Cross-Site Scripting attacks (XSS attacks) are a real problem; don't make the mistake of thinking they aren't in widespread use or that you are not vulnerable. During the development of your project you need to explicitly take steps to avoid exposing your site's visitors to this serious issue. You can use the Microsoft Web Protection Library (which includes the AntiXSS encoders used below) to reduce the risk of XSS attacks; get it here: http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651
Recently I developed a simple generic method that I can pass objects to, which will loop over the properties and automatically HTML encode any that are strings. This is useful when you use ORM systems such as Linq2Sql or ADO.NET Entity Framework, which generate an object model of your database that often includes properties of type String.
Here is how to call the method:
HtmlEncodeAllStringProperties<YourClassObjectHere>(YourVariableHere);
Here is the code:
using System;
using System.Reflection;

public static void HtmlEncodeAllStringProperties<T>(T objectToSanitize) where T : class
{
    // We CANNOT TRUST anything entered by the user, so WE NEED TO ENCODE ALL STRING DATA using the
    // Microsoft.Security.Application encoders. To do this we find every property on the object
    // that is a string and can be both read and written, and we encode its value in place.
    foreach (PropertyInfo property in typeof(T).GetProperties())
    {
        // skip indexers: GetValue/SetValue with a null index array would throw for them
        if (property.GetIndexParameters().Length != 0)
            continue;

        // only string properties that have both a getter and a setter are candidates
        if (property.PropertyType != typeof(String) || !property.CanRead || !property.CanWrite)
            continue;

        var value = property.GetValue(objectToSanitize, null) as String;
        // a null string has nothing to encode; leave it null rather than throwing on .ToString()
        if (value == null)
            continue;

        // use the Microsoft AntiXss library to HTML encode the string value
        var sanitizedValue = Microsoft.Security.Application.Encoder.HtmlEncode(value);
        // the property type is already String, so no conversion is needed before setting it
        property.SetValue(objectToSanitize, sanitizedValue, null);
    }
}
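As an added example (not code from the original post), here is a small console program that applies the same helper to a constructed entity resembling what an ORM would generate, showing that read-only, null and non-string properties are left alone, and the caveat that the helper is not idempotent: run it twice and the entities themselves get encoded, so call it once, on the values that are about to be rendered as HTML body text, not on the entity you persist. It assumes the AntiXSS assembly (Microsoft.Security.Application) is referenced; the Comment class and the Sanitizer class name are hypothetical.

```csharp
using System;
using System.Reflection;
using Microsoft.Security.Application;

// Constructed stand-in for an ORM-generated entity (not real Linq2Sql output).
public class Comment
{
    public int Id { get; set; }
    public string Author { get; set; }
    public string Body { get; set; }
    public string Signature { get; set; }                           // may be null
    public string Summary { get { return Author + ": " + Body; } }  // read-only: skipped
}

public static class Sanitizer
{
    // Same logic as the post's helper: encode every readable, writable string property in place.
    public static void HtmlEncodeAllStringProperties<T>(T obj) where T : class
    {
        foreach (PropertyInfo p in typeof(T).GetProperties())
        {
            if (p.GetIndexParameters().Length != 0) continue;       // indexers cannot be read with a null index
            if (p.PropertyType != typeof(string) || !p.CanRead || !p.CanWrite) continue;
            string value = p.GetValue(obj, null) as string;
            if (value == null) continue;                            // nothing to encode, and avoids a null deref
            p.SetValue(obj, Encoder.HtmlEncode(value), null);
        }
    }
}

public static class Program
{
    public static void Main()
    {
        var c = new Comment { Id = 7, Author = "Mallory & Co", Body = "<b>Hello world", Signature = null };

        Sanitizer.HtmlEncodeAllStringProperties(c);
        Console.WriteLine(c.Author);             // Mallory &amp; Co
        Console.WriteLine(c.Body);               // &lt;b&gt;Hello world
        Console.WriteLine(c.Signature == null);  // True: null stays null instead of throwing
        Console.WriteLine(c.Id);                 // 7: non-string properties are untouched

        // Caveat: a second pass encodes the entities produced by the first one, so the page
        // would show a literal "&lt;b&gt;" to the reader. Encode exactly once, at output time.
        Sanitizer.HtmlEncodeAllStringProperties(c);
        Console.WriteLine(c.Body);               // now begins with &amp;lt; rather than &lt;
    }
}
```

Because the helper encodes for the HTML body context only, a value that ends up inside an attribute or a script block still needs the matching encoder from the same library (Encoder.HtmlAttributeEncode or Encoder.JavaScriptEncode) instead.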