3

I have added an HtmlEditorExtender AJAX control to my ASP.NET web application, putting the XSS sanitizer in it for XSS security, but now when I retrieve the text from the HtmlEditorExtender the sanitizer removes HTML5 from it and all the input comes in a single. I searched on the internet and found that this is happening because the XSS sanitizer recognizes HTML5 tags as unknown unsafe tags, and that's why all HTML5 tags get removed from the formatted HTML of the HtmlEditorExtender. Now I am using the HtmlEditorExtender with EnableSanitization="false".
Should I remove the XSS sanitizer from my project, or should I go for

  1. TinyMCE or
  2. CKEditor


but neither of these is configured for image upload, and the user has to add their own third-party image uploader.
Please tell me how I can protect my site from XSS attacks without losing the HTML tags formatted in the HtmlEditorExtender.

3 Answers

1

Were you aware that the newest HtmlEditorExtender offers an alternative sanitizer for this reason? It's called the HtmlAgilityPackSanitizerProvider. Not sure if it's included if you use NuGet to download, but if you download the zip from CodePlex, it contains a folder called "SanitizerProviders" that contains the DLLs you need for the alternate sanitizer. You can then specify the alternate sanitizer (which is included in the download) in the config file.

Here is a link to Stephen Walther's blog where he explains this: http://stephenwalther.com/archive/2012/06/25/announcing-the-june-2012-release-of-the-ajax-control-toolkit.aspx

I'm not sure if this solves your issue or if updating to the latest toolkit is an option, but you didn't mention trying this out so it sounds like it's worth a shot.

swannee
  • Thanks for replying. A few minutes ago I checked that issue in IE10, Safari and Chrome; in all 3 everything works fine because they use div for new paragraphs and lines, but when I hit enter in the HTML editor in Firefox a tag is created, and on submission of the HTML text all tags get removed by the sanitizer, and that's why the new line break is not appearing in Firefox. Can you now help me in resolving this issue? –  Jul 09 '12 at 18:03
  • Did you look at what I posted? If you follow the instructions I posted it should resolve this. – swannee Jul 09 '12 at 20:47
  • Yes, I followed your post but it's not resolving it. In [this stackoverflow thread](http://stackoverflow.com/questions/10665549/antixss-htmlencode-textarea-line-break-loss?rq=1) someone described this issue but no one answered him; please read there. Please tell me, can I remove the sanitizer recommended by Stephen Walther and use `Microsoft.security.application.sanitizer(input);` instead? Do these two do the same thing, or am I going in the wrong direction? Because if I use this then I can scan all my inputs for XSS attacks. Please help me. –  Jul 10 '12 at 01:59
0

As a workaround for this issue I'm replacing all <br> tags with an unknown phrase before sanitisation, and putting them back in place on PreRender(). It works for me with all major browsers.

in aspx page:

<asp:TextBox runat="server" ID="txtSign" TextMode="MultiLine"/>
<ajaxToolkit:HtmlEditorExtender TargetControlID="txtSign" OnPreRender="htmlEditorExtender1_PreRender"  ID="htmlEditorExtender1" runat="server" />

in code behind:

// Page_Load runs on every postback. The posted editor content arrives HTML-encoded,
// so the encoded <br> is swapped for a placeholder the sanitizer leaves alone before
// the rest of the text is decoded. The placeholder has to be a string no user would
// ever type; otherwise the restore step below turns user text into markup.
protected void Page_Load(object sender, EventArgs e)
{
   if (IsPostBack)
      txtSign.Text = Server.HtmlDecode(txtSign.Text.Replace("&lt;br&gt;", "~_!_~"));
}

// PreRender of the extender: put the line breaks back once sanitisation has run.
protected void htmlEditorExtender1_PreRender(object sender, EventArgs e)
{
   txtSign.Text = txtSign.Text.Replace("~_!_~", "<br>");
}
Amin
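The protect-and-restore round trip from this answer, written out in Python as an added example so it can be run offline. It is not Amin's code and not the toolkit's: the `strict_sanitize` stand-in (which drops every tag, mirroring the symptom in the question), the regular expressions and the function names are all constructed here. It also covers the case the posted snippet does not handle: user text that already contains the placeholder, which would otherwise come back out as a `<br>`.

```python
import html
import re

SENTINEL = "~_!_~"  # the same placeholder the answer above uses

# Constructed stand-in for a sanitizer that treats <br> as an unknown tag and
# strips it (here: strips every tag). Only present so the round trip runs offline.
TAG_RE = re.compile(r"<[^>]*>")


def strict_sanitize(text):
    """Stand-in sanitizer: removes all tags, including <br>."""
    return TAG_RE.sub("", text)


# Matches <br>, <br/>, <BR /> and, because the posted text box content is
# HTML-encoded, the encoded forms such as &lt;br&gt; that the answer replaces.
BR_RE = re.compile(r"(?:<|&lt;)br\s*/?(?:>|&gt;)", re.IGNORECASE)


def protect_breaks(posted):
    """Page_Load step: hide line breaks behind the sentinel, then decode the rest."""
    # A sentinel that is already present in user data would be rewritten into a
    # <br> by restore_breaks, so remove it first: the placeholder must only ever
    # originate from this function.
    posted = posted.replace(SENTINEL, "")
    return html.unescape(BR_RE.sub(SENTINEL, posted))


def restore_breaks(sanitized):
    """PreRender step: turn the sentinel back into <br>."""
    return sanitized.replace(SENTINEL, "<br>")


def round_trip(posted):
    """Protect, sanitize, restore: the order the answer's page events run in."""
    return restore_breaks(strict_sanitize(protect_breaks(posted)))


if __name__ == "__main__":
    # Constructed sample input: what the text box posts back from Firefox.
    print(round_trip("line one&lt;br&gt;line two"))   # line one<br>line two
    print(round_trip("<b>bold</b><BR />next"))       # bold<br>next
```

The sentinel trick only works because the sanitizer leaves `~_!_~` untouched; if a sanitizer ever encoded or stripped the sentinel characters, the breaks would be lost again. Dropping a sentinel that arrives in user input is a deliberate choice here: it alters that text slightly, but it guarantees the restore step can never create markup the user did not type as a line break.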
-3

Write your very own sanitizer:

There are lots of parsers online, for example: White List Sanitizer Code.

  • Get a good white list to start with.
  • A white list is a list of valid HTML tags, e.g. br.
  • Update your white list to conform to HTML5 and any new W3C standards and/or your org's coding standards.
  • Don't rely on Microsoft to hold your hands as you develop solutions.
  • Take some initiative as a good developer and think outside the box.

Example:

  • I created my own sanitizer with a *cached white list* which is available to be used where I see fit, not just with ajax controls. :)

  • Reviewed the Ajax htmlagilitypack Provider source code for inspiration to see their intent: HtmlAgilityPackSanitizerProvider.cs

  • I removed the Ajax htmlagilitypack, which is way too strict, and life is grand once again.

Benefits: You can cleanse/sanitize text properties for all input controls.

Total time to conceive, develop, unit test and feel loved and secure without having bad dreams: 2 hours

I hope this helps.... :)

DISCLAIMER: I didn't take my spelling and grammar medicine today. Sorry.

References:

Imports System.Linq
Imports HtmlAgilityPack
Mike
  • Sanitizers are generally a solved problem, and using an existing solution is better - it not only saves time, but also avoids bugs which might cause vulnerabilities if it is not written carefully. – ronalchn Sep 19 '12 at 08:50
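What an allowlist sanitizer of the kind this answer describes looks like when the edge cases the comment warns about are handled: mis-nested and unclosed tags, script and style content, attributes and link schemes. This is an added example written for this page in Python (chosen so it runs without the toolkit; an ASP.NET version would walk an HtmlAgilityPack document the same way). It is not Mike's sanitizer and not the toolkit's HtmlAgilityPackSanitizerProvider, and the tag, attribute and scheme lists are constructed for the example.

```python
from html.parser import HTMLParser
from html import escape
from urllib.parse import urlparse

# Allowlist of tags the editor may keep. The HTML5 elements are the ones the
# toolkit's default sanitizer drops as "unknown"; br is kept for Firefox.
# Constructed for this example; adjust to your own content rules.
ALLOWED_TAGS = {
    "p", "br", "div", "span", "b", "strong", "i", "em", "u", "ul", "ol", "li",
    "h1", "h2", "h3", "h4", "h5", "h6", "blockquote", "a",
    "section", "article", "header", "footer", "figure", "figcaption", "mark",
}
VOID_TAGS = {"br"}                        # never get a closing tag
ALLOWED_ATTRS = {"a": {"href", "title"}}  # everything else (on*, style, ...) is dropped
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # "" covers relative URLs
DROP_WITH_CONTENT = {"script", "style"}   # the tag and its text both go


class AllowListSanitizer(HTMLParser):
    """Re-serialises a fragment keeping only allowlisted tags and attributes."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.stack = []        # tags we emitted and still have to close
        self.skipping = False  # inside <script> / <style>

    def handle_starttag(self, tag, attrs):
        if self.skipping:
            return
        if tag in DROP_WITH_CONTENT:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return             # tag dropped; its text still arrives via handle_data
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue
            value = (value or "").strip()
            if name == "href" and urlparse(value).scheme not in SAFE_SCHEMES:
                continue       # only the listed URL schemes survive
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.stack.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_WITH_CONTENT:
                self.skipping = False
            return
        if tag not in self.stack:
            return             # stray closing tag, or one we never opened
        while True:            # close mis-nested inner tags first
            top = self.stack.pop()
            self.out.append(f"</{top}>")
            if top == tag:
                break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # re-escape decoded text

    def handle_comment(self, data):
        pass                   # comments are dropped


def sanitize(fragment):
    """Return the allowlisted re-serialisation of an HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    while parser.stack:        # close whatever the input left open
        parser.out.append(f"</{parser.stack.pop()}>")
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed sample: HTML5 elements and a Firefox <br> both survive.
    print(sanitize("<section><h2>Title</h2><p>Hi<br>there</p></section>"))
```

Because the output is rebuilt from the parse tree rather than patched with string replacement, text is always re-escaped and every emitted tag is closed, which is what makes this safe to render afterwards. The list of checks here (tags, attributes, schemes, script content, nesting) is also a good reading of why the comment recommends an existing sanitizer: each one is a place a hand-rolled version can go wrong.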