<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="ScriptInjection" ValidateRequest="false"%>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.1//EN" "http://www.w3.org/TR/xhtml11/DTD/xhtml11.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<asp:TextBox id="txtInput" runat="server" Width="298px"><script>alert('Script Injection');</script></asp:TextBox>
<asp:Button id="cmdSubmit" runat="server" Text="Submit" OnClick="cmdSubmit_Click"></asp:Button>
<asp:Label id="lblInfo" runat="server"></asp:Label>
</form>
</body>
</html>
File: Default.aspx.cs
using System;
using System.Data;
using System.Configuration;
using System.Collections;
using System.Web;
using System.Web.Security;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.Web.UI.WebControls.WebParts;
using System.Web.UI.HtmlControls;
public partial class ScriptInjection : System.Web.UI.Page
{
protected void cmdSubmit_Click(object sender, EventArgs e)
{
lblInfo.Text = txtInput.Text;
}
}
|