I have created a website based on

SQL Server 2014
C# (ASP.NET)
Javascript and jQuery

The user can store information within a textbox on my site. To prevent injection, I can encode / decode special characters. The user should be able to submit code like the one below, but the code should not be executed. So far so good.

<script type="text/javascript">
    $(document).ready(function () {
        console.log('uuuuups.....');
    });
</script>

This code will be stored as is in the database (without encoding first). Now I would like to offer CKEditor to my users and give them the ability to use the code plugin. The code plugin itself creates the following code:

<pre class="brush:jscript;">
&lt;script type=&quot;text/javascript&quot;&gt;
    $(document).ready(function () {
        console.log(&#39;uuuuups....&#39;);
    });
&lt;/script&gt;</pre>

I have tried to replace characters within SQL like

replace(replace(@text, '<', '&lt;'), '>', '&gt;')

But this seems to break the code when I try to view it. My problem now is: how do I handle this? Do I have to encode twice? Every hint will be appreciated.

MattOpen
  • You may think about something like Sanitize HTML: https://github.com/gbirke/Sanitize.js for example – Steffomio Jun 03 '16 at 07:31
  • [CKEditor is escaping html elements](http://stackoverflow.com/questions/12700383/ckeditor-is-escaping-html-elements) – Y.B. Jun 03 '16 at 08:14

1 Answer

I am using CKEditor in my web site, and I face the same issue; it is about JavaScript injection and how to prevent it without disrupting the view. Try, on your server side, to parse the "<script ...>javascript code ...</script>" and clear it. I think it is not difficult to find this tag in ASP.NET or in PHP.

Good luck
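An added example in JavaScript (not code from the question, the answer, or CKEditor) that models the three strings in this thread: the raw textbox submission, the entity-encoded <pre> block the CKEditor code plugin emits, and the SQL REPLACE from the question. It shows that one HTML-encode at output time neutralises the plain submission, that the code-plugin output already carries its own encoding so a second pass (the SQL REPLACE, or a full encode) is exactly what breaks the view, and it includes the kind of script-element check the answer proposes. The encoder, the browser-view model and the check function are assumptions written for this example; all inputs are constructed.

```javascript
// Added example (not from the question, the answer, or CKEditor): models the
// strings in the thread and shows what each encoding choice does to them.
// Everything below is constructed for illustration.

// HTML-encode the five characters that matter in HTML text/attribute context.
// Applied exactly once, at output time, this keeps a plain textbox submission
// from being executed.
function encodeForHtmlText(s) {
  return s
    .replace(/&/g, '&amp;')   // first, so existing entities get re-encoded only once
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Mirrors the SQL REPLACE from the question: only '<' and '>' are touched.
function sqlStyleReplace(s) {
  return s.replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Rough model of what a browser shows for a markup string: element tags are
// dropped and the entities in text nodes are decoded ('&amp;' last).
function visibleText(html) {
  return html
    .replace(/<[^>]+>/g, '')
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, '&')
    .trim();
}

// The kind of server-side check the answer suggests: is there an actual
// <script> element in the markup, as opposed to its entity-encoded form?
function containsScriptElement(html) {
  return /<script\b/i.test(html);
}

// Constructed inputs mirroring the question.
const rawSubmission =
  '<script type="text/javascript">console.log("uuuuups");</script>';

const ckeditorOutput = [
  '<pre class="brush:jscript;">',
  '&lt;script type=&quot;text/javascript&quot;&gt;',
  '    console.log(&#39;uuuuups....&#39;);',
  '&lt;/script&gt;</pre>',
].join('\n');

// Plain textbox: store raw, encode once on output. No live script element
// remains, and the reader sees exactly what was typed.
const plainRendered = encodeForHtmlText(rawSubmission);

// CKEditor code plugin: the code is already entity-encoded inside <pre>.
// Running the SQL REPLACE over it encodes the <pre> wrapper too, so the
// reader sees the literal text '<pre class="brush:jscript;">' on the page.
const sqlDamaged = sqlStyleReplace(ckeditorOutput);

// A full second encode is worse: '&lt;' becomes '&amp;lt;', which displays
// as the literal characters '&lt;' instead of '<'.
const doubleEncoded = encodeForHtmlText(ckeditorOutput);

console.log('raw has script element      :', containsScriptElement(rawSubmission));
console.log('encoded has script element  :', containsScriptElement(plainRendered));
console.log('ckeditor has script element :', containsScriptElement(ckeditorOutput));
console.log('reader sees (ckeditor)      :\n' + visibleText(ckeditorOutput));
console.log('reader sees (sql replace)   :\n' + visibleText(sqlDamaged));
console.log('reader sees (double encode) :\n' + visibleText(doubleEncoded));
```

Run it with node. The check only answers whether a literal <script> element is present; the rest of the HTML that CKEditor produces still has to pass an allowlist sanitizer, as the comments on the question suggest, because encoding that HTML would also destroy the markup the editor is meant to deliver.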