so
Mircosoft.Security.Application.Encoder.HtmlEncode(path);
I've tried all the other methods in this class as well and the script is still being executed before the page loads. I'm using ASP.net 3.5 with Webforms, and I can't upgrade.
https://www.microsoft.com/en-us/download/details.aspx?id=28589
they have this dll, that basically all you need to do is use the sanitize method, and if there is a change between the original value and the sanitized value that means that there might be an attempt for XSS, and you either throw it all or just use the sanitized value.
dont use any encoding method, there is a method called something with "sanitize".
EDIT: code example
val = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(val);
val = System.Web.HttpUtility.HtmlDecode(val);
EDIT 2: https://www.nuget.org/packages/HtmlSanitizationLibrary/
the dll i am using is HtmlSanitizationLibrary.dll