Why is this JavaScript warning?
I am in the business of preventing XSS attacks, so I encode values when they are returned to the client. This works great, but when a value is put into a .NET runat server input and displayed on the client as shown below, a warning is thrown even though the JavaScript has been encoded.
<input name="ctl00$body$buildTitle" type="text" value="&lt;script&gt;alert(&#39;Hola&#39;)&lt;/script&gt;" />
Can someone explain why?