Cross-Site Scripting attacks are very common on the Internet these days. The sad thing is these attacks can easily be thwarted with a little extra analysis and architecting before programming begins.
Far too many Web Sites do not make the effort to stop common attacks and thus are wide open to attack. This can allow hackers to do just about anything from altering the content of your site or extracting private information from a database. Worse yet they can also wipe an entire database off the face of the earth in a few minutes flat. Yes it can be as bad as the Hollywood movies dramaticise it.
Fortunately most of these attacks can easily be stopped with a little extra effort in the application design and programming phases. ASP.NET comes with some built-in protection, which is turned on by default. But attacks can change and prevention algorithms need to constantly be updated to be more efficient. This is why Microsoft create the Anti-Cross Site Scripting Library.
This library provides seven static (C#) or Share (VB.NET) methods that can be used to stop many attacks dead in their tracks.
HtmlEncode - Encodes strings for use in HTML
HtmlAttributeEncode- Encodes strings for use in HTML Attributes
JavaScriptEncode - Encodes strings used in JavaScript
URLEncode - Encodes strings used in a URL
VisualBasicScriptEncode - Encodes strings used in Visual Basic Script
XMLEncode - Encodes Strings used in XML
XMLAttributeEncode- Encodes Strings used in XML Attributes
Basically anytime you gather text from a user and echo it back on a page it needs to be encoded. While there are utility methods built into the ASP.NET framework, the library steps above and beyond them.
I will be demonstrating the use of each one over the next few weeks. But I encourage you to download the library and start examining how to integrate it into your framework and architecture.