HTML decoding in EPiServer



On a UserControl in an EPiServer project I place this encoded html:

&#60;script&#62;alert('Potensial XSS attempt')&#60;/script&#62;

When I load it into a browser the code is executed:

<script>alert('Potensial XSS attempt')</script>

alert('Potential XSS attempt')

Why? It seems kind of silly that EPiServer would decode it, so the browser can execute the script, because when I do the same on a non-EPiServer project, the result is correct?

Also if I place the same code into an attribute, for example:

<a blabla="&#60;script&#62;alert&#40;&#39;Potensial xss attempt&#39;&#60;&#47;script&#62;" />


The attribute is NOT decoded?

Aug 12, 2008 8:01
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.