stackoom
  简体   繁体   中英

Securing against JS injection with ASP.NET MVC

 原文  2011-02-16 11:46:15       javascript/ asp.net-mvc/ validationattribute

Question

I would like to allow users to post HTML to a site but need to ensure that no Javascript is injected into the site.

So far I have created a validation attribute to check the incoming html for dodgy doings 

[AttributeUsage(AttributeTargets.Property, 
    AllowMultiple = false, Inherited = true)]
public class CheckHtml : ValidationAttribute, IMetadataAware {

    private static Regex _check = new Regex(
        @"<script[^>]*>.*?<\/script>|<[^>]*(click|mousedown|mouseup|mousemove|keypress|keydown|keyup)[^>]*>",
        RegexOptions.Singleline|RegexOptions.IgnoreCase|RegexOptions.Compiled);

    protected override ValidationResult IsValid(
        object value, ValidationContext validationContext) {

        if(value!=null
            && _check.IsMatch(value.ToString())){

            return new ValidationResult("Content is not acceptable");
        }

        return ValidationResult.Success;
    }

    /// <summary>
    /// <para>Allow Html</para>
    /// </summary>
    public void OnMetadataCreated(ModelMetadata metadata) {
        if (metadata == null) {
            throw new ArgumentNullException("metadata");
        }
        metadata.RequestValidationEnabled = false;
    }
}

Is this going to be enough? What do you do to check for such naughtyness?

3 answers

solution1
 3 ACCPTED  2011-02-16 12:30:17

Take a look at the Microsoft AntiXSS library . It boasts a AntiXSS.GetSafeHtmlFragment() method which returns the HTML stripped of all the XSS-badness.

As David has pointed out, a white list is always the way to go. AntiXSS uses a whitelist of HTML elements/attributes that are safe against XSS / filters out JavaScript.

solution2
 2  2011-02-16 12:02:58

Is this going to be enough?

No. It is a blacklist. A blacklist is never enough.

No. It is a regular expression. Regular expressions are rubbish at dealing with arbitrary HTML.

What do you do to check for such naughtyness?

A proper HTML parser combined with a whitelist.

solution3
 0  2011-02-16 11:58:05

Jeff Atwood had a nice discussion of this topic over on refactor my code. Definitely worth the time to check it out: http://refactormycode.com/codes/333-sanitize-html

The final refactored version should be pretty solid. Security is never a 100% type of thing but this is probably better than most other examples floating around.

暂无
暂无

The technical post webpages of this site follow the CC BY-SA 4.0 protocol. If you need to reprint, please indicate the site URL or the original address.Any question please contact:yoyou2525@163.com.

Related Question Securing JSON and ASP.NET MVC2 handle javascript injection in asp.net mvc Securing Asp.NET Core Uppy.js Endpoint ASP.NET Securing Cookie on HTTP and HTTPS ASP.Net MVC slow JS load minification Of JS And CSS In Asp.Net MVC ASP.NET MVC 4 JS Minification Error SyntaxError with .js and .css - ASP.NET MVC 5 ASP.NET MVC - Including JS file ASP.NET MVC3 model binder data is invalid when a getter is used against the collection
Related Tags
 
粤ICP备18138465号  © 2020-2024 STACKOOM.COM