Prevent Cross-Site Scripting (XSS) Attacks
Cross-Site Scripting (XSS) attacks allow threat actors to inject malicious scripts into a web page. When a user opens an infected page, the injected script executes in that user's browser and can steal cookies or session tokens, modify the page content, or redirect the user to a "phishing" page. Web apps may be vulnerable to XSS attacks if user input is not validated or encoded before it is rendered (to learn more about XSS attacks, refer to the following Microsoft advisory: Prevent Cross-Site Scripting (XSS) in ASP.NET Core).
Microsoft Blazor includes a built-in XSS protection system that helps prevent cross-site scripting attacks. This system HTML-encodes all strings rendered with the standard Razor syntax (the `@` directive). To display HTML code as text, the system replaces service characters (for instance, `<` and `>`) with character entity references (`&lt;` and `&gt;`), so the browser shows the markup literally instead of parsing it.
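The following Blazor component is an added example, not code from the DevExpress documentation: it shows the default Razor encoding protecting a user-supplied string, and the one construct (Blazor's `MarkupString` struct) that deliberately bypasses that encoding and must therefore only receive application-controlled content. The component and its field names are constructed for the illustration.

```razor
@* Added example (not from the DevExpress docs): how Razor's default encoding
   protects a Blazor component, and the one construct that bypasses it. *@

<h3>Comment preview</h3>

<input @bind="comment" @bind:event="oninput" placeholder="Type a comment" />

@* Safe: @comment is HTML-encoded by the framework before it reaches the DOM.
   Typing "<script>alert(1)</script>" shows that text literally; it never runs. *@
<p>Encoded render: @comment</p>

@* Attribute values are encoded the same way, so user text is safe here too. *@
<span title="@comment">Hover for the raw comment text</span>

@* Unsafe for untrusted input: MarkupString tells Blazor to emit the string as
   raw HTML, skipping the encoding. Reserve it for markup the application itself
   generated or sanitized; never pass raw user input through it. *@
@if (showPreviewBanner)
{
    <p>Raw render (trusted content only): @((MarkupString)trustedHtml)</p>
}

@code {
    private string comment = "";
    private bool showPreviewBanner = true;

    // Constructed, application-controlled markup; the only kind of string that
    // should ever be wrapped in MarkupString.
    private string trustedHtml = "<em>Preview mode</em>";
}
```

In review, treat every `MarkupString` cast as a finding to justify: if its source can be traced back to user input, the built-in protection has been switched off for that value.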
Important
The Markup
DevExpress UI components for Blazor use Microsoft’s built-in XSS protection system to encode content and values. You should always follow security-related best practices to minimize risks and security-related threats. For more information, refer to the following help topics: