Solved

How to prevent XSS while allowing HTML input

Posted on 2013-10-30
5
267 Views
Last Modified: 2013-11-09
Hello,

How do I prevent xss attack in html input?

I don't want to use Microsoft antixss library for now.

Thanks.
0
Comment
Question by:levbao
  • 3
  • 2
5 Comments
 
LVL 43

Assisted Solution

by:Rob
Rob earned 500 total points
ID: 39616394
Been asked before I believe: http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_28043678.html

Some good links here: http://www.experts-exchange.com/Security/Vulnerabilities/Q_27816671.html

My personal opinion is do you want your users to be able to enter HTML?  I just wouldn't allow it.  BBCode at the most.
0
 
LVL 43

Expert Comment

by:Rob
ID: 39616399
0
 

Accepted Solution

by:
levbao earned 0 total points
ID: 39618166
Hi Tagit,

Thank you for your responding.

I basically create a function to filter the input html based on a potential blacklist of javascript:

public static bool isCleanHtmlInput(string htmlInput)
{
            string[] inputBlacklist = {
             "javascript","onclick","onmouseover","onmouseout","onload","onunload","ondblclick","onresize","onscroll",
             "&lt","<object","<iframe","<script","<embed","<link","<style"
             };

            bool flag = false;
            foreach (string inputBL in inputBlacklist)
            {
                htmlInput = htmlInput.Replace(" ", "");
                Regex regX = new Regex(inputBL);
                if (regX.IsMatch(HttpUtility.HtmlDecode(htmlInput.ToLower())))
                {
                    flag = true;
                    break;
                }
            }
            if (!flag) return true;
            else return false;
 }

if (!isCleanHtmlInput(txtTemplate.Text))
{
             //potential javascript in html input
 }

It does solve my problem when a user tries to put in some kind of javascript.  I don't know if it's efficient though.

Thanks.
0
 
LVL 43

Expert Comment

by:Rob
ID: 39618191
I can't see an issue with it either. The post I was referring to in another post said:
SPHttpUtility.UrlKeyValueEncode() and SPHttpUtility.UrlKeyValueDecode() worked well to remove this threat.
I'll get another experts to comment on this thread
0
 

Author Closing Comment

by:levbao
ID: 39635467
Thank you for your reference links.  The function does stop some javascript inject.  I'll need to add more on the blacklist.
0

Featured Post

Free Tool: Site Down Detector

Helpful to verify reports of your own downtime, or to double check a downed website you are trying to access.

One of a set of tools we are providing to everyone as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Lots of people ask this question on how to extend the “MembershipProvider” to make use of custom authentication like using existing database or make use of some other way of authentication. Many blogs show you how to extend the membership provider c…
User art_snob (http://www.experts-exchange.com/M_6114203.html) encountered strange behavior of Android Web browser on his Mobile Web site. It took a while to find the true cause. It happens so, that the Android Web browser (at least up to OS ver. 2.…
This video shows how to use Hyena, from SystemTools Software, to bulk import 100 user accounts from an external text file. View in 1080p for best video quality.

790 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question