Why does this JavaScript warning appear?

I am in the business of preventing XSS attacks, so I encode the values when they are returned to the client. This works great, but when a value is put into a .NET runat server input and it is displayed on the client as shown below, a warning is thrown even though the JavaScript has been encoded.

<input name="ctl00$body$buildTitle" type="text" value="&lt;script&gt;alert(&#39;Hola&#39;)&lt;/script&gt;" />

Can someone explain why?

+3


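The encoding step described in the question, as an added example that is not code from the original question, the answer, or the .NET framework: a small HTML attribute encoder producing the same entities as the questioner's output, the inverse decoder that mimics how the browser reads an attribute value back, and a tag count that shows the difference between rendering the value raw and rendering it encoded. The function names, the `renderInput*` helpers and the sample payload are assumptions made for this example.

```javascript
// Added example, not from the original page. Constructed sample payload
// matching the one shown in the question's <input> markup.
const SAMPLE = "<script>alert('Hola')</script>";

// Encode the characters that can close an attribute or start a tag.
// The apostrophe is emitted as &#39; to match the questioner's output.
function encodeForHtmlAttribute(s) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#39;" };
  return String(s).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Decode the same entities, as the HTML parser does for attribute values:
// the input's value becomes the literal text, not markup.
function decodeHtmlEntities(s) {
  const map = { amp: "&", lt: "<", gt: ">", quot: '"', "#39": "'", "#x27": "'" };
  return s.replace(/&(amp|lt|gt|quot|#39|#x27);/g, (m, name) => map[name]);
}

// Hypothetical server-side template: encoded (safe) rendering.
function renderInput(name, value) {
  return `<input name="${encodeForHtmlAttribute(name)}" type="text" ` +
    `value="${encodeForHtmlAttribute(value)}" />`;
}

// Same template without encoding (the vulnerable variant, for comparison only).
function renderInputUnsafe(name, value) {
  return `<input name="${name}" type="text" value="${value}" />`;
}

// Count tag openers ('<' followed by a letter or '/'): after encoding, the only
// one left in the output belongs to the <input> element itself.
function countTags(html) {
  return (html.match(/<[a-zA-Z/]/g) || []).length;
}

// Stand-alone demonstration.
console.log(encodeForHtmlAttribute(SAMPLE));
console.log(decodeHtmlEntities(encodeForHtmlAttribute(SAMPLE)) === SAMPLE); // true
console.log(countTags(renderInput("buildTitle", SAMPLE)));        // 1
console.log(countTags(renderInputUnsafe("buildTitle", SAMPLE)));  // 3
```

The round trip shows why the encoded attribute is inert on the client: the browser decodes `&lt;script&gt;` back into the text `<script>` as the field's value, but it never creates a script element from an attribute value. Any warning raised in this situation therefore has to come from somewhere other than the encoded markup itself.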


1 answer


Because you put a script block in the client browser. Regardless of where you placed the script, the browser executes the script.



0








