How To: Prevent Cross-Site Scripting in ASP.NET
http://msdn.microsoft.com/library/ms998274.aspx
- How To: Protect From Injection Attacks in ASP.NET
- Design Guidelines for Secure Web Applications
- How To: Use Regular Expressions to Constrain Input in ASP.NET
Microsoft Anti-Cross Site Scripting Library V1.5: Protecting the Contoso Bookmark Page
http://msdn.microsoft.com/en-us/library/aa973813.aspx
1、.NET AntiXSS Library https://www.owasp.org/index.php/.NET_AntiXSS_Library
2、Anti-Cross Site Scripting Library
http://msdn.microsoft.com/en-us/security/aa973814.aspx
3、Various attack techniques: XSS Filter Evasion Cheat Sheet
https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
4、XSS Solutions Series, Part 1: Flaws in the Solutions of Taobao, Baidu and Tencent
http://www.freebuf.com/articles/web/9928.html
5、XSS and Character Encoding: A Primer http://drops.wooyun.org/tips/689#yjs_add_arg=16549
6、Browser Security: Hypertext Markup Language (HTML)
The difference between the three JavaScript functions escape, encodeURI and encodeURIComponent http://www.cnblogs.com/goody9807/archive/2009/01/16/1376913.html
The one to use most of the time should be encodeURIComponent: it converts Chinese, Korean and other special characters into UTF-8 percent-encoded URL form, so when a parameter passed to the backend has been produced with encodeURIComponent, the backend must decode it as UTF-8 (the form's encoding and the current page's encoding are the same).
escape leaves 69 characters unencoded: * + - . / @ _ 0-9 a-z A-Z
encodeURI leaves 82 characters unencoded: ! # $ & ' ( ) * + , - . / : ; = ? @ _ ~ 0-9 a-z A-Z
encodeURIComponent leaves 71 characters unencoded: ! ' ( ) * - . _ ~ 0-9 a-z A-Z
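Added example (my own code, not from these notes or the linked article): it derives which printable ASCII characters each of the three functions leaves unencoded, reproducing the 69/82/71 counts above, and shows why a query-string value must go through encodeURIComponent rather than encodeURI. The buildQuery/parseQuery helpers and the sample parameters are constructed for this demonstration.

```javascript
// Printable ASCII characters 0x20..0x7E (95 characters).
const PRINTABLE_ASCII = Array.from({ length: 0x7f - 0x20 }, (_, i) =>
  String.fromCharCode(0x20 + i));

// Characters that `encoder` passes through unchanged, as one string.
function unencodedChars(encoder) {
  return PRINTABLE_ASCII.filter((ch) => encoder(ch) === ch).join('');
}

// How each function represents a non-ASCII character: escape() emits the
// non-standard %uXXXX form, the other two emit the UTF-8 bytes percent-encoded,
// which is what a UTF-8-aware backend decoder expects.
function encodeSample(ch) {
  return {
    escape: escape(ch),
    encodeURI: encodeURI(ch),
    encodeURIComponent: encodeURIComponent(ch),
  };
}

// Build "k=v&k=v" from an object, encoding every key and value with `encoder`.
// encodeURI leaves '&', '=' and '?' intact, so a value containing them changes
// the structure of the query string; encodeURIComponent escapes them.
function buildQuery(params, encoder) {
  return Object.entries(params)
    .map(([k, v]) => `${encoder(k)}=${encoder(v)}`)
    .join('&');
}

// Parse with the platform parser so the structural difference is observable.
function parseQuery(qs) {
  return Object.fromEntries(new URLSearchParams(qs));
}

// Constructed input: a non-ASCII search term and a value that contains
// query-string delimiters.
const SAMPLE_PARAMS = { q: '中文', redirect: '/home?a=1&admin=true' };

// With encodeURI the parser sees an extra "admin" parameter; with
// encodeURIComponent the "redirect" value survives intact and nothing leaks out.
const viaEncodeURI = parseQuery(buildQuery(SAMPLE_PARAMS, encodeURI));
const viaComponent = parseQuery(buildQuery(SAMPLE_PARAMS, encodeURIComponent));
```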
http://drops.wooyun.org/tips/147
The most basic principles to follow when solving XSS are:
1. User-supplied script must never execute in a way the design did not intend when it is shown again on the client.
2. Never modify the user's input.
3. Handle it at the point of display: wherever the input is rendered is where the problem is solved.
Guidelines
The two most important countermeasures to prevent cross-site scripting attacks are to:
- Constrain input.
- Encode output.
Constrain Input
Start by assuming that all input is malicious. Validate input type, length, format, and range.
- To constrain input supplied through server controls, use ASP.NET validator controls such as RegularExpressionValidator and RangeValidator.
- To constrain input supplied through client-side HTML input controls or input from other sources such as query strings or cookies, use the System.Text.RegularExpressions.Regex class in your server-side code to check for expected input using regular expressions.
- To validate types such as integers, doubles, dates, and currency amounts, convert the input data to the equivalent .NET Framework data type and handle any resulting conversion errors.
For more information about and examples of how to constrain input, see How To: Protect From Injection Attacks in ASP.NET.
Check for valid input as follows:
- Constrain: Check for known good data by validating the type, length, format, and range. To constrain input from server controls, use the ASP.NET validator controls. To constrain input from other sources, use regular expressions and custom validation.
- Reject: Check for any known bad data and reject bad input.
- Sanitize: Sometimes you also need to sanitize input and make potentially malicious input safe. For example, if your application supports free-format input fields, such as comment fields, you might want to permit certain safe HTML elements, such as <b> and <i>, and eliminate any other HTML elements.
Encode Output
Use the HttpUtility.HtmlEncode method to encode output if it contains input from the user or from other sources such as databases. HtmlEncode replaces characters that have special meaning in HTML with the HTML entities that represent those characters. For example, < is replaced with &lt; and " is replaced with &quot;. Encoded data does not cause the browser to execute code. Instead, the data is rendered as harmless HTML.
Similarly, use HttpUtility.UrlEncode to encode output URLs if they are constructed from input.