Welcome to OGeek Q&A Community for programmer and developer-Open, Learning and Share
Welcome To Ask or Share your Answers For Others


0 votes
893 views
in Technique[技术] by (71.8m points)

.net - Is PagesSection.ValidateRequest enough to prevent XSS in asp.Net

In ASP.NET, is the PagesSection.ValidateRequest method enough to prevent all XSS attacks, or is there something more that needs to be done?

Can anyone point me to a more thorough resource on this topic specifically for ASP.NET, as Google mainly returns MSDN articles and I'd like to verify that we're doing enough.


1 Reply

0 votes
by (71.8m points)

Here is one example: HttpRequestValidationException and cross-site scripting XSS

The request validation simply tries to stop requests containing a very small set of bad letters. And this is not enough to stop XSS, as there are several examples of XSS that fall outside that set of letters. One such example is jumping out of an existing HTML attribute and into a new one:

<input type="text" value="BAD_DATA">

If the BAD_DATA is " autofocus onfocus="alert(1) this becomes

<input type="text" value="" autofocus onfocus="alert(1)">

which will pop up the alert box.

So while request validation will stop simple XSS attacks, it will not stop all. I have also seen the need to switch it off on login forms, as it will reject users having a < in their password.

