C# Tips

Today's C# Tip

How to check potential XSS characters


How to check if query string in URL contains potential XSS characters?


A query string in a URL can contain potential XSS characters such as < and >. For example, the following URL shows an example of potential XSS script.

To check for dangerous < and > characters, it is not enough to look for the literal characters; the common encoded variants of < and > must be checked as well, as follows.

public static bool HasXssFilterChars(string s)
{
	if (string.IsNullOrEmpty(s)) return false;
	s = s.ToLower();
	// Literal < and >, their percent-encoded forms %3c and %3e,
	// the fullwidth forms ＜ and ＞ (U+FF1C / U+FF1E), and the
	// percent-encoded UTF-8 bytes of those fullwidth forms.
	return s.Contains("<") || s.Contains(">") ||
		   s.Contains("%3c") || s.Contains("%3e") ||
		   s.Contains("＜") || s.Contains("＞") ||
		   s.Contains("%ef%bc%9c") || s.Contains("%ef%bc%9e");
}
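The variants listed above are all encodings of the same two characters, so the check generalises: canonicalise the value first (bounded repeated percent-decoding, then Unicode NFKC normalisation, which folds fullwidth ＜ ＞ to < >) and test the plain characters once. This is an added example, not the tip's own code; the class name XssCharCheck and the sample values are constructed for illustration.

```csharp
using System;
using System.Text;

public static class XssCharCheck
{
    // Upper bound on decode rounds so a value cannot keep us looping.
    private const int MaxDecodeRounds = 3;

    // Percent-decode until the value stops changing (catches double-encoding
    // such as %253c), then NFKC-normalise so fullwidth ＜ ＞ become < >.
    public static string Canonicalise(string s)
    {
        string current = s;
        for (int i = 0; i < MaxDecodeRounds; i++)
        {
            string decoded = Uri.UnescapeDataString(current.Replace('+', ' '));
            if (decoded == current) break;
            current = decoded;
        }
        return current.Normalize(NormalizationForm.FormKC);
    }

    // Same contract as the tip's method, but the variant list collapses to
    // a single test on the canonical form.
    public static bool HasXssFilterChars(string s)
    {
        if (string.IsNullOrEmpty(s)) return false;
        string canon = Canonicalise(s);
        return canon.IndexOf('<') >= 0 || canon.IndexOf('>') >= 0;
    }

    public static void Main()
    {
        // Constructed sample query values: the variants the tip lists, a
        // double-encoded one the literal list would miss, and a benign value.
        string[] samples =
        {
            "q=<script>", "q=%3Cscript%3E", "q=＜script＞",
            "q=%EF%BC%9Cscript%EF%BC%9E", "q=%253Cscript%253E", "q=hello"
        };
        foreach (string v in samples)
            Console.WriteLine($"{v,-30} -> {HasXssFilterChars(v)}");
    }
}
```

Treat the result as a screening signal for logging or rejection; encoding the value at the point where it is rendered into HTML remains the actual XSS defence.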