TinyMCE, AntiXSS, MVC3 and GetSafeHtmlFragment

I have read a lot of posts on SO regarding XSS and how to deal with it. As a rule, the consensus is to use a “white list” rather than a “black list” and to avoid regular expressions (there are too many cases to solve for).

I am working on an ASP.NET MVC3 application. I need to be able to display HTML from a user record (e.g. <strong>, <ul>, <li>, etc.), but I don't want the risks of XSS.

I am using the AntiXSS package from NuGet. In my model I have

[AllowHtml] public string UserDetails { get; set; }

In my view, I have TinyMCE attached to the text area.

In my controller, I get the message from the view and sanitize it:

using Microsoft.Security.Application;
...
string SanitizedDetails = Sanitizer.GetSafeHtmlFragment(model.UserDetails);

My question is: have I done everything right? Am I protected from most XSS issues, or am I barking up the wrong tree?

+6
2 answers

You are accepting posts in some form. Allowing HTML is a dangerous operation, so you try to mitigate it as much as you can. Your approach here is pretty good.

There are other options that can help, but unfortunately not all of them are production-ready. There are Content Security Policy headers, which are partially supported by various browsers. Example: http://www.w3.org/TR/CSP/

So you have a decent approach, but you can improve it a bit if you want to take a chance on Content Security Policy (for one).

I walk through a few XSS attacks here, if you are interested: http://www.pluralsight-training.net/microsoft/Courses/TableOfContents?courseName=hack-proofing-dotnet-app

You could add additional sanitization before rendering (as well as before saving), in case another attack (for example, SQL injection) inserted XSS code into your HTML.

+4

When we use Sanitizer.GetSafeHtmlFragment(model.UserDetails), which works from a whitelist, it will not allow any tags to execute through it. For example, if

model.UserDetails = "Testdata <script>alert('Malicious Code');</script>";

This is injection code; the GetSafeHtmlFragment method does not allow the <script> to execute.

model.UserDetails = "Testdata <a href=\"www.google.com\">Google</a>";

This is safe code, for which it should return the text and a Google hyperlink that navigates to google.com.

Whereas model.UserDetails returns only "Testdata", as the rest is stripped out.

0
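How the pieces discussed in the question and both answers fit together end to end, as an added example that is not code from the original question or answers: sanitize with GetSafeHtmlFragment once when the TinyMCE post arrives, persist only the sanitized fragment, render that single field with Html.Raw, and send the Content-Security-Policy header the first answer mentions. UserRecord, IUserRepository, UserController and the policy value are assumptions.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application;   // AntiXSS NuGet package (Sanitizer)

// Hypothetical model: [AllowHtml] lets the raw HTML from TinyMCE reach the
// controller without tripping MVC3's request validation for this one field.
public class UserRecord
{
    public int Id { get; set; }

    [AllowHtml]
    public string UserDetails { get; set; }
}

// Hypothetical persistence; only the already-sanitized fragment is ever stored.
public interface IUserRepository { void Save(UserRecord record); UserRecord Get(int id); }

// Sends a Content-Security-Policy header on every response of the controller.
// The policy value is an assumption; tighten it to what your pages really need.
public class ContentSecurityPolicyAttribute : ActionFilterAttribute
{
    public override void OnResultExecuting(ResultExecutingContext filterContext)
    {
        filterContext.HttpContext.Response.AppendHeader(
            "Content-Security-Policy", "default-src 'self'; script-src 'self'");
        base.OnResultExecuting(filterContext);
    }
}

[ContentSecurityPolicy]
public class UserController : Controller
{
    private readonly IUserRepository _repository; // hypothetical, injected

    public UserController(IUserRepository repository) { _repository = repository; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(UserRecord model)
    {
        if (!ModelState.IsValid) return View(model);

        // Sanitize on the way in: everything outside AntiXSS's whitelist
        // (<script>, on* handlers, javascript: URLs, ...) is dropped here.
        model.UserDetails = Sanitizer.GetSafeHtmlFragment(model.UserDetails ?? string.Empty);
        _repository.Save(model);
        return RedirectToAction("Details", new { id = model.Id });
    }

    // Details.cshtml renders @Html.Raw(Model.UserDetails); that is the only
    // place Razor's default encoding is bypassed, and only for this field.
    public ActionResult Details(int id) { return View(_repository.Get(id)); }
}
```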

Source: https://habr.com/ru/post/917333/
