How to sanitize inputs for Html.Raw on server side

  • Question

  • User-501297529 posted

    I have several views where I use @Html.Raw and would like to sanitize rich text inputs, possibly what the Rich Text Box may emit, and take a white-list type of approach to the tags/attributes that the server side will accept. I'm not sure how to do this or where to look to do this.

    @* Every @Html.Raw below renders the stored markup unencoded *@
    @foreach (var dorItem in catGroup)
    {
        <tr>
            <td class="view-dor">@Html.Raw(dorItem.Responsibility)</td>
            <td class="view-dor-description">
                @Html.Raw(dorItem.Description)
                <div class="verticalspace"></div>
                @foreach (var dorResponse in dorItem.DorItemResponses)
                {
                    <div style="border: solid black 1px; background-color: #eeeeee;">
                        <b>@dorResponse.Date.ToString("MM/dd/yyyy") @dorResponse.Title</b>
                        <div class="verticalspace"></div>
                        @Html.Raw(dorResponse.Response)
                    </div>
                }
            </td>
            @* the condition is already C# code, so the stray second @ was removed *@
            @if (dorItem.Status.Color.Name == "Yellow")
            {
                <td class="view-dor">
                    <font class="dor-status-dark" color="@dorItem.Status.Color.Name"><b>@dorItem.Status.Name</b></font>
                </td>
            }
            else
            {
                <td class="view-dor">
                    <font color="@dorItem.Status.Color.Name"><b>@dorItem.Status.Name</b></font>
                </td>
            }
        </tr>
    }

    Tuesday, April 14, 2020 6:30 PM

Answers

  • User-501297529 posted

    Sherry Chen

    Hi bootzilla ,

    What is the specific logic you want to sanitize, use a reset button in the view? What are the conditions on the page to choose to sanitize?

    Could you explain in more detail the effect you want to achieve?

    Best Regards,

    Sherry

    I want to sanitize the output from what I put in the rich text editor when I add or edit on a view. For example, if I add 'This is a test' in a rich text input and then on a page that shows the output, it shows as This<br>is<br>a<br>test. Or if I bold it, it will show as <b>This<br>is<br>a<br>test</b>. I don't want that to show like that with those html tags.

    • Marked as answer by Anonymous Thursday, October 7, 2021 12:00 AM
    Wednesday, April 22, 2020 5:38 PM

All replies

  • User-474980206 posted

    This is considerably more complex than you imagine. Hackers know all the special codes and variance to defeat white lists. You should pick a well tested and hardened html sanitizer.

    The safest bet is to parse to an html tree, then prune undesired attributes and nodes.

    Tuesday, April 14, 2020 7:34 PM
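    An added example (not code from this thread) of the parse-and-prune approach the reply describes, using the HtmlAgilityPack NuGet package (assumed available): every tag and attribute outside an allow-list is unwrapped or dropped, text nodes are re-encoded, and an `href` is kept only when it is relative, http or https. A maintained sanitizer library remains the better production choice; this shows the shape of the check.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack; // NuGet package "HtmlAgilityPack", assumed installed
public static class RichTextSanitizer
{
    static readonly StringComparer Ci = StringComparer.OrdinalIgnoreCase;
    // Tags the rich text editor is expected to emit; anything else is unwrapped or dropped.
    static readonly HashSet<string> AllowedTags =
        new HashSet<string>(Ci) { "b", "i", "u", "strong", "em", "p", "br", "ul", "ol", "li", "a" };
    // Attributes permitted per tag; tags not listed here keep no attributes at all.
    static readonly Dictionary<string, HashSet<string>> AllowedAttrs =
        new Dictionary<string, HashSet<string>>(Ci) { ["a"] = new HashSet<string>(Ci) { "href", "title" } };
    static readonly HashSet<string> DropWithContent = // disallowed tags whose content must go too
        new HashSet<string>(Ci) { "script", "style", "iframe", "object", "embed" };
    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument(); doc.LoadHtml(html ?? string.Empty);
        Prune(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }
    static void Prune(HtmlNode parent)
    {
        foreach (var node in parent.ChildNodes.ToList()) // copy: pruning mutates ChildNodes
        {
            if (node is HtmlTextNode text) // normalise entities, then re-encode the text
            { text.Text = HtmlDocument.HtmlEncode(HtmlEntity.DeEntitize(text.Text)); continue; }
            if (node.NodeType != HtmlNodeType.Element) { node.Remove(); continue; } // comments etc.
            if (!AllowedTags.Contains(node.Name))
            {
                bool keepChildren = !DropWithContent.Contains(node.Name);
                if (keepChildren) Prune(node);                    // vet nested nodes before unwrapping
                parent.RemoveChild(node, keepChildren); continue; // unwrap (<span>) or drop (<script>)
            }
            AllowedAttrs.TryGetValue(node.Name, out var allowed);
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = allowed != null && allowed.Contains(attr.Name);
                if (keep && Ci.Equals(attr.Name, "href")) keep = IsSafeUrl(attr.DeEntitizeValue);
                if (!keep) node.Attributes.Remove(attr);
            }
            Prune(node);
        }
    }
    // Only relative, http or https links survive; javascript:, data:, vbscript: are rejected.
    static bool IsSafeUrl(string url) =>
        !url.Any(char.IsControl) // browsers strip tabs/newlines, so "java\nscript:" must not pass
        && Uri.TryCreate(url.Trim(), UriKind.RelativeOrAbsolute, out var uri)
        && (!uri.IsAbsoluteUri || uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
}
```

    Call `RichTextSanitizer.Sanitize(dorResponse.Response)` before the string reaches `@Html.Raw`, or better on save so stored values are already clean.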
  • User-854763662 posted

    Hi bootzilla ,

    What is the specific logic you want to sanitize, use a reset button in the view? What are the conditions on the page to choose to sanitize?

    Could you explain in more detail the effect you want to achieve?

    Best Regards,

    Sherry

    Thursday, April 16, 2020 9:41 AM