>Hello Naomi,
>
>you don't have to clean the database, to ensure that no malicious <script> tags can be embedded into your pages
>you have to encode the data before output.
>
>so instead of
>Response.Write(databasereader.GetString(1));
>you write
>Response.Write(HttpUtility.HtmlEncode(databasereader.GetString(1)));
>
>this way the content of the database does not matter, everthing is html encoded and will just be displayed as plain text.
>
>p.s.: the UT is also not protected
removed.
>
>Regards
>Christian
We're not using Response.Write too much, we're using ASP.NET controls such as GridView, FormView, etc.
BTW, I was quite surprised to get "Hello, World" :)
If it's not broken, fix it until it is.
My Blog