Using AntiXss in @Html.Raw

  • Question

  • User-737375806 posted

    Hi,

    I want to handle XSS. So, I am using the sample code below.

    C# Code

    viewModel.RequestSiteLiveButtonHtml = "<a href='#' id='site' class='btn' data-content='{&quot;RowId&quot;:714886,&quot;SequenceNumber&quot;:1,&quot;Order&quot;:0}' data-assettypeid='1' onclick='ECL.RequestButton(this); return false;'>Sample</a>";

    CSHtml View Code

    @Html.Raw(Microsoft.Security.Application.Sanitizer.GetSafeHtml(Model.RequestButtonHtml))

    But Microsoft.Security.Application.Sanitizer.GetSafeHtml(Model.RequestButtonHtml) is returning the HTML as below

    <a href='#' id='site' class='btn'>Sample</a>

    So, how can I handle XSS without losing any attribute values?

    I am using other encoding methods, but @Html.Raw is not returning HTML; it's returning an encoded string.

    So, please help me to handle this XSS.

    Thanks in advance.

    Thursday, December 20, 2018 3:43 PM

All replies

  • User475983607 posted

    Your question is a bit confusing. First, this is HTML encoded.

    viewModel.RequestSiteLiveButtonHtml = "<a href='#' id='site' class='btn' data-content='{&quot;RowId&quot;:714886,&quot;SequenceNumber&quot;:1,&quot;Order&quot;:0}' data-assettypeid='1' onclick='ECL.RequestButton(this); return false;'>Sample</a>";

    Decode the string first as @Html.Raw() will render as is.

    Using @Html.Raw() means that you trust the HTML.

    If you do not trust the HTML then do NOT use @Html.Raw() and rethink the design.

    Thursday, December 20, 2018 3:58 PM
  • User-474980206 posted

    The point of the XSS filter is to remove all script and non-standard elements from the HTML and thus make user-typed HTML safe.

    Thursday, December 20, 2018 8:52 PM
  • User1520731567 posted

    Hi KumarJalli,

    If you use AntiXss, this is the inevitable result of filtering with AntiXss.

    The purpose of AntiXss is to filter untrusted user input.

    I think that using validation with regular expressions against the user input is the proper countermeasure.

    Best Regards.

    Yuki Tao

    Friday, December 21, 2018 7:15 AM
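An added example, not from any poster on this thread, showing the design the replies point to: keep the row data in the model, let an HTML encoder produce the attribute values, and drop the inline onclick so the sanitizer has nothing to strip. It assumes .NET Core / .NET 5+ (System.Text.Json and System.Text.Encodings.Web); RequestButtonData, RequestButtonHtml and the js-request class name are hypothetical.

```csharp
using System;
using System.Text.Encodings.Web;
using System.Text.Json;

// Hypothetical model: the view model carries data, not markup.
public sealed class RequestButtonData
{
    public int RowId { get; set; }
    public int SequenceNumber { get; set; }
    public int Order { get; set; }
}

public static class RequestButtonHtml
{
    // Builds the anchor from data. Every dynamic value goes through
    // HtmlEncoder (attribute-safe), and there is no inline onclick: the
    // handler is attached by a separate script, so the markup contains
    // nothing a sanitizer would need to strip and the data-* attributes
    // never carry executable content.
    public static string BuildRequestButton(RequestButtonData data, int assetTypeId)
    {
        // Serialize to JSON first, then HTML-encode the whole JSON string.
        // The quotes become &quot; (the same shape as in the question), so
        // the JSON cannot terminate the attribute value.
        string content = HtmlEncoder.Default.Encode(JsonSerializer.Serialize(data));
        string assetType = HtmlEncoder.Default.Encode(assetTypeId.ToString());

        return "<a href=\"#\" id=\"site\" class=\"btn js-request\""
             + " data-content=\"" + content + "\""
             + " data-assettypeid=\"" + assetType + "\">Sample</a>";
    }

    public static void Main()
    {
        // Constructed sample values taken from the question's markup.
        var data = new RequestButtonData { RowId = 714886, SequenceNumber = 1, Order = 0 };
        Console.WriteLine(BuildRequestButton(data, 1));
    }
}
```

In a Razor view the same effect comes from writing the attribute directly, `data-content="@JsonSerializer.Serialize(Model.Button)"`, since Razor encodes @-expressions; either way the click is wired unobtrusively (for example `JSON.parse(el.dataset.content)` inside a click listener on `.js-request`) rather than with onclick.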