3

How can we handle JavaScript injection in an ASP.NET MVC (C#) application?

I can use Html.Encode in my View. But the problem is I also have HTML to show in the page, like a blog post.

I need to remove the script entered in the input elements of the application. How can I do that in a common place?

Prasad

1 Answer

9

The "high-level" best practice for doing this is:

  • Store user-input the way it was entered into the system
  • HTML encode all user-input when it is output on any page
  • Use a white-list approach to "de-encode" allowed HTML characters, attributes, attribute values, etc. that you encoded in the previous step

HTML Encoding user-input on output will stop JavaScript from being executed on your site.

The reason you want to store user-input "as entered" is that you may in the future decide to output user data in other formats (PDF, email, JavaScript, RSS, etc.) that don't have the same rules for encoding. As a result, you should keep data as close to its original form as possible. This will make things easier to deal with later.

For HTML Encoding user-input, you can use System.Web.HttpUtility.HtmlEncode(...).

To combine steps 2 & 3, you can use Microsoft's AntiXSS library. It provides some extra encoding methods that the HttpUtility class doesn't provide to make your job easier. I was unaware, until Malcolm pointed it out in the comments, that the latest version of this library includes a method called GetSafeHtmlFragment(...) which will remove all JavaScript manually. This will handle all of the heavy lifting of removing user-entered JavaScript code for you. You will most likely want to use GetSafeHtmlFragment and not GetSafeHtml, which is designed to encode entire HTML documents.

Minor note: Read the reviews of the latest AntiXss release (January 2012 at the time of writing this) if you find functionality is not working as you expect. You may want to consider using an older release depending on your needs, though be advised that older releases have known security defects in them. Microsoft has acknowledged the issue and is looking into a solution.

Dan Herbert
  • I have not heard about the AntiXSS library for a while and did not know that it is on CodePlex now. It has JavaScript encode. My understanding is that you need to JavaScript encode if you want to use input in JavaScript. HttpUtility doesn't have JavaScript encode. So every project needs to have this library, right? – Mathias F Feb 06 '10 at 15:19
  • @Malcolm Every project that plans on encoding user input for use in JavaScript should have this library. – Dan Herbert Feb 06 '10 at 15:33
  • This is new and looks very usable: AntiXss.GetSafeHtml(input). The method has its own whitelist of HTML tags. Perfect! – Mathias F Feb 06 '10 at 16:11
  • Added the Warning Note to this post, I was about to start using the AntiXSS but luckily enough did read the review messages before. This answer is all good and solid, based on the reviews something broke in the latest versions of the AntiXSS. – Kallex Sep 28 '12 at 12:14
  • @Kallex It is appropriate to add this note as a comment here, rather than editing the answer. – Erick Robertson Sep 28 '12 at 12:17
  • @ErickRobertson I did evaluate how to do this, but reflecting on my own behaviour, I don't always read the comments after seeing a good solid answer. And based on what in my head turned "really great that Microsoft provides this library" into "thank god I didn't use it", I ended up going with fixing the perfectly valid answer. The incident of the broken lib kind of renders part of the answer unfortunately not applicable. – Kallex Sep 28 '12 at 12:24
  • @Kallex As with all external libraries, you should always test that it works the way you expect. The maintainers of the library have acknowledged that the current release is overly-aggressive in the type of content it strips out and they are working on a solution. I've added a note to my answer to point this out. – Dan Herbert Sep 28 '12 at 12:30
  • @DanHerbert Thanks, all good now. I understand MS didn't do this on purpose, and they do imply that it's taken months now. Just when I read the reviews and sensed the frustration, wanted to avoid anyone jumping into that (as I myself almost did). – Kallex Sep 28 '12 at 12:35
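
The three steps listed in the answer above (store as entered, HTML encode on output, de-encode an allow-list), as an added example that is not code from the answer or from the AntiXSS library. The class name SafeHtml, the method Render and the tag list are assumptions, and System.Net.WebUtility.HtmlEncode stands in for HttpUtility.HtmlEncode so the sketch runs as a console program.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: encode everything first, then restore a fixed allow-list of tags.
public static class SafeHtml
{
    // Assumption: the tags this site allows in posts. None may carry attributes,
    // so href, src, style and on* handlers are never restored.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(b|i|em|strong|p|ul|ol|li|blockquote|code|pre)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    private static readonly Regex LineBreak = new Regex(
        @"&lt;br\s*/?&gt;", RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string Render(string storedInput)
    {
        if (string.IsNullOrEmpty(storedInput)) return string.Empty;

        // Step 2: encode the whole value; every '<' the user typed becomes "&lt;".
        string encoded = WebUtility.HtmlEncode(storedInput);

        // Step 3: de-encode only exact, attribute-free matches of allowed tags.
        // Text the user typed as "&lt;b&gt;" was encoded to "&amp;lt;b&amp;gt;"
        // and therefore does not match.
        string restored = AllowedTag.Replace(encoded,
            m => "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
        return LineBreak.Replace(restored, "<br />");
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input, kept exactly as the user typed it (step 1).
        string stored = "<p>Hello <b>world</b></p><script>alert(1)</script>" +
                        "<b onclick=\"alert(2)\">x</b><img src=x onerror=alert(3)>";

        // <p> and <b> come back as markup; <script>, the <b> carrying onclick
        // and <img> stay encoded and are displayed as text.
        Console.WriteLine(SafeHtml.Render(stored));
    }
}
```

The sketch does not balance tags, so an unclosed allowed tag can still disturb page layout, and allowing attributes such as href would need per-attribute value checks that are not shown here.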