When Should I Encode?
Filed under: Security
A common question I hear from developers is when they should encode their data. Protecting against cross-site scripting can actually be difficult, and it is good to hear the enthusiasm to properly encode. I have seen developers HTML encode their data before storing it in the database, right as they pull it from the database, ...
Commenting Server Controls in ASP.Net
Filed under: Security
How often do you just use an HTML comment to remove old code, or new functionality that isn’t ready yet? Are HTML comments effective for ASP.Net server controls? From a pure development context, they probably are. When we factor in security, they no longer provide the functionality that was intended. This post will explain an ...
XSS Validation vs. Encoding
Filed under: Security
I came across an excellent post by Chris Schmidt on this topic which can be found at http://yet-another-dev.blogspot.com/2011/09/xss-validation-vs-encoding.html. I think he has done an excellent job describing the problem and his point and I recommend you read his post. I would like to take a moment to add some additional thoughts around ...