Preventing XSS (Cross-site Scripting)
Question
Let's say I have a simple ASP.NET MVC blog application and I want to allow readers to add comments to a blog post. If I want to prevent any type of XSS shenanigans, I could HTML encode all comments so that they become harmless when rendered. However, what if I wanted to some basic functionality like hyperlinks, bolding, italics, etc?
I know that StackOverflow uses the WMD Markdown Editor , which seems like a great choice for what I'm trying to accomplish, if not for the fact that it supports both HTML and Markdown which leaves it open to XSS attacks .
7 answers
solution1
8 ACCPTED 2009-01-15 15:21:22
If you are not looking to use an editor you might consider OWASP's AntiSamy .
You can run an example here: http://www.antisamy.net/
solution2
3 2009-01-15 00:15:10
How much HTML are you going to support? Just bold/italics/the basic stuff? In that case, you can convert those to markdown syntax and then strip the rest of the HTML.
The stripping needs to be done server side, before you store it. You need to validate the input on the server as well, when checking for SQL-vulnerabilities and other unwanted stuff.
solution3
2 2009-01-16 01:43:59
如果您需要在浏览器中执行此操作: http : //code.google.com/p/google-caja/wiki/JsHtmlSanitizer
solution4
1 2009-01-15 00:20:53
I'd suggest you only submit the markdown syntax. On the front end, the client can type markdown and have an HTML preview (same as SO), but only submit the markdown syntax server-side. Then you can validate it, generate the HTML, escape it and store it.
I believe that's the way most of us do it. In either case, markdown is there to alleviate anyone from writing structured HTML code and give power to those who wouldn't even know how to.
If there's something specific you'd like to do with the HTML, then you can tweak it with some CSS inheritance '.comment a { color: #F0F; }', front end JS or just traverse over the generated HTML from parsing markdown before you store it.
solution5
1 2009-01-15 00:41:04
Why don't you use Jeff's code ? http://refactormycode.com/codes/333-sanitize-html
solution6
1 2009-01-15 00:47:19
我会投票支持FCKEditor的,但你必须做一些额外的步骤到返回的输出过。
solution7
0 2009-01-15 00:47:07
You could use an HTML whitelist so that certain tags can still be used, but everything else is blocked.
There are tools that can do this for you. SO uses the code that Slough linked .
The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.