[{"data":1,"prerenderedAt":610},["ShallowReactive",2],{"blog:2007:5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection":3,"blogMore-Development":596,"comments-5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection":609},{"id":4,"title":5,"body":6,"category":574,"commentCount":575,"date":576,"description":577,"excerpt":578,"extension":579,"filenames":580,"hidden":581,"image":580,"meta":582,"minutes":101,"navigation":583,"path":584,"seo":585,"showCategory":580,"stem":586,"tags":587,"updated":580,"url":593,"wordCount":594,"__hash__":595},"content\u002Fblog\u002F2007\u002F5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection.md","5 signs your ASP.NET application may be vulnerable to HTML injection",{"type":7,"value":8,"toc":566},"minimark",[9,19,27,38,43,50,117,121,128,251,255,258,261,366,370,373,376,447,450,454,457,464,528,532,545,548,554,562],[10,11,12,13,18],"p",{},"If you don’t encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting though to capturing and interfering with form data via remote scripts (XSS). Such vulnerabilities are ",[14,15,17],"a",{"href":16},"\u002Fblog\u002F2007\u002Fhow-dangerous-is-html-injection\u002F","incredibly dangerous",".",[10,20,21,22,26],{},"Using MonoRail or Microsoft’s MVC does not make you automatically immune; use ",[23,24,25],"code",{},"{! }"," in MonoRail’s Brail engine and the HtmlHelpers in Microsoft’s MVC to ensure correct encoding.",[10,28,29,30,33,34,37],{},"Just imagine ",[23,31,32],{},"post.Author ","contains ",[23,35,36],{},"\">\u003Cscript src=\"http:\u002F\u002Fabadsite.com\">\u003C\u002Fscript>"," after an unscrupulous user entered that into a field your application uses and it got into the database. The following typical ASP.NET techniques would leave you open.",[39,40,42],"h2",{"id":41},"_1-you-use-or-tags-to-output-data","1. 
You use \u003C%= %> or \u003C%# %> tags to output data",[10,44,45,46,49],{},"Example showing outputting literals with ",[23,47,48],{},"\u003C%= %>"," :",[51,52,57],"pre",{"className":53,"code":54,"language":55,"meta":56,"style":56},"language-jsx shiki shiki-themes everforest-light dracula","\u002F\u002F Vulnerable\n\u003Cp>Posted by \u003C%= post.Author %>\u003C\u002Fp>\n\u002F\u002F Secure\n\u003Cp>Posted by \u003C%= HttpUtility.HtmlEncode(post.Author) %>\u003C\u002Fp>\n","jsx","",[23,58,59,68,93,99],{"__ignoreMap":56},[60,61,64],"span",{"class":62,"line":63},"line",1,[60,65,67],{"class":66},"sSX4p","\u002F\u002F Vulnerable\n",[60,69,71,75,78,81,85,88,90],{"class":62,"line":70},2,[60,72,74],{"class":73},"sNvvj","\u003C",[60,76,10],{"class":77},"s9HRq",[60,79,80],{"class":73},">",[60,82,84],{"class":83},"s6Vpi","Posted by \u003C%= post.Author %>",[60,86,87],{"class":73},"\u003C\u002F",[60,89,10],{"class":77},[60,91,92],{"class":73},">\n",[60,94,96],{"class":62,"line":95},3,[60,97,98],{"class":66},"\u002F\u002F Secure\n",[60,100,102,104,106,108,111,113,115],{"class":62,"line":101},4,[60,103,74],{"class":73},[60,105,10],{"class":77},[60,107,80],{"class":73},[60,109,110],{"class":83},"Posted by \u003C%= HttpUtility.HtmlEncode(post.Author) %>",[60,112,87],{"class":73},[60,114,10],{"class":77},[60,116,92],{"class":73},[39,118,120],{"id":119},"_2-you-use-responsewrite","2. 
You use Response.Write",[10,122,123,124,127],{},"Example showing writing out attributes with Response.Write and String.Format, again post.Author could contain ",[23,125,126],{},"\u003Cscript>",":",[51,129,133],{"className":130,"code":131,"language":132,"meta":56,"style":56},"language-csharp shiki shiki-themes everforest-light dracula","\u002F\u002F Vulnerable\nResponse.Write(String.Format(\"\u003Cinput type=\\\"text\\\" value=\\\"{0}\\\" \u002F>\", post.Author);\n\u002F\u002F Secure\nResponse.Write(String.Format(\"\u003Cinput type=\\\"text\\\" value=\\\"{0}\\\" \u002F>\", HttpUtility.HtmlAttributeEncode(post.Author));\n","csharp",[23,134,135,139,199,203],{"__ignoreMap":56},[60,136,137],{"class":62,"line":63},[60,138,67],{"class":66},[60,140,141,144,148,151,154,157,161,165,169,172,174,177,179,182,184,187,189,192,196],{"class":62,"line":70},[60,142,143],{"class":83},"Response.",[60,145,147],{"class":146},"sS4Kt","Write",[60,149,150],{"class":83},"(String.",[60,152,153],{"class":146},"Format",[60,155,156],{"class":83},"(",[60,158,160],{"class":159},"sciFF","\"",[60,162,164],{"class":163},"sJQOs","\u003Cinput type=",[60,166,168],{"class":167},"smfUS","\\\"",[60,170,171],{"class":163},"text",[60,173,168],{"class":167},[60,175,176],{"class":163}," value=",[60,178,168],{"class":167},[60,180,181],{"class":163},"{0}",[60,183,168],{"class":167},[60,185,186],{"class":163}," \u002F>",[60,188,160],{"class":159},[60,190,191],{"class":83},", 
post.",[60,193,195],{"class":194},"sSKRk","Author",[60,197,198],{"class":83},");\n",[60,200,201],{"class":62,"line":95},[60,202,98],{"class":66},[60,204,205,207,209,211,213,215,217,219,221,223,225,227,229,231,233,235,237,240,243,246,248],{"class":62,"line":101},[60,206,143],{"class":83},[60,208,147],{"class":146},[60,210,150],{"class":83},[60,212,153],{"class":146},[60,214,156],{"class":83},[60,216,160],{"class":159},[60,218,164],{"class":163},[60,220,168],{"class":167},[60,222,171],{"class":163},[60,224,168],{"class":167},[60,226,176],{"class":163},[60,228,168],{"class":167},[60,230,181],{"class":163},[60,232,168],{"class":167},[60,234,186],{"class":163},[60,236,160],{"class":159},[60,238,239],{"class":83},", HttpUtility.",[60,241,242],{"class":146},"HtmlAttributeEncode",[60,244,245],{"class":83},"(post.",[60,247,195],{"class":194},[60,249,250],{"class":83},"));\n",[39,252,254],{"id":253},"_3-you-set-href-or-src-on-htmlanchor-htmlimage-or-htmlnputimage-controls","3. You set HRef or Src on HtmlAnchor, HtmlImage or HtmlInputImage controls",[10,256,257],{},"In general the HtmlControls namespace is very well behaved with encoding, but there is a bug in the code that attempts to adjust the relative URLs for href and src attributes which causes those properties to bypass encoding (I’ve reported this to Microsoft). Bear in mind that attribute encoding only stops a value breaking out of the attribute; a value using the javascript: scheme is still a valid, executable URL after encoding, so HRef and Src values that come from users should additionally be checked to be a relative path or an http or https URL before they are used.",[10,259,260],{},"Example showing anchor HRef attribute abuse:",[51,262,264],{"className":130,"code":263,"language":132,"meta":56,"style":56},"\u002F\u002F Vulnerable\noutputDiv.Controls.Add(new HtmlAnchor() { Text = \"Test\", HRef = post.Author } );\n\u002F\u002F Secure\noutputDiv.Controls.Add(new HtmlAnchor() { Text = \"Test\", HRef = HttpUtility.HtmlAttributeEncode(post.Author) } 
);\n",[23,265,266,270,320,324],{"__ignoreMap":56},[60,267,268],{"class":62,"line":63},[60,269,67],{"class":66},[60,271,272,275,278,280,283,285,289,293,296,299,302,305,307,310,312,315,317],{"class":62,"line":70},[60,273,274],{"class":83},"outputDiv.",[60,276,277],{"class":194},"Controls",[60,279,18],{"class":83},[60,281,282],{"class":146},"Add",[60,284,156],{"class":83},[60,286,288],{"class":287},"smiwp","new",[60,290,292],{"class":291},"snuxY"," HtmlAnchor",[60,294,295],{"class":83},"() { Text ",[60,297,298],{"class":77},"=",[60,300,301],{"class":159}," \"",[60,303,304],{"class":163},"Test",[60,306,160],{"class":159},[60,308,309],{"class":83},", HRef ",[60,311,298],{"class":77},[60,313,314],{"class":83}," post.",[60,316,195],{"class":194},[60,318,319],{"class":83}," } );\n",[60,321,322],{"class":62,"line":95},[60,323,98],{"class":66},[60,325,326,328,330,332,334,336,338,340,342,344,346,348,350,352,354,357,359,361,363],{"class":62,"line":101},[60,327,274],{"class":83},[60,329,277],{"class":194},[60,331,18],{"class":83},[60,333,282],{"class":146},[60,335,156],{"class":83},[60,337,288],{"class":287},[60,339,292],{"class":291},[60,341,295],{"class":83},[60,343,298],{"class":77},[60,345,301],{"class":159},[60,347,304],{"class":163},[60,349,160],{"class":159},[60,351,309],{"class":83},[60,353,298],{"class":77},[60,355,356],{"class":83}," HttpUtility.",[60,358,242],{"class":146},[60,360,245],{"class":83},[60,362,195],{"class":194},[60,364,365],{"class":83},") } );\n",[39,367,369],{"id":368},"_4-you-set-the-text-property-of-webcontrolswebforms","4. 
You set the Text property of WebControls\u002FWebForms",[10,371,372],{},"You would imagine the high-level WebForms controls would take care of encoding and you’d be wrong.",[10,374,375],{},"Example showing the Label control being so easily taken advantage of:",[51,377,379],{"className":130,"code":378,"language":132,"meta":56,"style":56},"\u002F\u002F Vulnerable\noutputDiv.Controls.Add(new Label() { Text = post.Author } );\n\u002F\u002F Secure\noutputDiv.Controls.Add(new Label() { Text = HttpUtility.HtmlEncode(post.Author) } );\n",[23,380,381,385,412,416],{"__ignoreMap":56},[60,382,383],{"class":62,"line":63},[60,384,67],{"class":66},[60,386,387,389,391,393,395,397,399,402,404,406,408,410],{"class":62,"line":70},[60,388,274],{"class":83},[60,390,277],{"class":194},[60,392,18],{"class":83},[60,394,282],{"class":146},[60,396,156],{"class":83},[60,398,288],{"class":287},[60,400,401],{"class":291}," Label",[60,403,295],{"class":83},[60,405,298],{"class":77},[60,407,314],{"class":83},[60,409,195],{"class":194},[60,411,319],{"class":83},[60,413,414],{"class":62,"line":95},[60,415,98],{"class":66},[60,417,418,420,422,424,426,428,430,432,434,436,438,441,443,445],{"class":62,"line":101},[60,419,274],{"class":83},[60,421,277],{"class":194},[60,423,18],{"class":83},[60,425,282],{"class":146},[60,427,156],{"class":83},[60,429,288],{"class":287},[60,431,401],{"class":291},[60,433,295],{"class":83},[60,435,298],{"class":77},[60,437,356],{"class":83},[60,439,440],{"class":146},"HtmlEncode",[60,442,245],{"class":83},[60,444,195],{"class":194},[60,446,365],{"class":83},[10,448,449],{},"The one exception to this is the Text property of input controls, as they put the value into an attribute and therefore call HttpUtility.HtmlAttributeEncode for you.",[39,451,453],{"id":452},"_5-you-use-the-literalcontrol","5. You use the LiteralControl",[10,455,456],{},"LiteralControl is a useful control for adding text to the output stream that doesn’t require its own tag. 
It also helpfully, and uncharacteristically, provides a useful constructor. Unfortunately it fails to encode the output.",[10,458,459,460,463],{},"Example showing poor ",[23,461,462],{},"LiteralControl"," wide open:",[51,465,467],{"className":130,"code":466,"language":132,"meta":56,"style":56},"\u002F\u002F Vulnerable\noutputDiv.Controls.Add(new LiteralControl(post.Author));\n\u002F\u002F Secure\noutputDiv.Controls.Add(new LiteralControl(HttpUtility.HtmlEncode(post.Author)));\n",[23,468,469,473,496,500],{"__ignoreMap":56},[60,470,471],{"class":62,"line":63},[60,472,67],{"class":66},[60,474,475,477,479,481,483,485,487,490,492,494],{"class":62,"line":70},[60,476,274],{"class":83},[60,478,277],{"class":194},[60,480,18],{"class":83},[60,482,282],{"class":146},[60,484,156],{"class":83},[60,486,288],{"class":287},[60,488,489],{"class":291}," LiteralControl",[60,491,245],{"class":83},[60,493,195],{"class":194},[60,495,250],{"class":83},[60,497,498],{"class":62,"line":95},[60,499,98],{"class":66},[60,501,502,504,506,508,510,512,514,516,519,521,523,525],{"class":62,"line":101},[60,503,274],{"class":83},[60,505,277],{"class":194},[60,507,18],{"class":83},[60,509,282],{"class":146},[60,511,156],{"class":83},[60,513,288],{"class":287},[60,515,489],{"class":291},[60,517,518],{"class":83},"(HttpUtility.",[60,520,440],{"class":146},[60,522,245],{"class":83},[60,524,195],{"class":194},[60,526,527],{"class":83},")));\n",[39,529,531],{"id":530},"warning-do-not","Warning! 
Do not:",[533,534,535,539,542],"ol",{},[536,537,538],"li",{},"Encode data in the database: your contaminated data will be difficult to use elsewhere and will end up double-encoded",[536,540,541],{},"Look for script on submit: you won’t catch every combination and it might prevent valid data",[536,543,544],{},"Trap entry with client-side code: it is trivially bypassed",[10,546,547],{},"Just encode the output.",[10,549,550],{},[551,552,553],"em",{},"[)amien",[10,555,556,557,561],{},"PS: The samples use ",[14,558,560],{"href":559},"\u002Fblog\u002F2007\u002Fobject-initializers-in-net-35\u002F",".NET 3.5 object initializer syntax"," for brevity as many affected controls do not have useful constructors",[563,564,565],"style",{},"html pre.shiki code .sSX4p, html code.shiki .sSX4p{--shiki-default:#939F91;--shiki-default-font-style:italic;--shiki-dark:#6272A4;--shiki-dark-font-style:inherit}html pre.shiki code .s6Vpi, html code.shiki .s6Vpi{--shiki-default:#5C6A72;--shiki-dark:#F8F8F2}html pre.shiki code .sS4Kt, html code.shiki .sS4Kt{--shiki-default:#8DA101;--shiki-dark:#50FA7B}html pre.shiki code .sciFF, html code.shiki .sciFF{--shiki-default:#8DA101;--shiki-dark:#E9F284}html pre.shiki code .sJQOs, html code.shiki .sJQOs{--shiki-default:#8DA101;--shiki-dark:#F1FA8C}html pre.shiki code .smfUS, html code.shiki .smfUS{--shiki-default:#DFA000;--shiki-dark:#FF79C6}html pre.shiki code .sSKRk, html code.shiki .sSKRk{--shiki-default:#35A77C;--shiki-dark:#F8F8F2}html .default .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .shiki span {color: var(--shiki-default);background: var(--shiki-default-bg);font-style: var(--shiki-default-font-style);font-weight: var(--shiki-default-font-weight);text-decoration: var(--shiki-default-text-decoration);}html .dark .shiki span {color: var(--shiki-dark);background: 
var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html.dark .shiki span {color: var(--shiki-dark);background: var(--shiki-dark-bg);font-style: var(--shiki-dark-font-style);font-weight: var(--shiki-dark-font-weight);text-decoration: var(--shiki-dark-text-decoration);}html pre.shiki code .smiwp, html code.shiki .smiwp{--shiki-default:#F85552;--shiki-dark:#FF79C6}html pre.shiki code .snuxY, html code.shiki .snuxY{--shiki-default:#3A94C5;--shiki-default-font-style:inherit;--shiki-dark:#8BE9FD;--shiki-dark-font-style:italic}html pre.shiki code .s9HRq, html code.shiki .s9HRq{--shiki-default:#F57D26;--shiki-dark:#FF79C6}html pre.shiki code .sNvvj, html code.shiki .sNvvj{--shiki-default:#8DA101;--shiki-dark:#F8F8F2}",{"title":56,"searchDepth":70,"depth":70,"links":567},[568,569,570,571,572,573],{"id":41,"depth":70,"text":42},{"id":119,"depth":70,"text":120},{"id":253,"depth":70,"text":254},{"id":368,"depth":70,"text":369},{"id":452,"depth":70,"text":453},{"id":530,"depth":70,"text":531},"Development",12,"2007-12-18T01:37:58+00:00","If you don’t encode data when using any of the following methods to output to HTML your application could be compromised by unexpected HTML turning up in the page and modifying everything from formatting though to capturing and interfering with form data via remote scripts (XSS). 
Such vulnerabilities are incredibly dangerous.","[object Object]","md",null,false,{},true,"\u002Fblog\u002F2007\u002F5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection",{"title":5,"description":577},"blog\u002F2007\u002F5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection",[588,589,590,591,592],".NET","ASP.NET","security","C#","webdev","\u002Fblog\u002F2007\u002F5-signs-your-aspnet-application-may-be-vulnerable-to-html-injection\u002F",677,"yH30_azLNdehaIVjtrlGe9lMAVvHU8PYM8EfYce52uQ",[597,601,605],{"title":598,"date":599,"url":600},"Transactions in the MongoDB EF Core Provider","2025-10-25","\u002Fblog\u002F2025\u002Fmongodb-explicit-transactions\u002F",{"title":602,"date":603,"url":604},"Queryable Encryption with the MongoDB EF Core Provider","2025-09-22","\u002Fblog\u002F2025\u002Fmongodb-queryable-encryption\u002F",{"title":606,"date":607,"url":608},"Lazy Loading with EF Core Proxies","2025-04-02","\u002Fblog\u002F2025\u002Fef-proxies\u002F",[],1780900529393]