
Users on my site have a page they can write their own html to. I want this to be used for things like ordered lists, styling, and so on, but some people will try to insert script, which I can't allow.

The mechanism for updating a user's description is through ajax. From javascript, I send a request to a file ajax.ashx, which calls a function in ajaxMethods.cs. In the function I update the sql server with the user's new description.

How can I validate the input in the function, before the description is submitted to the server? I want to take out anything to do with scripting, but leave the normal html tags like <p>. Are there any tools that will handle all of this?

2 Answers


Why not allow users to use a custom format / language instead (for example Markdown) and then parse this server side to HTML? This way you know that any script / html code you find within the actual request is invalid and can be stripped (or encoded). This also gives you the advantage of only allowing a predetermined list of tags. It would basically give you the same functionality as StackOverflow has.

I recommend you use HttpServerUtility.HtmlEncode on your output. Trying to parse out the script tags and not the HTML is not a good approach. See reference below:

XSS (Cross Site Scripting) Cheat Sheet

2 Comments

I don't think it's possible to use HtmlEncode because that encodes all the tags, while I need some tags to remain, but script tags to be removed.
I am just telling you if you try to parse HTML to only remove script tags you will run into problems and your solution won't stop common XSS attacks. There is a reason ASP.NET MVC encodes all output by default. :)
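As an added example (not code from the question or from either answer), here is the allowlist approach both answers point toward: the description is parsed, rebuilt from a fixed list of tags, every text node is re-encoded, and the only attribute that survives is an http(s) href on <a>. It assumes the HtmlAgilityPack NuGet package for parsing; the class, method and tag list are mine.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using HtmlAgilityPack; // assumed: HtmlAgilityPack NuGet package
public static class DescriptionSanitizer
{
    // Only these tags are written back out; anything else is either dropped or unwrapped.
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.Ordinal)
        { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a" };
    // These are removed together with their contents instead of being unwrapped.
    static readonly HashSet<string> DropWithContent = new HashSet<string>(StringComparer.Ordinal)
        { "script", "style", "iframe", "object", "embed" };
    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        var sb = new StringBuilder();
        Emit(doc.DocumentNode, sb);
        return sb.ToString();
    }
    static void Emit(HtmlNode node, StringBuilder sb)
    {
        foreach (HtmlNode child in node.ChildNodes)
        {
            if (child.NodeType == HtmlNodeType.Text)
            {   // Decode then re-encode so a stray '<' or '"' in user text can never form markup.
                sb.Append(WebUtility.HtmlEncode(HtmlEntity.DeEntitize(child.InnerText)));
                continue;
            }
            if (child.NodeType != HtmlNodeType.Element) continue; // comments etc. are dropped
            string name = child.Name.ToLowerInvariant();
            if (DropWithContent.Contains(name)) continue;             // tag and body both gone
            if (!AllowedTags.Contains(name)) { Emit(child, sb); continue; } // unwrap unknown tag
            sb.Append('<').Append(name);
            if (name == "a")
            {   // on* handlers, style, javascript: URLs and every other attribute are discarded.
                string href = child.GetAttributeValue("href", "");
                if (Uri.TryCreate(href.Trim(), UriKind.Absolute, out Uri u)
                    && (u.Scheme == Uri.UriSchemeHttp || u.Scheme == Uri.UriSchemeHttps))
                    sb.Append(" href=\"").Append(WebUtility.HtmlEncode(u.AbsoluteUri)).Append("\" rel=\"nofollow\"");
            }
            sb.Append('>');
            Emit(child, sb);
            if (name != "br") sb.Append("</").Append(name).Append('>');
        }
    }
}
```

Call DescriptionSanitizer.Sanitize on the description inside the ajaxMethods.cs function before the SQL update, and store the returned string rather than the raw request body.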
