I'm trying to make sure my webforms ASP.NET application is as secure as possible, it receives and stores user input data to a SQL database (the usual stuff) only for users with a login, so not available to the general public.
By disabling `ValidateRequest` for input pages, I appreciate there's a risk of XSS attacks. All the SQL queries are parameterised, so are safe from SQL Injection (correct?).

Rather than using the Anti-XSS library, can I just use `HTMLEncode` on the input text? Do I then store the `HTMLEncode`d string?

Or am I looking at it the wrong way? Should I store the user's input verbatim, and then `HTMLEncode` or XSS-`HTMLEncode` any time it is output to a browser?
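As an added illustration of the design question (not code from the question or from any particular answer), the snippet below contrasts encoding once at output time with encoding at storage time and then again at output. It assumes an ASP.NET Web Forms project referencing System.Web; the sample input is constructed.

```csharp
using System;
using System.Web;   // HttpUtility lives in System.Web.dll in ASP.NET Web Forms

// Added example: store the raw value, encode for the context you emit it into.
public static class OutputEncodingDemo
{
    // Constructed sample of what a logged-in user might type into a comment box.
    private const string RawUserInput = "Tom & Jerry <b>\"rule\"</b> <script>alert(1)</script>";

    // Text emitted between tags, e.g. <p>...</p>. Encodes & < > " ' so markup is inert.
    public static string ForHtmlBody(string stored) => HttpUtility.HtmlEncode(stored);

    // Text emitted inside a quoted attribute, e.g. <input value="...">.
    // A different context needs its own encoder; HtmlEncode is not a universal fix.
    public static string ForHtmlAttribute(string stored) => HttpUtility.HtmlAttributeEncode(stored);

    // What the page shows if the ENCODED form was stored and the output layer encodes again:
    // the stored "&lt;" becomes "&amp;lt;" and the user sees literal "&lt;" on screen.
    public static string DoubleEncoded(string stored) => HttpUtility.HtmlEncode(HttpUtility.HtmlEncode(stored));

    public static void Main()
    {
        // Persist exactly what the user typed (via a parameterised INSERT, not shown here),
        // so the same record can later be emitted to HTML, an attribute, JSON or a CSV export.
        string stored = RawUserInput;

        Console.WriteLine("body     : " + ForHtmlBody(stored));
        Console.WriteLine("attribute: " + ForHtmlAttribute(stored));
        Console.WriteLine("double   : " + DoubleEncoded(stored));

        // In markup, ASP.NET 4+ offers the encoding expression syntax <%: stored %>,
        // which is equivalent to HtmlEncode at render time; a plain Label.Text is NOT encoded.
    }
}
```

The double-encoded line is the practical reason to keep the database raw: once a value is encoded on the way in, every consumer has to know that and undo it, and anything that does not (a report, an API) either garbles the text or, worse, decodes it and then emits it unencoded.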