
I am using the wysihtml5 editor to allow a user to post messages on an ASP.NET MVC4 discussion forum. These messages are stored in a MSSQL db and rendered to the screen with Razor syntax:

@Html.Raw(post.Html)

Although these users are authenticated, I wish to ensure that I will not be vulnerable to an injection attack such as the following:

User Posts:

<script>alert('Hacked:' + secretInformation)</script>

MVC Renders Alert box w/:

Hacked: ::secret info::

I have allowed the html to be stored in the db by setting in the controller:

[ValidateInput(false)]

What steps can I take to ensure that I am only rendering clean html code and not vulnerable to attack?

SHeinema

2 Answers

This has been answered in previous questions but here is some info:

AntiXss.HtmlEncode vs AntiXss.GetSafeHtmlFragment

You'll want the sanitizer code, since you want HTML to render but you don't want things like script tags showing up in the markup, for security reasons of course. I also would use the AntiXss.GetSafeHtmlFragment before persisting the HTML in a database. This will help save you when you use Razor's @Html.Raw.

JustinMichaels
  • Thank you for the response. It seems that GetSafeHtmlFragment is stripping most of: Test test ddfhdfghdfghdfghdfghdfghdfgh ---> Testtestddfhdfghdfghdfghdfghdfghdfgh Is this really unsafe? – SHeinema May 30 '13 at 16:23
  • After some research, it seems that the newest version of Microsoft's AntiXss lib is way way too strict. Have you been able to use this library successfully? – SHeinema May 30 '13 at 16:33
  • I haven't used this library since release 3.0. I was checking to see if you could remove the break and bold tags from the blacklist but don't see much in the way of documentation. – JustinMichaels May 30 '13 at 16:36
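What a defender would actually build from the advice in this answer, as an added example (not code from the question, the answers, or the AntiXss library): an allowlist sanitizer on top of HtmlAgilityPack (an assumed NuGet dependency) that keeps the formatting tags a WYSIWYG editor emits (so <b> and <br> survive) while dropping script, event-handler attributes and unsafe URLs, applied once before the post is stored and again inside a Razor helper that replaces @Html.Raw. The tag list, the Post class, the IPostRepository interface and the constructor-injection wiring are assumptions.

```csharp
// Added example, not code from the question or answers. Assumes the HtmlAgilityPack
// package, an IPostRepository abstraction and a DI container for the controller
// (all assumptions); the allowlist is illustrative and should match what your
// wysihtml5 parser rules let through.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using HtmlAgilityPack;

public static class PostHtmlSanitizer
{
    // Elements that survive. Anything else is unwrapped to its text, except
    // active content, which is dropped together with everything inside it.
    static readonly HashSet<string> AllowedTags = new HashSet<string>(
        new[] { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "blockquote", "a" },
        StringComparer.OrdinalIgnoreCase);
    static readonly HashSet<string> DropWithContent = new HashSet<string>(
        new[] { "script", "style", "iframe", "object", "embed" }, StringComparer.OrdinalIgnoreCase);

    // Per-element attribute allowlist: no on* handlers, no style, no src.
    static readonly Dictionary<string, HashSet<string>> AllowedAttributes =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        { { "a", new HashSet<string>(new[] { "href" }, StringComparer.OrdinalIgnoreCase) } };
    static readonly string[] AllowedSchemes = { "http://", "https://", "mailto:" };

    public static string Sanitize(string html)
    {
        if (string.IsNullOrEmpty(html)) return string.Empty;
        var doc = new HtmlDocument();
        doc.LoadHtml(html);
        // Snapshot the node list: the tree is mutated while it is walked.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
                node.Remove();                         // also removes conditional comments
            else if (node.NodeType == HtmlNodeType.Element)
                CleanElement(node);
            else if (node.NodeType == HtmlNodeType.Text)
            {   // Re-encode text so a stray '<' or '&' can never form new markup.
                var text = (HtmlTextNode)node;
                text.Text = HttpUtility.HtmlEncode(HtmlEntity.DeEntitize(text.Text));
            }
        }
        return doc.DocumentNode.InnerHtml;
    }

    static void CleanElement(HtmlNode node)
    {
        if (DropWithContent.Contains(node.Name)) { node.Remove(); return; }
        if (!AllowedTags.Contains(node.Name))
        {   // div, span, font, ...: keep the children, lose the tag.
            node.ParentNode.RemoveChild(node, keepGrandChildren: true);
            return;
        }
        HashSet<string> allowed;
        AllowedAttributes.TryGetValue(node.Name, out allowed);
        foreach (var attr in node.Attributes.ToList())
        {
            bool keep = allowed != null && allowed.Contains(attr.Name);
            if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                keep = IsSafeUrl(HtmlEntity.DeEntitize(attr.Value));
            if (!keep) attr.Remove();
        }
    }

    static bool IsSafeUrl(string url)
    {
        // Browsers ignore whitespace and control characters inside a scheme, so strip
        // them before matching; accept only known schemes or a root-relative path
        // (not a protocol-relative "//host").
        var cleaned = new string(url.Where(c => !char.IsWhiteSpace(c) && !char.IsControl(c)).ToArray());
        if (cleaned.StartsWith("/") && !cleaned.StartsWith("//")) return true;
        return AllowedSchemes.Any(s => cleaned.StartsWith(s, StringComparison.OrdinalIgnoreCase));
    }
}

public class Post { public int Id { get; set; } public string Html { get; set; } }
public interface IPostRepository { void Save(Post post); }   // assumed persistence layer

public class PostsController : Controller
{
    readonly IPostRepository _posts;
    public PostsController(IPostRepository posts) { _posts = posts; }   // assumes DI

    // ValidateInput(false) lets the markup reach the action; sanitising here means
    // the database only ever holds allowlisted HTML.
    [HttpPost, ValidateAntiForgeryToken, ValidateInput(false)]
    public ActionResult Create(string html)
    {
        _posts.Save(new Post { Html = PostHtmlSanitizer.Sanitize(html) });
        return RedirectToAction("Index");
    }
}

public static class PostHtmlHelpers
{
    // Sanitise again on the way out: Html.Raw bypasses Razor's encoding, and rows
    // written before this sanitiser existed (or by another code path) are untrusted.
    public static IHtmlString SafePostHtml(this HtmlHelper helper, string storedHtml)
    {
        return helper.Raw(PostHtmlSanitizer.Sanitize(storedHtml));
    }
}
```

In the view, `@Html.SafePostHtml(post.Html)` takes the place of `@Html.Raw(post.Html)`. With this allowlist the `<script>alert(...)</script>` payload from the question is removed outright, an `onclick` or `style` attribute on any kept tag is dropped, and the `<b>Test</b><br>test` sample that GetSafeHtmlFragment flattened is preserved. Sanitising at both the input and the output boundary is deliberate: the input pass keeps the database clean, the output pass protects against content that reached the table by another route.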

I have found a good solution here: AntiXss 4.2 Breaks everything

Thanks for the direction Justin. Let's go Microsoft, let's see a solution that doesn't devour ALL my tags!

SHeinema
  • Sorry that the AntiXss didn't work for you. I did have success with it in version 3 of it but haven't found the need for a WYSIWYG in any of the recent apps that I've worked on – JustinMichaels May 30 '13 at 17:32