Solved

How to prevent XSS while allowing HTML input

Posted on 2013-10-30
5
269 Views
Last Modified: 2013-11-09
Hello,

How do I prevent xss attack in html input?

I don't want to use Microsoft antixss library for now.

Thanks.
0
Comment
Question by:levbao
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 3
  • 2
5 Comments
 
LVL 43

Assisted Solution

by:Rob
Rob earned 500 total points
ID: 39616394
Been asked before I believe: http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_28043678.html

Some good links here: http://www.experts-exchange.com/Security/Vulnerabilities/Q_27816671.html

My personal opinion is do you want your users to be able to enter HTML?  I just wouldn't allow it.  BBCode at the most.
0
 
LVL 43

Expert Comment

by:Rob
ID: 39616399
0
 

Accepted Solution

by:
levbao earned 0 total points
ID: 39618166
Hi Tagit,

Thank you for your responding.

I basically create a function to filter the input html based on a potential blacklist of javascript:

public static bool isCleanHtmlInput(string htmlInput)
{
            string[] inputBlacklist = {
             "javascript","onclick","onmouseover","onmouseout","onload","onunload","ondblclick","onresize","onscroll",
             "&lt","<object","<iframe","<script","<embed","<link","<style"
             };

            bool flag = false;
            foreach (string inputBL in inputBlacklist)
            {
                htmlInput = htmlInput.Replace(" ", "");
                Regex regX = new Regex(inputBL);
                if (regX.IsMatch(HttpUtility.HtmlDecode(htmlInput.ToLower())))
                {
                    flag = true;
                    break;
                }
            }
            if (!flag) return true;
            else return false;
 }

if (!isCleanHtmlInput(txtTemplate.Text))
{
             //potential javascript in html input
 }

It does solve my problem when a user tries to put in some kind of javascript.  I don't know if it's efficient though.

Thanks.
0
 
LVL 43

Expert Comment

by:Rob
ID: 39618191
I can't see an issue with it either. The post I was referring to in another post said:
SPHttpUtility.UrlKeyValueEncode() and SPHttpUtility.UrlKeyValueDecode() worked well to remove this threat.
I'll get another experts to comment on this thread
0
 

Author Closing Comment

by:levbao
ID: 39635467
Thank you for your reference links.  The function does stop some javascript inject.  I'll need to add more on the blacklist.
0

Featured Post

On Demand Webinar - Networking for the Cloud Era

This webinar discusses:
-Common barriers companies experience when moving to the cloud
-How SD-WAN changes the way we look at networks
-Best practices customers should employ moving forward with cloud migration
-What happens behind the scenes of SteelConnect’s one-click button

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this Article, I will provide a few tips in problem and solution manner. Opening an ASPX page in Visual studio 2003 is very slow. To make it fast, please do follow below steps:   Open the Solution/Project. Right click the ASPX file to b…
International Data Corporation (IDC) prognosticates that before the current the year gets over disbursing on IT framework products to be sent in cloud environs will be $37.1B.
Are you ready to implement Active Directory best practices without reading 300+ pages? You're in luck. In this webinar hosted by Skyport Systems, you gain insight into Microsoft's latest comprehensive guide, with tips on the best and easiest way…

730 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question