Skip to main content
All docs
V24.2

Prevent Cross-Site Scripting (XSS) Attacks

  • 2 minutes to read

Cross-Site Scripting (XSS) attacks allow threat actors to inject malicious scripts into a web page. Once users open an infected page, injected scripts execute and can steal cookies/session tokens, modify web page content, or redirect to a “phishing” page. Web apps may be vulnerable to XSS attacks if user input is not validated or encoded (to learn more about XSS attacks, refer to the following Microsoft advisory: Prevent Cross-Site Scripting (XSS) in ASP.NET Core).

Microsoft Blazor includes a built-in XSS protection system to help prevent against cross-site scripting attacks. This system encodes all strings defined with standard razor syntax (the @ directive). To display HTML code as text, the system replaces service characters (for instance, < and >) with character entity references (&lt; and &gt;).

Important

The MarkupString class allows you to bypass HTML encoding and render a string value as HTML markup. For security reasons, you should not use this class to display values from an untrusted source (such as user input).

DevExpress UI components for Blazor use Microsoft’s built-in XSS protection system to encode content and values. You should always follow security-related best practices to minimize risks and security-related threats. For more information, refer to the following help topics: