
What is the best/safest way to ensure that if a user enters any HTML or JavaScript (or even SQL) into a form that it all gets cleaned out and only displays plain text (or will display their HTML in plain text) or gives the user an error? Obviously I'm trying to prevent XSS and any kind of injection, as well as I don't want users to try to disturb the display of my page with their own HTML. Ideally I would prefer to not have the HTML written to the database.

EDIT: I am not sure who to mark as the answer as you all solved this problem from different angles

dreadlocks1221

3 Answers


Why filtering before storing in the database? Filter when outputting. For example in a web application you could HTML encode. The Razor @ function already does that:

@Model.SomePropertyThatCouldContainHTML

Now you are safe. And inside your database you have the actual string being stored that could be reused in other applications. For example in a Desktop application you have no XSS to worry about so it wouldn't make sense to strip those tags out.

But if you need to show the user input unencoded you could use the AntiXSS library to strip all dangerous javascript code from it that could result in XSS.

And as far as SQL is concerned, well, always use parametrized queries, this way you don't need to worry about any SQL injection.

Darin Dimitrov
  • I really don't want to have to worry about encoding on every view; I think that leaves more room for error which could lead to an attack – dreadlocks1221 Aug 14 '12 at 18:55
  • @dreadlocks1221, no you don't need to worry about it. As I said the framework already takes care of it. For example in Razor this is done by default with the `@` function. And by the way don't forget that not all users are malicious. There could be users that simply want to use for example the `<` character in a description and if you don't HTML encode it your view will completely break. So you should already be HTML encoding everything that comes from a user input anyway. If you are not then I very strongly suggest you do so. – Darin Dimitrov Aug 14 '12 at 18:57
  • I see I will look more into this – dreadlocks1221 Aug 14 '12 at 19:27
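The pattern this answer describes (store the raw string, HTML-encode only when rendering, and bind SQL values as parameters), as an added illustration that is not part of the answer or of any library's own code. It assumes a hypothetical `Comments` table with an `nvarchar` column `Body`, a connection string supplied by the caller, and a constructed sample input; `WebUtility.HtmlEncode` is the same encoding Razor applies to `@Model.SomeProperty` for you.

```csharp
// Added example, not from the original answer. Assumes a hypothetical table
// Comments(Body nvarchar(max)) and a caller-supplied SQL Server connection string.
using System;
using System.Data;
using System.Data.SqlClient;
using System.Net;

public static class SafeOutput
{
    // Output encoding: what Razor's @ syntax does for every rendered value.
    // A stored "<script>" arrives in the browser as the text "&lt;script&gt;",
    // so it is displayed, never executed. The stored string itself stays untouched.
    public static string RenderComment(string rawBody)
    {
        return "<p>" + WebUtility.HtmlEncode(rawBody) + "</p>";
    }

    // Parameterized write: rawBody is bound as @body, never concatenated into the
    // SQL text, so quotes or SQL keywords inside it are treated purely as data.
    public static void StoreComment(string connectionString, string rawBody)
    {
        using (var conn = new SqlConnection(connectionString))
        using (var cmd = new SqlCommand("INSERT INTO Comments (Body) VALUES (@body)", conn))
        {
            cmd.Parameters.Add("@body", SqlDbType.NVarChar).Value = rawBody;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }

    public static void Main()
    {
        // Constructed sample input containing markup, an ampersand and a quote.
        string userInput = "Hi <b>there</b> & it's <script>x</script>";

        // Rendering encodes every special character; the markup shows up as literal text.
        Console.WriteLine(RenderComment(userInput));

        // StoreComment(connectionString, userInput) would persist the raw value;
        // it is not invoked here because it needs a live database.
    }
}
```

The view then needs nothing beyond `@Model.Body`; only `@Html.Raw(...)` bypasses the encoding, which is exactly the case where the answer points you at the AntiXSS library to sanitize first.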

By default Request Validation is turned on in your website. Basically this examines each request as it comes to the server and if it detects a potentially dangerous request it will throw an exception. In theory it is great but the reality is, at least in my experience, you almost always wind up turning this off on pages where you are using some sort of RTE (or user input in general really) since the mere presence of HTML will cause the validation to fail.

There are many ways to prevent XSS but here are a few basics:

  • Constrain your input. What this means is that if you have a field that should only ever have numbers in it (e.g. telephone number) then prevent the user from typing anything but numbers in that field.
  • Decode / Encode your inputs
  • Simply finding a regex to strip is not the silver bullet since XSS requests can be encoded so that no physical tags exist in the request.

Here are some resources:

Finally, when in doubt Google

dparsons
  • I wanted to download that library in the first link you mentioned, but the download link is broken. Is there a homepage or another place to get that library? – dreadlocks1221 Aug 14 '12 at 18:54
  • Ya you can pull it down off of Codeplex: http://wpl.codeplex.com/releases/view/80289 – dparsons Aug 14 '12 at 18:55
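Two of the points in this answer, constraining input to what the field allows and the warning that a tag-stripping regex is not a silver bullet, as an added illustration that is not part of the answer. The phone pattern, the naive `StripTags` regex and the sample strings are all constructed for the example; `WebUtility.HtmlDecode` stands in for any later step in a pipeline that decodes entities.

```csharp
// Added example, not from the original answer. The patterns and inputs are constructed.
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class InputHandling
{
    // Constrain the input: a phone field accepts an optional '+' and 7-15 digits,
    // nothing else. Anything containing markup is rejected outright.
    private static readonly Regex PhonePattern = new Regex(@"^\+?[0-9]{7,15}$");

    public static bool IsValidPhone(string input)
    {
        return PhonePattern.IsMatch(input ?? "");
    }

    // The naive blacklist: remove anything that looks like a tag.
    private static readonly Regex TagPattern = new Regex(@"<[^>]*>");

    public static string StripTags(string input)
    {
        return TagPattern.Replace(input ?? "", "");
    }

    public static void Main()
    {
        Console.WriteLine(IsValidPhone("+15551234567"));   // digits only: accepted
        Console.WriteLine(IsValidPhone("555<b>1234</b>")); // contains markup: rejected

        // Constructed inputs: a literal tag, and the same tag with its angle brackets
        // entity-encoded, i.e. a request in which no physical tag exists.
        string literal = "<script>x</script>";
        string encoded = "&lt;script&gt;x&lt;/script&gt;";

        // The regex removes the literal tag...
        Console.WriteLine(StripTags(literal));
        // ...but never sees a '<' in the encoded form, so that passes through unchanged.
        string survivor = StripTags(encoded);
        Console.WriteLine(survivor);

        // If any later step decodes entities (a decoding proxy, a second app reading the
        // database, a Html.Raw of decoded text), the tag the regex "removed" is back.
        Console.WriteLine(WebUtility.HtmlDecode(survivor));
    }
}
```

The whitelist check is the dependable half: it states what the field may contain and refuses everything else, so there is nothing to strip. For free-text fields, where a whitelist is impossible, the regex approach is exactly the trap the answer describes, and encoding at output (as in the first answer) is what renders both the literal and the encoded form as harmless text.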