Solved

How to prevent XSS while allowing HTML input

Posted on 2013-10-30
277 Views
Last Modified: 2013-11-09
Hello,

How do I prevent an XSS attack in HTML input?

I don't want to use the Microsoft AntiXSS library for now.

Thanks.
Question by:levbao
5 Comments
 
LVL 43

Assisted Solution

by:Rob
Rob earned 1500 total points
ID: 39616394
Been asked before I believe: http://www.experts-exchange.com/Programming/Languages/.NET/ASP.NET/Q_28043678.html

Some good links here: http://www.experts-exchange.com/Security/Vulnerabilities/Q_27816671.html

My personal opinion: do you want your users to be able to enter HTML? I just wouldn't allow it. BBCode at the most.
 
LVL 43

Expert Comment

by:Rob
ID: 39616399
 

Accepted Solution

by:
levbao earned 0 total points
ID: 39618166
Hi Tagit,

Thank you for responding.

I basically created a function to filter the input HTML based on a potential blacklist of JavaScript:

using System.Text.RegularExpressions;
using System.Web;

// Returns true when none of the blacklisted fragments appear in the input.
public static bool isCleanHtmlInput(string htmlInput)
{
    string[] inputBlacklist = {
        "javascript", "onclick", "onmouseover", "onmouseout", "onload", "onunload", "ondblclick", "onresize", "onscroll",
        "&lt", "<object", "<iframe", "<script", "<embed", "<link", "<style"
    };

    // Strip spaces, lower-case, then HTML-decode once; the original did this on every loop pass.
    string normalized = HttpUtility.HtmlDecode(htmlInput.Replace(" ", "").ToLower());

    bool flag = false;
    foreach (string inputBL in inputBlacklist)
    {
        // Each blacklist entry is used as a regular expression pattern.
        if (Regex.IsMatch(normalized, inputBL))
        {
            flag = true;
            break;
        }
    }
    return !flag;
}

if (!isCleanHtmlInput(txtTemplate.Text))
{
    // potential javascript in html input
}

It does solve my problem when a user tries to put in some kind of JavaScript. I don't know if it's efficient though.

Thanks.
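The accepted function above works by searching for known-bad fragments, so it has to be extended every time a new tag or event attribute turns up (as the closing comment notes). The usual alternative, which also fits Rob's suggestion of allowing only a restricted markup, is an allow-list: keep a small set of known-safe tags and attributes and HTML-encode everything else. The following C# class is an added example written for this page; it is not code from the thread or from any library. The tag and attribute lists are illustrative assumptions, and the code relies only on System.Net.WebUtility and System.Text.RegularExpressions from the .NET base class library.

```csharp
// Added example (not from the original thread): an allow-list HTML filter.
// Everything that is not an explicitly permitted tag or attribute is
// HTML-encoded, so it is displayed as text instead of interpreted as markup.
// Assumptions: .NET Framework 4.x or .NET Core; tag/attribute lists are
// illustrative and should be adjusted to what the application really needs.
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

public static class HtmlAllowList
{
    // Tags a user may keep, with the attributes permitted on each one.
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
    {
        { "b",  new HashSet<string>() },
        { "i",  new HashSet<string>() },
        { "p",  new HashSet<string>() },
        { "br", new HashSet<string>() },
        { "ul", new HashSet<string>() },
        { "li", new HashSet<string>() },
        { "a",  new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href" } },
    };

    // One tag: optional '/', the tag name, then the raw attribute text.
    static readonly Regex TagPattern = new Regex(
        @"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)([^<>]*)>", RegexOptions.Compiled);

    // name="value", name='value' or name=value inside a tag (bare attributes
    // without a value are simply ignored).
    static readonly Regex AttrPattern = new Regex(
        @"([a-zA-Z][a-zA-Z0-9\-]*)\s*=\s*(?:""([^""]*)""|'([^']*)'|([^\s""'>]+))",
        RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;
        var output = new StringBuilder();
        int last = 0;
        foreach (Match m in TagPattern.Matches(input))
        {
            // Text between tags is always encoded, so a stray '<' or quote
            // in it can never start new markup.
            output.Append(WebUtility.HtmlEncode(input.Substring(last, m.Index - last)));
            last = m.Index + m.Length;

            bool closing = m.Groups[1].Value == "/";
            string name = m.Groups[2].Value.ToLowerInvariant();
            HashSet<string> allowedAttrs;
            if (!Allowed.TryGetValue(name, out allowedAttrs))
            {
                // Unlisted tag: render it as literal text rather than markup.
                output.Append(WebUtility.HtmlEncode(m.Value));
                continue;
            }
            if (closing)
            {
                output.Append("</").Append(name).Append('>');
                continue;
            }

            // Rebuild the opening tag from scratch with only permitted attributes;
            // on* handlers, style, title etc. are silently dropped.
            output.Append('<').Append(name);
            foreach (Match a in AttrPattern.Matches(m.Groups[3].Value))
            {
                string attr = a.Groups[1].Value.ToLowerInvariant();
                if (!allowedAttrs.Contains(attr)) continue;
                string value = a.Groups[2].Success ? a.Groups[2].Value
                             : a.Groups[3].Success ? a.Groups[3].Value
                             : a.Groups[4].Value;
                if (attr == "href" && !IsSafeUrl(value)) continue;
                output.Append(' ').Append(attr).Append("=\"")
                      .Append(WebUtility.HtmlEncode(value)).Append('"');
            }
            output.Append('>');
        }
        output.Append(WebUtility.HtmlEncode(input.Substring(last)));
        return output.ToString();
    }

    // Only absolute http, https and mailto links survive; anything else
    // (relative links included) is dropped rather than guessed at.
    static bool IsSafeUrl(string value)
    {
        string v = WebUtility.HtmlDecode(value).Trim();
        Uri uri;
        if (!Uri.TryCreate(v, UriKind.Absolute, out uri)) return false;
        return uri.Scheme == Uri.UriSchemeHttp
            || uri.Scheme == Uri.UriSchemeHttps
            || uri.Scheme == Uri.UriSchemeMailto;
    }

    public static void Main()
    {
        // Constructed sample: legitimate markup mixed with markup that must
        // not survive as markup.
        string sample = "<p onmouseover=\"x\">Hi <b>there</b> "
                      + "<a href=\"http://example.com\" title=\"t\">link</a> "
                      + "<span>nope</span></p>";
        Console.WriteLine(Sanitize(sample));
    }
}
```

Running Main prints `<p>Hi <b>there</b> <a href="http://example.com">link</a> &lt;span&gt;nope&lt;/span&gt;</p>`: the onmouseover and title attributes are gone, and the unlisted span tags are shown as text. The regex tokenizer is not an HTML5 parser and does not enforce balanced tags, so for production input a parser-based sanitizer (the Microsoft AntiXSS library mentioned in the question is one option) is the safer choice; the point of the example is the allow-list structure, which does not need updating whenever a new event attribute or tag appears.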
 
LVL 43

Expert Comment

by:Rob
ID: 39618191
I can't see an issue with it either. The post I was referring to in another post said:
SPHttpUtility.UrlKeyValueEncode() and SPHttpUtility.UrlKeyValueDecode() worked well to remove this threat.
I'll get other experts to comment on this thread.
 

Author Closing Comment

by:levbao
ID: 39635467
Thank you for your reference links. The function does stop some JavaScript injection. I'll need to add more to the blacklist.