ASP.NET Core

Cross-Site Scripting (XSS) is a security vulnerability that enables an attacker to place client side scripts (usually JavaScript) into web pages. When other users load affected pages, the attacker's scripts run, enabling the attacker to steal cookies and session tokens, change the contents of the web page through DOM manipulation, or redirect the browser to another page. XSS vulnerabilities generally occur when an application takes user input and outputs it to a page without validating, encoding or escaping it. This article applies primarily to ASP.NET Core MVC with views, Razor Pages, and other apps that return HTML that may be vulnerable to XSS. Web APIs that return data in the form of HTML, XML, or JSON can trigger XSS attacks in their client apps if they don't properly sanitize user input, depending on how much trust the client app places in the API. For example, if an API accepts user-generated content and returns it in an HTML response, an attacker could inject malicious ...