
How to fix Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS)?

    @Html.Raw(Model.FooterHtml)

Without seeing an explicit example of an HTML string you'd want to sanitize and the anticipated output post-sanitization, I can only provide a general suggestion that you leverage an HTML sanitization library.

It's a good idea to sanitize raw HTML when you receive it and before you store it, but if you're about to render HTML that is untrusted and has already been stored, you can perform sanitization in your controller when you generate your model and before you return it to your view.

https://github.com/mganss/HtmlSanitizer

Usage

Install the HtmlSanitizer NuGet package. Then:

    // Namespace is Ganss.Xss from HtmlSanitizer 7.0 onwards; earlier releases use Ganss.XSS.
    using Ganss.Xss;
    using NUnit.Framework;

    var sanitizer = new HtmlSanitizer();
    // Untrusted input: a script element, an inline event handler and a javascript: URL in CSS.
    var html = @"<script>alert('xss')</script><div onload=""alert('xss')"" "
        + @"style=""background-color: test"">Test<img src=""test.gif"" "
        + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
    // The second argument is the base URL used to resolve relative URLs such as test.gif.
    var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
    // Only the allowlisted markup and CSS survive; script, onload and the javascript: URL are gone.
    Assert.That(sanitized, Is.EqualTo(@"<div style=""background-color: test"">"
        + @"Test<img style=""margin: 10px"" src=""http://www.example.com/test.gif""></div>"));

The above library offers a demo at https://xss.ganss.org/ and a Fiddle at https://dotnetfiddle.net/892nOk
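The answer's advice applied to the `@Html.Raw(Model.FooterHtml)` line from the question, as an added example that is not part of the original answer or of the HtmlSanitizer project. It assumes ASP.NET Core MVC, HtmlSanitizer 7.0 or later (namespace `Ganss.Xss`; older releases use `Ganss.XSS`) and a hypothetical `IFooterRepository` that returns the stored footer HTML. The sanitizer is configured with an explicit allowlist rather than the library defaults, so the view only ever receives the markup the footer actually needs.

```csharp
// Added example, not code from the question or the HtmlSanitizer project.
// Assumptions: ASP.NET Core MVC, HtmlSanitizer >= 7.0 (Ganss.Xss namespace),
// and a hypothetical IFooterRepository that returns HTML stored earlier.
using Ganss.Xss;
using Microsoft.AspNetCore.Mvc;

public class FooterViewModel
{
    // Rendered in the view with @Html.Raw(Model.FooterHtml), so it must already be safe here.
    public string FooterHtml { get; set; } = "";
}

// Hypothetical storage abstraction: returns whatever an administrator saved earlier.
public interface IFooterRepository
{
    string GetFooterHtml();
}

// One policy object shared by the controller (and by the save path, if you also sanitize on input).
public static class FooterHtmlPolicy
{
    private static readonly HtmlSanitizer Sanitizer = Create();

    public static HtmlSanitizer Create()
    {
        var s = new HtmlSanitizer();

        // Replace the library's default allowlist with the small subset a footer needs.
        // Anything not listed is removed: <script>, <iframe>, <svg> etc. never survive.
        s.AllowedTags.Clear();
        s.AllowedTags.UnionWith(new[] { "p", "a", "br", "strong", "em", "ul", "ol", "li" });

        // Only href is kept; on* event-handler attributes are never on the allowlist anyway.
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");

        // No inline CSS at all, which removes the url(javascript:...) style vector entirely.
        s.AllowedCssProperties.Clear();

        // href values with any other scheme (javascript:, data:, ...) are dropped.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.UnionWith(new[] { "http", "https", "mailto" });

        return s;
    }

    public static string Clean(string untrustedHtml) => Sanitizer.Sanitize(untrustedHtml);
}

public class HomeController : Controller
{
    private readonly IFooterRepository _repo;

    public HomeController(IFooterRepository repo) => _repo = repo;

    // Before: stored HTML is handed straight to the view, and @Html.Raw emits it verbatim,
    // including any <script> or onload= that was stored. This is the reported XSS.
    public IActionResult IndexUnsafe()
    {
        var model = new FooterViewModel { FooterHtml = _repo.GetFooterHtml() };
        return View("Index", model);
    }

    // After: sanitize in the controller, where the model is built, before it reaches the view.
    // The view can keep using @Html.Raw because the value it receives has been reduced to the
    // allowlisted subset above.
    public IActionResult Index()
    {
        var model = new FooterViewModel { FooterHtml = FooterHtmlPolicy.Clean(_repo.GetFooterHtml()) };
        return View(model);
    }
}
```

Because `FooterHtmlPolicy.Clean` is a plain static method, the same policy can be called in the action that saves the footer (sanitize on input) and again in `Index` (sanitize on output), which covers both the fresh-input and already-stored cases the answer describes. Keep the allowlist as narrow as the feature allows; widening it (for example adding `style` or `img`) is where the `javascript:` and CSS vectors in the answer's snippet come back into play.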
