Solved

How to prevent XSS while allowing HTML input

Posted on 2013-10-30
5
261 Views
Last Modified: 2013-11-09
Hello,

How do I prevent xss attack in html input?

I don't want to use Microsoft antixss library for now.

Thanks.
0
Comment
Question by:levbao
  • 3
  • 2
5 Comments
 
LVL 42

Assisted Solution

by:Rob Jurd, EE MVE
Rob Jurd, EE MVE earned 500 total points
ID: 39616394
Been asked before I believe: http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_28043678.html

Some good links here: http://www.experts-exchange.com/Security/Vulnerabilities/Q_27816671.html

My personal opinion is do you want your users to be able to enter HTML?  I just wouldn't allow it.  BBCode at the most.
0
 
LVL 42

Expert Comment

by:Rob Jurd, EE MVE
ID: 39616399
0
 

Accepted Solution

by:
levbao earned 0 total points
ID: 39618166
Hi Tagit,

Thank you for your responding.

I basically create a function to filter the input html based on a potential blacklist of javascript:

public static bool isCleanHtmlInput(string htmlInput)
{
            string[] inputBlacklist = {
             "javascript","onclick","onmouseover","onmouseout","onload","onunload","ondblclick","onresize","onscroll",
             "&lt","<object","<iframe","<script","<embed","<link","<style"
             };

            bool flag = false;
            foreach (string inputBL in inputBlacklist)
            {
                htmlInput = htmlInput.Replace(" ", "");
                Regex regX = new Regex(inputBL);
                if (regX.IsMatch(HttpUtility.HtmlDecode(htmlInput.ToLower())))
                {
                    flag = true;
                    break;
                }
            }
            if (!flag) return true;
            else return false;
 }

if (!isCleanHtmlInput(txtTemplate.Text))
{
             //potential javascript in html input
 }

It does solve my problem when a user tries to put in some kind of javascript.  I don't know if it's efficient though.

Thanks.
0
 
LVL 42

Expert Comment

by:Rob Jurd, EE MVE
ID: 39618191
I can't see an issue with it either. The post I was referring to in another post said:
SPHttpUtility.UrlKeyValueEncode() and SPHttpUtility.UrlKeyValueDecode() worked well to remove this threat.
I'll get another experts to comment on this thread
0
 

Author Closing Comment

by:levbao
ID: 39635467
Thank you for your reference links.  The function does stop some javascript inject.  I'll need to add more on the blacklist.
0

Featured Post

Highfive Gives IT Their Time Back

Highfive is so simple that setting up every meeting room takes just minutes and every employee will be able to start or join a call from any room with ease. Never be called into a meeting just to get it started again. This is how video conferencing should work!

Join & Write a Comment

One of the pain points with developing AJAX, JavaScript, JQuery, and other client-side behaviors is that JavaScript doesn’t allow for cross domain request for pulling content. For example, JavaScript code on www.johnchapman.name could not pull conte…
User art_snob (http://www.experts-exchange.com/M_6114203.html) encountered strange behavior of Android Web browser on his Mobile Web site. It took a while to find the true cause. It happens so, that the Android Web browser (at least up to OS ver. 2.…
Internet Business Fax to Email Made Easy - With eFax Corporate (http://www.enterprise.efax.com), you'll receive a dedicated online fax number, which is used the same way as a typical analog fax number. You'll receive secure faxes in your email, fr…
Get a first impression of how PRTG looks and learn how it works.   This video is a short introduction to PRTG, as an initial overview or as a quick start for new PRTG users.

758 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now