can you recommend how to handle anti xss input from html editor?

Question

User-1312778766 posted

hello

net.4 c# vs2012 express

can you recommend how to handle anti xss server input from html editor?

so in the nature  of things i have to allow the html tags, href, img, background:....

i found 2 links to handle that input http://techbrij.com/xss-attack-prevention-html-editor

and this one http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/

i will be happy to hear what do you think about there coverage .

any other suggestions will be welcome

thanks

Answer 1

User399763608 posted

Hi,

I'm not familiar with those html editors you've linked but if you're new to XSS you should make sure you read these resources. 

https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)

http://en.wikipedia.org/wiki/Cross-site_scripting

You could possibly use this maybe: http://www.asp.net/ajaxLibrary/AjaxControlToolkitSampleSite/HtmlEditorExtender/HTMLEditorExtender.aspx

Answer 2

User71929859 posted

can you recommend how to handle anti xss server input from html editor?

Use HtmlEncode method to encode the HTML.

Have a look at the below video

http://www.asp.net/web-forms/videos/how-do-i/how-do-i-understand-and-defend-against-script-injection-attacks-in-aspnet

i will be happy to hear what do you think about there coverage .

Those are sanitizing user input which is good.