asp.net XSS protection

[Aaron]

Is asp.net immune to XSS exploits out of the box? or is this only true for
VS shipped web controls?

 

[Brock Allen]

ASP.NET can't possibly protect from all XSS attacks, but "out of the box"
attempts to help by doing a check on all post data and failing when the post
data contains certain "suspicious" characters (like '<'). You can diable
this, but then you're on your own. Here's the config setting docs (see validateRequest):

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/cpgenref/html/gngrfPagesSection.asp

-Brock
DevelopMentor
http://staff.develop.com/ballen