Skip to main content
BuyLog In
Blazor
Search in…
Docs > Security Considerations > Prevent Cross-Site Scripting Attacks
All docs
V23.2
Blazor Components
Prerequisites
Supported Browsers
Get Started
Demos
Examples
Videos
Common Concepts
Components
Styling and Themes
Security Considerations
Content Security Policy
Validate User Input
Prevent Cross-Site Scripting Attacks
Troubleshooting
Blazor & WinForms App UI Framework (Powered by EF Core)
Maintenance Mode
API Reference
Download CHM

Prevent Cross-Site Scripting (XSS) Attacks

  • 2 minutes to read

Cross-Site Scripting (XSS) attacks allow threat actors to inject malicious scripts into a web page. Once users open an infected page, injected scripts execute and can steal cookies/session tokens, modify web page content, or redirect to a “phishing” page. Web apps may be vulnerable to XSS attacks if user input is not validated or encoded (to learn more about XSS attacks, refer to the following Microsoft advisory: Prevent Cross-Site Scripting (XSS) in ASP.NET Core).

Microsoft Blazor includes a built-in XSS protection system to help prevent against cross-site scripting attacks. This system encodes all strings defined with standard razor syntax (the @ directive). To display HTML code as text, the system replaces service characters (for instance, < and >) with character entity references (&lt; and &gt;).

Important

The MarkupString class allows you to bypass HTML encoding and render a string value as HTML markup. For security reasons, you should not use this class to display values from an untrusted source (such as user input).

DevExpress UI components for Blazor use Microsoft’s built-in XSS protection system to encode content and values. You should always follow security-related best practices to minimize risks and security-related threats. For more information, refer to the following help topics: