Which two techniques should you use?

You are creating an ASP.NET application by using the .NET Framework 3.5.

You perform a security review on the application to identify the vulnerabilities to the cross-site scripting attacks.

You need to reduce the potential attack surface.

Which two techniques should you use? (Each correct answer presents part of the solution. Choose two.)

A. Use the innerHTML property instead of the innerText property.

B. Use HttpUtility.HtmlEncode().

C. Set the character encoding explicitly.

D. Ensure that the ASP.NET request validation is disabled to allow for the custom handling of the input.

Explanation:
http://msdn.microsoft.com/en-us/library/ff649310.aspx

A. You should use the innerText property instead of innerHTML – wrong
B. Use HttpUtility.HtmlEncode() to prevent script from being executed – CORRECT
C. Set the correct character encoding (1) – CORRECT
D. Check that ASP.NET request validation is ENABLED (2) – wrong

(1) To successfully restrict valid data for your Web pages, you should limit the ways in which the input data can be represented. This prevents malicious users from using canonicalization and multi-byte escape sequences to trick your input validation routines. A multi-byte escape sequence attack is a subtle manipulation that uses the fact that character encodings, such as uniform translation format-8 (UTF-8), use multi-byte sequences to represent non-ASCII characters. Some byte sequences are not legitimate UTF-8, but they may be accepted by some UTF-8 decoders, thus providing an exploitable security hole.

(2) By default, request validation is enabled in Machine.config. Verify that request validation is currently enabled in your server’s Machine.config file and that your application does not override this setting in its Web.config file.
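The following is an added example, not part of the original question or of the MSDN article it cites: an ASP.NET 3.5 Web Forms code-behind that applies the two correct answers (B: HTML-encode untrusted output, C: set the character encoding explicitly) and keeps request validation enabled as note (2) requires. The page class, label control and query-string key are assumed names.

```csharp
using System;
using System.Text;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup for this code-behind:
//   <%@ Page Language="C#" CodeFile="Greeting.aspx.cs" Inherits="Greeting" %>
//   <asp:Label ID="GreetingLabel" runat="server" />
// Note the directive does NOT set ValidateRequest="false": request validation
// (answer D, note 2) stays enabled as inherited from Machine.config, and
// Web.config does not override it with <pages validateRequest="false" />.
public partial class Greeting : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Answer C: declare the response encoding explicitly so the browser
        // cannot fall back to charset sniffing, where a crafted multi-byte
        // sequence may decode to characters such as '<' that validation never saw.
        // The same can be set site-wide in Web.config:
        //   <globalization requestEncoding="utf-8" responseEncoding="utf-8" />
        Response.ContentType = "text/html";
        Response.ContentEncoding = Encoding.UTF8;

        string name = Request.QueryString["name"] ?? "guest";

        // Vulnerable pattern (what answer B replaces): the raw parameter
        // becomes HTML, so a value containing <script> would execute.
        // GreetingLabel.Text = "Hello, " + name;

        // Answer B: encode untrusted data at the point it becomes HTML output.
        GreetingLabel.Text = BuildGreeting(name);
    }

    // Returns markup-safe text: '<', '>', '&', '"' are replaced with entities,
    // so "<script>" becomes "&lt;script&gt;" and renders literally.
    // Each output context (attribute, URL, JavaScript) needs its own encoder;
    // HtmlEncode is only correct for HTML element content.
    public static string BuildGreeting(string untrustedName)
    {
        return "Hello, " + HttpUtility.HtmlEncode(untrustedName);
    }
}
```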
