
I have built a chat program for our website. Part of the program allows a web page comment area for chatting about the page.

So there is a text input: text is entered and redisplayed on the page.
Obviously that is potentially risky.

So, in order to make a text string input safe for redisplay on a web page, can I just disallow the < and > chars and their encoded XML and hex equivalents?

Without script tags is there any other potential attack vector that can be embedded in a text string?

wingyip

1 Answer


You wouldn't actually need to disallow these characters; you can just escape them (e.g. > becomes &gt; and so on). This would safely convert all HTML into readable text. Remember it's not only script tags: you can also do things like <span onmouseOver="javascript here">, you could also load images which could exploit browser weaknesses, you could add iframes that display malicious content, and so on. So HTML-escaping the whole string is probably the safest option.

The OWASP project has some C# libraries which you could use for your purposes. https://www.owasp.org/index.php/.NET_AntiXSS_Library

Jan Thomä
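An added example (not code from either poster, and in JavaScript rather than the C# the question implies) contrasting the "disallow < and >" filter the question proposes with escaping every HTML-significant character as the answer recommends; the names `escapeHtml`, `naiveFilter` and `renderComment` and the sample comments are constructed for this illustration.

```javascript
// Escaping (not rejecting) user text for redisplay in HTML: the five
// characters that can change meaning in text or quoted-attribute context.
const HTML_ESCAPES = {
  '&': '&amp;',  // escaped first so typed entities like &lt; stay literal text
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

function escapeHtml(text) {
  return String(text).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// The filter proposed in the question: reject any input containing < or >
// in raw, entity-encoded or percent-encoded form. Returns null when rejected.
// Note what it does NOT cover: a plain double quote, which is harmless in
// text but terminates a quoted attribute value.
function naiveFilter(text) {
  const angle = /<|>|&lt;|&gt;|&#0*6[02];|&#x0*3[ce];|%3[ce]/i;
  return angle.test(text) ? null : text;
}

// Render a comment with the author in an attribute and the body in text.
// Both positions are escaped, so neither can break out of its context.
function renderComment(author, body) {
  return `<div class="comment" data-author="${escapeHtml(author)}">` +
         `<p>${escapeHtml(body)}</p></div>`;
}

// Constructed sample input, including the answer's own onmouseOver case.
const SAMPLE_BODY = '<span onmouseOver="javascript here">hello</span>';
const SAMPLE_AUTHOR = 'He said "hi"';   // no angle brackets: passes naiveFilter

console.log(naiveFilter(SAMPLE_BODY));             // null (rejected outright)
console.log(naiveFilter(SAMPLE_AUTHOR));           // unchanged, quote intact
console.log(renderComment(SAMPLE_AUTHOR, SAMPLE_BODY));
```

Escaped output displays the markup literally while keeping the comment, and a typed `&lt;b&gt;` is shown as those characters rather than rendered as a tag.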