From 785fa814501d66e94d07a872d5ff69e26baf413d Mon Sep 17 00:00:00 2001 From: xue <> Date: Sat, 28 Jan 2006 05:56:18 +0000 Subject: Added ViewState protection and cross site scripting prevention tutorial pages. --- demos/quickstart/protected/pages/Security/XSS.page | 13 +++++++++++++ 1 file changed, 13 insertions(+) create mode 100644 demos/quickstart/protected/pages/Security/XSS.page (limited to 'demos/quickstart/protected/pages/Security/XSS.page') diff --git a/demos/quickstart/protected/pages/Security/XSS.page b/demos/quickstart/protected/pages/Security/XSS.page new file mode 100644 index 00000000..fedd2a38 --- /dev/null +++ b/demos/quickstart/protected/pages/Security/XSS.page @@ -0,0 +1,13 @@ + + +

Cross Site Scripting Prevention

+

+Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly design forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers. +

+

+One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferrable because it disables all HTML tags. +

+

+PRADO incorporates the work of SafeHTML and provides developers with a useful component called TSafeHtml. By enclosing content within a TSafeHtml component tag, the enclosed content are ensured to be safe to end users. In addition, the commonly used TTextBox has a SafeText property which contains user input that are ensured to be safe if displayed directly to end users. +

+
\ No newline at end of file -- cgit v1.2.3
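Review bot: the two guarantees in the last paragraph of the new page, "the enclosed content are ensured to be safe to end users" and "user input that are ensured to be safe if displayed directly to end users", promise more than a tag-filtering component can deliver; suggest wording them as "the enclosed content is filtered so that script is removed" and "a filtered copy of the user input", and keeping the HTML-encoding advice of the preceding paragraph as the default, with TSafeHtml presented as the option for the case where HTML tags must be preserved. Also in the same hunk: "poorly design forum system" should read "poorly designed forum system", "before displaying them" should read "before displaying it", "preferrable" should read "preferable", "the enclosed content are ensured" should read "is ensured", and "runs unexpectedly on their computers" is more precise as "runs in their browsers in the context of the vulnerable site".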