
I am inserting HTML into a database for the first time, so I need some advice on whether I am doing it right and safely.
I have a class with a property:

[AllowHtml] public string Description { get; set; }

In the view I have a tinyMCE editor (on a text area) where the user inputs his data.
When I display that HTML later I use:

@Html.Raw(Model.Description)

I don't know whether I should do something else to prevent attacks on the site.
I have tried to input:

<script>alert('attack');</script>

but nothing happens; it saves it in the database and displays it as normal text later.
Also I wonder, if a user leaves some tag unclosed, can he break my layout somehow?
What are the smart steps when dealing with a scenario like this?

2 Answers


What should happen is that the HTML should be encoded before it is written to the database. If you look in your database you should see something like this (or at least, if things are safe, you should):

&lt;script&gt;alert(&#39;attack&#39;);&lt;/script&gt;

Now when this is written to the page by Html.Raw, it appears on screen as it did when it was submitted, but if you inspect the page you will still see the same thing.

ASP.NET actually makes it very difficult to write code that opens your site up to abuse, so you should generally be fine. It is worth doing some more reading around the topic though, as it's good stuff to be aware of, especially if mentoring others.

Some links:

Preventing Javascript and XSS attacks

http://msdn.microsoft.com/en-us/library/ff649310.aspx


You can use the Microsoft AntiXSS from the Windows Protection Library.

TinyMCE, AntiXSS, MVC3 and GetSafeHtmlFragment

Cheers.
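The approach this answer points at, as an added example that is not code from the question or either answer: an MVC controller action that runs the TinyMCE output through the AntiXSS allowlist sanitizer (`Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment`) before it is stored, so that the later `@Html.Raw(Model.Description)` only ever emits markup that has already been reduced to safe tags. The model, controller and `IArticleRepository` are hypothetical names chosen for the example.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library; provides Sanitizer

// Hypothetical view model mirroring the property in the question.
public class ArticleViewModel
{
    public int Id { get; set; }

    [Required]
    public string Title { get; set; }

    // [AllowHtml] only switches off MVC request validation for this field
    // (so "<script>" is accepted by model binding); it does nothing to make
    // the HTML safe. Sanitization has to happen explicitly.
    [AllowHtml]
    public string Description { get; set; }
}

// Hypothetical data-access abstraction; any repository or DbContext will do.
public interface IArticleRepository
{
    void Save(ArticleViewModel article);
}

public class ArticlesController : Controller
{
    private readonly IArticleRepository _repo;

    public ArticlesController(IArticleRepository repo) { _repo = repo; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(ArticleViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Allowlist sanitization: <script> blocks, event-handler attributes
        // (onerror, onclick, ...) and javascript: URLs are removed, and the
        // fragment is re-serialised from the parsed tree, which also deals
        // with the unclosed-tag concern from the question.
        model.Description = Sanitizer.GetSafeHtmlFragment(model.Description ?? string.Empty);

        _repo.Save(model);
        return RedirectToAction("Details", new { id = model.Id });
    }
}
// In the view, @Html.Raw(Model.Description) then renders the sanitized fragment.
```

Sanitizing again at render time (or with a view helper) costs little and protects rows that reached the database by another path, such as an import script.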
