• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 284
  • Last Modified:

How to prevent XSS while allowing HTML input

Hello,

How do I prevent xss attack in html input?

I don't want to use Microsoft antixss library for now.

Thanks.
0
levbao
Asked:
levbao
  • 3
  • 2
2 Solutions
 
RobOwner (Aidellio)Commented:
Been asked before I believe: http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_28043678.html

Some good links here: http://www.experts-exchange.com/Security/Vulnerabilities/Q_27816671.html

My personal opinion is do you want your users to be able to enter HTML?  I just wouldn't allow it.  BBCode at the most.
0
 
RobOwner (Aidellio)Commented:
0
 
levbaoAuthor Commented:
Hi Tagit,

Thank you for your responding.

I basically create a function to filter the input html based on a potential blacklist of javascript:

public static bool isCleanHtmlInput(string htmlInput)
{
            string[] inputBlacklist = {
             "javascript","onclick","onmouseover","onmouseout","onload","onunload","ondblclick","onresize","onscroll",
             "&lt","<object","<iframe","<script","<embed","<link","<style"
             };

            bool flag = false;
            foreach (string inputBL in inputBlacklist)
            {
                htmlInput = htmlInput.Replace(" ", "");
                Regex regX = new Regex(inputBL);
                if (regX.IsMatch(HttpUtility.HtmlDecode(htmlInput.ToLower())))
                {
                    flag = true;
                    break;
                }
            }
            if (!flag) return true;
            else return false;
 }

if (!isCleanHtmlInput(txtTemplate.Text))
{
             //potential javascript in html input
 }

It does solve my problem when a user tries to put in some kind of javascript.  I don't know if it's efficient though.

Thanks.
0
 
RobOwner (Aidellio)Commented:
I can't see an issue with it either. The post I was referring to in another post said:
SPHttpUtility.UrlKeyValueEncode() and SPHttpUtility.UrlKeyValueDecode() worked well to remove this threat.
I'll get another experts to comment on this thread
0
 
levbaoAuthor Commented:
Thank you for your reference links.  The function does stop some javascript inject.  I'll need to add more on the blacklist.
0

Featured Post

2018 Annual Membership Survey

Here at Experts Exchange, we strive to give members the best experience. Help us improve the site by taking this survey today! (Bonus: Be entered to win a great tech prize for participating!)

  • 3
  • 2
Tackle projects and never again get stuck behind a technical roadblock.
Join Now