Step 1) Add 3 controls to a web page (default.aspx)
1.1) TextBox
1.2) Button control & event handler
1.3) Label
as shown below:
<form id="form1" runat="server">
    <div>
        <asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
        <asp:Button ID="Button1" runat="server" Text="Button" OnClick="Button1_Click" />
        <asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
    </div>
</form>
Step 2) Add Button control event handler as shown below
protected void Button1_Click(object sender, EventArgs e)
{
    // Writes the raw text box value into the page without encoding it.
    Label1.Text = TextBox1.Text;
}
Step 3) Run the application (press F5)
In the text box, enter: <script>alert("Hello");</script>
Click the button -> an alert box will be displayed.
JavaScript can be used to call web services/WCF/any resource on the web server.
Otherwise output would be
ENABLE CROSS-SITE SCRIPTING (turn request validation off)
1) Page directive (in the .aspx file): ValidateRequest="false"
2) web.config file
<system.web>
    <pages validateRequest="false">
    </pages>
    <httpRuntime requestValidationMode="2.0"/>
</system.web>
DISABLE CROSS-SITE SCRIPTING
Reverse the settings shown above.
Step 4) Encoding text in ASP.NET web applications
Even when cross-site scripting is enabled in a web application, the text box content can be encoded before it is displayed by using
protected void Button1_Click(object sender, EventArgs e)
{
    // HtmlEncode turns markup characters into HTML entities before output.
    Label1.Text = System.Web.HttpUtility.HtmlEncode(TextBox1.Text);
}
Now the output would be. After the text is encoded, the user's JavaScript code never executes.
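HtmlEncode is the right encoder for element content such as Label1.Text; a value written into an attribute or into a script block needs the encoder for that context. The console program below is an added example, not code from the original post: it runs the Step 3 input through the matching HttpUtility method for each context. The class and method names (OutputEncodingDemo, ForElement, ForAttribute, ForScriptString) are hypothetical and the sample inputs are constructed.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework)

// Added example (hypothetical class and method names): encode one untrusted
// value with the HttpUtility method that matches where it will be written.
public static class OutputEncodingDemo
{
    // Element content, the context Label1.Text writes into.
    public static string ForElement(string value)
    {
        return HttpUtility.HtmlEncode(value);
    }

    // Value of a quoted HTML attribute.
    public static string ForAttribute(string value)
    {
        return HttpUtility.HtmlAttributeEncode(value);
    }

    // Body of a JavaScript string literal (quotes are added by the caller).
    public static string ForScriptString(string value)
    {
        return HttpUtility.JavaScriptStringEncode(value);
    }

    public static void Main()
    {
        // Constructed sample inputs; the first is the Step 3 text box value.
        string[] samples =
        {
            "<script>alert(\"Hello\");</script>",
            "Tom & Jerry say \"hi\" <loudly>"
        };

        foreach (string raw in samples)
        {
            string element = ForElement(raw);
            string attribute = ForAttribute(raw);
            string script = ForScriptString(raw);

            Console.WriteLine("raw:       " + raw);
            Console.WriteLine("element:   <span>" + element + "</span>");
            Console.WriteLine("attribute: <input value=\"" + attribute + "\" />");
            Console.WriteLine("script:    var s = \"" + script + "\";");
            // No encoded form may still contain a literal '<'.
            Console.WriteLine("raw '<' left: " +
                (element.Contains("<") || attribute.Contains("<") || script.Contains("<")));
            Console.WriteLine();
        }
    }
}
```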