We have an asp.net application with lots of .aspx forms and it was built using .net framework 4.0
We have a form where user can enter text in the textbox and we are validating the textbox with validation controls ...the value user enters will be save in the sql server on button click. And it will be feteched and displayed in the screen. So far good.
Now what happens is user enter the text in the textbox and click on save button and the payload will be captured in the fiddler and it will modified by injecting javascript.
Lets say user enters welcome in the textbox but in the fiddler we are appending script payload like
"welcome %uff1cscript%uff1ealert(XSS);%uff1c/script%uff1e"
Before saving it into textbox we are encoding the above and saving it into database..while displaying we are decoding it and show it in the UI
and in the UI it shows "welcome<script>alert(xss)</script> and it is not showing any alert since we are doing encoding and decoding.
But we dont want to show the injected value..
How to prevent that...
1) Is it possible to invalid the request if it is modified by the fiddler ..If yes how can we check whether the request payload is modified or not
2)We want to redirect it to error page if the script payload is injected with actual payload because we dont want to save that in database.
3)Is it possible to validate whether injected happened or not in the code behind
4)How can we check whether the text has html and javascript..Is there any regular expression available to validate the text has javascipt or html
Please help