It seems necessary to explain clearly the differences between AntiXss.HtmlEncode, HttpUtility.HtmlEncode and Server.HtmlEncode. Pinning down the exact differences is a bit difficult, but basically all three can be used to protect a site against malicious script injection. According to MSDN, HtmlEncode only escapes '<', '>', '&' and '"', plus character codes greater than 0x80; however, this depends on the server environment, and the escaping may vary between IIS versions. For example, a site published to IIS 6 behaves differently from one published to IIS 7. In addition, when you only debug the web application, the escaping performed by HtmlEncode also differs.
What is a cross-site scripting attack, and why is it necessary to prevent one? You can refer to this blog article: http://www.cnblogs.com/alilang/archive/2013/01/28/2879589.html
For an introduction to AntiXss.dll, you can refer to this MSDN article: http://msdn.microsoft.com/en-us/library/aa973813.aspx
Consider the following scenario:
    <img id='img<%= Server.HtmlEncode(Request.QueryString["userid"]) %>' src='/image.gif' />

An attacker could inject client-side script here by setting userid to: 'onload=alert('xss') alt='
In some specific environments, the preceding HTML code carries a risk of script injection. For example, the user appends the following parameter to the URL of the requested page: ?userid='onload=alert(XSS) alt
The injected script is successfully executed on the page! The reason may be that Server.HtmlEncode does not effectively filter out the malicious characters in the user input: the id attribute is delimited by single quotes, and the single quote is not among the characters listed above as escaped, so the quote in the user input closes the attribute and everything after it is parsed as new attributes. The same situation may also occur with HttpUtility.HtmlEncode. When this happens, consider replacing it with the AntiXss.HtmlEncode method.
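As an added example (not code from this post or from the .NET libraries it names), the following Python model reproduces the two escaping behaviours described above: an encoder that escapes only '<', '>', '&' and '"', and one that also escapes the apostrophe, both applied to the post's img template and checked with a small attribute parser that mimics how a browser splits the tag. It goes one step beyond the post by also rendering the attribute with double quotes, the other way to keep the four-character encoder safe; the encoders and parser are illustrative, not the real HtmlEncode implementations.

```python
import re

# Constructed sample: the query-string value from the scenario above.
USERID = "'onload=alert('xss') alt='"


def html_encode_minimal(s: str) -> str:
    """Escape only the four characters the post attributes to HtmlEncode."""
    return (s.replace("&", "&amp;").replace("<", "&lt;")
             .replace(">", "&gt;").replace('"', "&quot;"))


def html_encode_strict(s: str) -> str:
    """Same four characters plus the apostrophe, as a numeric entity."""
    return html_encode_minimal(s).replace("'", "&#39;")


def render_img(userid: str, encoder, quote: str = "'") -> str:
    """The post's template: an id attribute built from user input.

    `quote` selects the attribute delimiter; the post uses single quotes.
    """
    return "<img id={q}img{v}{q} src='/image.gif'/>".format(q=quote, v=encoder(userid))


# name = 'value' | name = "value" | name = bareword (the unquoted fallback
# is what makes the injected onload=... show up as its own attribute).
ATTR_RE = re.compile(r"""(\w+)\s*=\s*(?:'([^']*)'|"([^"]*)"|(\S+))""")


def attribute_names(tag: str) -> list:
    """Attribute names a browser would see in a tag produced by render_img."""
    body = tag[len("<img"):].rstrip("/>")
    return [m.group(1) for m in ATTR_RE.finditer(body)]


def attribute_injected(tag: str) -> bool:
    """True when the rendered tag carries attributes beyond id and src."""
    return any(name.lower() not in ("id", "src") for name in attribute_names(tag))


if __name__ == "__main__":
    for label, enc, q in (("minimal, single-quoted", html_encode_minimal, "'"),
                          ("strict, single-quoted", html_encode_strict, "'"),
                          ("minimal, double-quoted", html_encode_minimal, '"')):
        tag = render_img(USERID, enc, q)
        print(f"{label}: injected={attribute_injected(tag)}  {tag}")
```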