TinyMCE, AntiXSS, MVC3 and GetSafeHtmlFragment

Question

I've read through lots of postings on SO regarding XSS and how to deal. Generally, the consensus is whitelist over blacklist and avoid using Regular Expressions (too many variants to deal with).

I'm working on an ASP.Net MVC3 application. I need to be able to display HTML from the user entry (ex. < strong >, < ul >, < li >, etc...) but I don't want any XSS risks.

I'm using the AntiXSS package via Nuget. In my model, I have

[AllowHtml]
public string UserDetails{ get; set; }

In my view, I have TinyMCE hooked into the textarea.

In my controller, I get the post from the View and sanitize it:

using Microsoft.Security.Application;
...
string SanitizedDetails = Sanitizer.GetSafeHtmlFragment(model.UserDetails);

My question: Did I do it right? Am I protected from most XSS issues or am I barking up the wrong tree?

Answer 1

You are posted against certain forms. Allowing html is a dangerous operation as it is, so you are trying to mitigate it the best you can. Your approach is pretty good here.

There are other options to help but unfortunately not everything is production ready. There are the Content Security Policy headers that are partially supported by various browsers. Ex: http://www.w3.org/TR/CSP/

So what you have is decent, but you could enhance this a little bit if you want to venture into content security policy (for one)

I go over quite a few XSS attacks here if you are interested. http://www.pluralsight-training.net/microsoft/Courses/TableOfContents?courseName=hack-proofing-dotnet-app

You may want to include an additional sanitize prior to rendering (and before saving) in case another attack (sql injection for example) has inserted xss code into your html.

Answer 2

When we use Sanitizer.GetSafeHtmlFragment(model.UserDetails); with the help of Whitelist it will not allow any tags to execute through it. For example when

model.UserDetails = "Testdata `<script>alert('Malicious Code');</script>`"

It is an Injection Code, the SafeHtmlFragment method does not allow the <script> tag to execute.

model.UserDetails = "Testdata `<a href="www.google.com">Google <a/>`"

It is a safe Code where it should return a text and the Google hyperlink to navigate to google.com.

When the model.UseDetails only return the Testdata as it's output.