C# Tips

How to check potential XSS characters


How to check whether the query string of a URL contains potential XSS characters?


The query string of a URL can contain characters that enable XSS, such as < and >. For example, the following URL shows a potential XSS script.

To catch the dangerous < and > characters it is not enough to look for the literal characters: the URL-encoded forms (%3c, %3e), the full-width Unicode variants (＜ and ＞, U+FF1C and U+FF1E) and the URL-encoded UTF-8 bytes of those variants (%ef%bc%9c, %ef%bc%9e) must be checked as well, as in the following method.

public static class XssFilter
{
    // Returns true when the string contains '<' or '>' in any of the forms below.
    public static bool HasXssFilterChars(string s)
    {
        if (string.IsNullOrEmpty(s)) return false;
        s = s.ToLowerInvariant(); // invariant, so "%3C" and "%3c" compare the same in every culture
        return s.Contains("<") || s.Contains(">") ||
               s.Contains("%3c") || s.Contains("%3e") ||           // URL-encoded ASCII
               s.Contains("＜") || s.Contains("＞") ||               // full-width U+FF1C / U+FF1E
               s.Contains("%ef%bc%9c") || s.Contains("%ef%bc%9e"); // URL-encoded UTF-8 of the full-width forms
    }
}
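As an added example (not the article's own code), the same check done by URL-decoding the value first, so that the encoded variants the method above enumerates by hand, and double-encoded ones such as %253c, reduce to the four raw characters; FullyDecode, HasAngleBrackets and the sample query strings are constructed for illustration, and the code assumes .NET with System.Net.WebUtility available.

```csharp
using System;
using System.Collections.Generic;
using System.Net;

public static class QueryStringXssCheck
{
    // Decode repeatedly until the value stops changing, so that a double-encoded
    // value (%253c -> %3c -> <) is caught as well. Bounded so hostile input
    // cannot keep the loop busy.
    public static string FullyDecode(string value, int maxRounds = 5)
    {
        string current = value;
        for (int i = 0; i < maxRounds; i++)
        {
            string next = WebUtility.UrlDecode(current);
            if (next == current) break;
            current = next;
        }
        return current;
    }

    // After decoding, only the ASCII and full-width angle brackets
    // (U+FF1C / U+FF1E) remain to be checked.
    public static bool HasAngleBrackets(string value)
    {
        if (string.IsNullOrEmpty(value)) return false;
        string decoded = FullyDecode(value);
        return decoded.IndexOfAny(new[] { '<', '>', '\uFF1C', '\uFF1E' }) >= 0;
    }

    public static void Main()
    {
        // Constructed sample query strings with the result each should give.
        var samples = new Dictionary<string, bool>
        {
            { "q=hello", false },
            { "q=%3Cscript%3E", true },     // URL-encoded ASCII
            { "q=%253Cscript%253E", true }, // double-encoded
            { "q=%EF%BC%9Cscript", true },  // URL-encoded UTF-8 of full-width '<'
            { "q=\uFF1Cscript", true },     // raw full-width '<'
        };
        foreach (var kv in samples)
        {
            bool result = HasAngleBrackets(kv.Key);
            Console.WriteLine($"{kv.Key,-22} -> {result} (expected {kv.Value})");
        }
    }
}
```

A character denylist of this kind is only a first-line filter; encoding the value for the context it is rendered in (HTML, attribute, JavaScript) remains the primary XSS defense.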