I'm currently doing some encoding work to protect a site from XSS attacks. We've stuck a bunch of <script>debugger;</script> tags in the db. Despite my best efforts, the strings I've encoded to stop the debugger getting hit (to prevent an XSS attack) are still getting hit in developer tools.

Is there a chance that double encoding something could cause this to happen or is that not possible?

Thanks in advance!

Edited by JamesCherrill: Moved to web development section


We solved this by adding a new method to the string object to replace any <script> tags in a string to defuse it.

This solution removes any potential script tags and will prevent any html tags from being encoded (useful when you're trying to render out html from a string).
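An added example (not code from either post) that puts the two ideas in the thread side by side: what HTML entity encoding does to a stored `<script>debugger;</script>` value, what the same value looks like when it is encoded twice, a check for that double encoding, and a script-tag stripper of the kind the reply describes. The function names and the sample value are assumptions made for the example; the entity map covers the five characters that matter in HTML text and attribute-value contexts.

```javascript
// Added example, not from the original thread. Demonstrates single vs double
// HTML entity encoding of a stored <script> tag, a check for double encoding,
// and a blocklist-style script-tag stripper for comparison.

// Entities for the characters that change meaning in HTML text/attribute contexts.
const ENTITY_MAP = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// Entity-encode a string once so the browser parses it as text, not markup.
function encodeHtml(str) {
  return String(str).replace(/[&<>"']/g, (ch) => ENTITY_MAP[ch]);
}

// Reverse of encodeHtml. Used here only to show what the browser would display;
// it is not a sanitizer. '&amp;' must be decoded last, otherwise
// '&amp;lt;' would collapse to '<' instead of the visible text '&lt;'.
function decodeHtml(str) {
  return String(str)
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&');
}

// True when the '&' of an entity has itself been encoded, i.e. the value was
// encoded twice. This is the symptom to look for when output shows literal
// '&lt;' text instead of a rendered character.
function looksDoubleEncoded(str) {
  return /&amp;(lt|gt|quot|amp|#\d+);/.test(str);
}

// True when the string still contains an opening <script ...> tag that the
// HTML parser would treat as an element.
function containsScriptElement(str) {
  return /<script\b/i.test(str);
}

// Blocklist approach, as described in the reply: remove <script> open/close
// tags and leave all other HTML untouched. It only handles this one tag name,
// so it is narrower than encoding the whole value.
function stripScriptTags(str) {
  return String(str).replace(/<\/?script\b[^>]*>/gi, '');
}

// Constructed sample value, the kind the question describes storing in the db.
const STORED = '<script>debugger;</script>';

// Pipeline for one value: encode once, encode the result again, and report
// what the browser would show for each.
function demo(value) {
  const once = encodeHtml(value);
  const twice = encodeHtml(once);
  return {
    once,                               // '&lt;script&gt;debugger;&lt;/script&gt;'
    twice,                              // '&amp;lt;script&amp;gt;...'
    onceRenders: decodeHtml(once),      // visible text: '<script>debugger;</script>'
    twiceRenders: decodeHtml(twice),    // visible text: '&lt;script&gt;...'
    onceIsElement: containsScriptElement(once),     // false: parsed as text
    twiceIsDouble: looksDoubleEncoded(twice),       // true
    stripped: stripScriptTags(value),   // 'debugger;'
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo(STORED));
}
```

Encoding once turns the tag into text the browser displays as `<script>debugger;</script>` without creating a script element; encoding twice produces visible `&lt;script&gt;` text, which is a display bug rather than a way for the script to run. If the debugger still fires, the value reaching the page is not the encoded one, so the place to check is wherever the stored string is decoded or inserted as raw HTML before output.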
