On a UserControl in an EPiServer project I place this encoded HTML:
&#60;script&#62;alert('Potential XSS attempt')&#60;/script&#62;
When I load it into a browser, the code is executed:
<script>alert('Potensial XSS attempt')</script>
alert('Potential XSS attempt')
Why? It seems kind of silly that EPiServer would decode it so the browser can execute the script, because when I do the same on a non-EPiServer project, the result is correct.
Also, if I place the same code into an attribute, for example:
<a blabla="&#60;script&#62;alert('Potential XSS attempt')&#60;/script&#62;" />
The attribute is NOT decoded?
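The contrast described in the question, as an added example that is not part of the post or of EPiServer's code: an entity-encoded text node stays inert; the same text node encoded and then decoded again before output becomes a live tag; and an entity-encoded attribute value is decoded to characters by the HTML parser but is never re-parsed as markup. The three rendering helpers, the `data-note` attribute name and the use of Python's `html.escape`/`html.unescape` in place of whatever encoding the framework applies are assumptions made for illustration; the parser used to stand in for the browser is the standard-library `HTMLParser`.

```python
import html
from html.parser import HTMLParser

# Constructed sample input: the same payload the question describes.
PAYLOAD = "<script>alert('Potential XSS attempt')</script>"


class TagRecorder(HTMLParser):
    """Stands in for the browser: counts <script> start tags and records
    attribute values as the parser delivers them (entities already decoded)."""

    def __init__(self):
        super().__init__()  # convert_charrefs=True: text entities become characters
        self.script_tags = 0
        self.attrs = {}

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.script_tags += 1
        for name, value in attrs:
            self.attrs[name] = value


def parse(markup: str) -> TagRecorder:
    recorder = TagRecorder()
    recorder.feed(markup)
    recorder.close()
    return recorder


def render_text_correct(user_value: str) -> str:
    """Hypothetical helper: entity-encode for a text node. '<' becomes '&lt;'
    and the browser shows it as a literal character, never as a tag."""
    return "<p>" + html.escape(user_value, quote=True) + "</p>"


def render_text_double_handled(user_value: str) -> str:
    """Hypothetical helper reproducing the behaviour the question observes:
    the value is encoded, then decoded again before it reaches the browser,
    which reintroduces the raw '<' and hands the browser a real <script> tag."""
    encoded = html.escape(user_value, quote=True)
    return "<p>" + html.unescape(encoded) + "</p>"


def render_attribute(user_value: str) -> str:
    """Hypothetical helper: entity-encode inside a quoted attribute. The parser
    decodes the entities to characters for the attribute value, but attribute
    values are never re-parsed as markup, so no script element is created."""
    return '<a data-note="' + html.escape(user_value, quote=True) + '"></a>'


def script_tag_count(markup: str) -> int:
    """Number of <script> start tags the browser-like parser sees in markup."""
    return parse(markup).script_tags


def parsed_attributes(markup: str) -> dict:
    """Attribute values as the parser delivers them (entities decoded)."""
    return parse(markup).attrs


if __name__ == "__main__":
    for label, renderer in (
        ("text node, encoded once", render_text_correct),
        ("text node, encoded then decoded", render_text_double_handled),
        ("attribute, encoded once", render_attribute),
    ):
        out = renderer(PAYLOAD)
        print(f"{label}: {out}")
        print(f"  script tags seen by parser: {script_tag_count(out)}")
```

The second case is the one to look for when a component unexpectedly executes encoded input: somewhere between the encoding step and the HTTP response, something decodes the entities again. The attribute case shows why the same payload in an attribute does not run: the decoded characters become the attribute's value, not new elements, so the output is only dangerous if that value is later written back into the document as markup.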