I know of several ways to do this, but they all have some downside. Is there an "accepted" way of doing it, that is considered the best?
I used to use the <script> block like this:
<script> var myVariable = '<%=thisIsWrong %>'; </script>
Then in this context, if </script> was to be rendered in a script tag in an attempt to close the HTML script tag ready for an XSS attack, it would be rendered as:
If you don't make sure that closing script tags are not rendered, then an attack like so is possible. Imagine this is the input to your application:
which then renders in the browser as
and the browser will interpret the script tag ending at alert('</script> and simply execute what is in the new script tag.
which does not contain </script> for the browser to interpret.
Some of the other encoding functions in .NET do use blacklist methods; however, in my own testing
Except for alphanumeric characters, escape all characters less than 256 with the \xHH format to prevent switching out of the data value into the script context or into another attribute.
so you could easily write your own to comply with this.
Note that if you want to include code in attribute tags:
<a href="http://example.com" onclick="alert('<%=wrong %>')">Click</a>
then the OWASP method means you don't have to take care of HTML encoding too (because no HTML characters with special meaning are actually output). Without (e.g. with
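The following is an added example, not code from the question or the answer above, showing the technique the answer recommends: a JavaScript string encoder that follows the quoted OWASP rule (every non-alphanumeric character below 256 becomes \xHH), applied to the same script block and the same onclick attribute the answer discusses. The server-side template is simulated with plain string concatenation, the attacker input is constructed for the demonstration, and the handling of characters at or above 256 as \uHHHH is my own extension so the encoder works on any string; the answer itself only states the rule for characters below 256.

```javascript
// Added example (not from the original answer): OWASP-style JavaScript string
// encoding and a check of why '<%=thisIsWrong %>' is exploitable while the
// encoded form is not.

// Rule from the OWASP XSS Prevention Cheat Sheet: except for alphanumerics,
// escape every character below 256 as \xHH. Characters at or above 256 are
// emitted as \uHHHH here; that extension is an assumption of this example.
function jsEncode(value) {
  let out = "";
  for (const ch of String(value)) {            // iterates by code point
    const cp = ch.codePointAt(0);
    if (/^[A-Za-z0-9]$/.test(ch)) {
      out += ch;                                // alphanumerics pass through
    } else if (cp < 256) {
      out += "\\x" + cp.toString(16).toUpperCase().padStart(2, "0");
    } else {
      // BMP characters become one \uHHHH; astral code points become the
      // two \uHHHH escapes of their UTF-16 surrogate pair
      for (let i = 0; i < ch.length; i++) {
        out += "\\u" + ch.charCodeAt(i).toString(16).toUpperCase().padStart(4, "0");
      }
    }
  }
  return out;
}

// Stand-ins for the server-side template: the answer's script block rendered
// with the raw value (the "thisIsWrong" case) and with the encoded value.
function renderNaive(input) {
  return "<script> var myVariable = '" + input + "'; </script>";
}
function renderEncoded(input) {
  return "<script> var myVariable = '" + jsEncode(input) + "'; </script>";
}

// The HTML parser ends a script element at the first "</script" it meets,
// regardless of what the JavaScript in between looks like. Counting those
// sequences in the rendered page shows whether the input closed the block early.
function closingScriptTags(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Round-trip through the JavaScript engine: the encoded literal must evaluate
// back to the original value, otherwise the encoder has corrupted the data.
function decodesTo(input) {
  return new Function("return '" + jsEncode(input) + "';")() === input;
}

// Attribute context from the answer: the encoded value contains none of
// < > & " ' so it can go into onclick="alert('...')" without a separate
// HTML-encoding pass, and no entity decoding can alter the \xHH escapes.
function safeForAttribute(input) {
  return !/[<>&"']/.test(jsEncode(input));
}

// Constructed attacker input for the demonstration.
const attackerInput = "</script><script>alert('XSS')</script>";

console.log(renderNaive(attackerInput));     // block closed early by the input
console.log(renderEncoded(attackerInput));   // payload stays inside the string
console.log('<a href="http://example.com" onclick="alert(\'' + jsEncode(attackerInput) + '\')">Click</a>');
```

The encoder only covers the case the answer describes, a value placed inside a quoted JavaScript string literal; it is not a substitute for HTML encoding when the value lands in plain markup, and it is not JSON (JSON has no \xHH escape), so the output must be consumed by a JavaScript parser, which is exactly what both the script block and the onclick attribute provide.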