HTML decoding in EPiServer

Hi,

On a UserControl in an EPiServer project I place this encoded html:

&#60;script&#62;alert('Potensial XSS attempt')&#60;/script&#62;

When I load it into a browser the code is executed:

<script>alert('Potensial XSS attempt')</script>

alert('Potential XSS attempt')

Why? It seems kind of silly that EPiServer would decode it so the browser can execute the script, because when I do the same on a non-EPiServer project, the result is correct?

Also if I place the same code into an attribute, for example:

<a blabla="&#60;script&#62;alert&#40;&#39;Potensial xss attempt&#39;&#60;&#47;script&#62;" />


The attribute is NOT decoded?


#22675
Aug 12, 2008 8:01
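The behaviour the question describes (stored text that is already entity-encoded, decoded by an output path before it reaches the page body, and therefore executed; the same text inside a quoted attribute staying a plain value) can be reproduced and checked without a browser. The following is an added Python example, not EPiServer code and not something the poster wrote; it models three output paths (verbatim, decode-then-write, encode-on-write) and uses Python's own HTML tokenizer to count how many script elements a browser would see. ENCODED_PAYLOAD is a constructed sample copied from the question; the function names are the example's own.

```python
import html
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Constructed sample: the entity-encoded markup from the question, as a site would
# store it (user-supplied text that has already been HTML-encoded once).
ENCODED_PAYLOAD = "&#60;script&#62;alert('Potential XSS attempt')&#60;/script&#62;"


class _TagCollector(HTMLParser):
    """Record every start tag and its attributes, as a browser's tokenizer would."""

    def __init__(self) -> None:
        super().__init__()
        self.tags: List[str] = []
        self.attrs: List[Tuple[str, Optional[str]]] = []

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        self.attrs.extend(attrs)


def tokenize(markup: str) -> _TagCollector:
    """Parse a fragment and return the collected tags and attributes."""
    parser = _TagCollector()
    parser.feed(markup)
    parser.close()
    return parser


def script_elements(markup: str) -> int:
    """Number of <script> start tags a browser would see in this fragment."""
    return tokenize(markup).tags.count("script")


def render_verbatim(stored: str) -> str:
    """Emit the stored text unchanged: entities remain entities and display as text."""
    return stored


def render_decoded(stored: str) -> str:
    """Model an output path that HTML-decodes stored text before writing it into the
    body (the behaviour reported in the question): entity text becomes live markup."""
    return html.unescape(stored)


def render_encoded(stored: str) -> str:
    """Defensive output path: encode on output regardless of what was stored.
    Already-encoded input is double-encoded and displays literally (ugly, but inert)."""
    return html.escape(stored, quote=True)


def render_in_attribute(stored: str, name: str = "title") -> str:
    """Place the stored text, undecoded, inside a double-quoted attribute value."""
    return f'<a {name}="{stored}"></a>'


def attribute_value(markup: str, name: str) -> Optional[str]:
    """The attribute value as the parser delivers it: entities are decoded, but the
    result is a string value, not markup (the attribute case from the question)."""
    for key, value in tokenize(markup).attrs:
        if key == name:
            return value
    return None


if __name__ == "__main__":
    for label, fn in (("verbatim", render_verbatim),
                      ("decoded", render_decoded),
                      ("encoded", render_encoded)):
        out = fn(ENCODED_PAYLOAD)
        print(f"{label:9s} script elements={script_elements(out)}  {out}")
    attr = render_in_attribute(ENCODED_PAYLOAD)
    print(f"attribute script elements={script_elements(attr)}  "
          f"value={attribute_value(attr, 'title')!r}")
```

The useful check for a templating layer is the `render_decoded` case: if a control's output path turns `script_elements` from 0 into 1 for entity-only input, that path is decoding before writing and needs to be replaced by encode-on-output. The attribute case shows why the `<a ...>` variant in the question did not fire: the tokenizer decodes the entities there too, but only into an attribute value, which never becomes an element.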