0

I'm looking for some guidance\back practice, etc on a project i'm currently working on.

The site has a form, which allows the user to create an email template. The email template is simply a text area with a wysiwyg editor (bootstrap-wysihtml5).

So the text area will have basic html tags so the user can format the look of the email.

My question is : What is the best\safest way to handle posting back the HTML from the text area to avoid any script attacks, etc?

If its any help i do have a whitelist of HTML tags for the emails.

tereško
  • 58,060
  • 25
  • 98
  • 150
user2859298
  • 1,373
  • 3
  • 13
  • 28
  • 2
    Possible dup of [How to save HTML to database and retrieve it properly](http://stackoverflow.com/questions/21662766/how-to-save-html-to-database-and-retrieve-it-properly) answer's by Darin Dmitrov so you know it's good! – user1477388 Aug 29 '14 at 14:37
  • 1
    Have a read of http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/ and look at the workaround that uses HTMLAgility pack and AntiXss to provide a good solution. – Paul Zahra Aug 29 '14 at 14:47

2 Answers2

1

Assuming email templates will be created a authorized interal users.

use [AllowHtml] attribute for the Model property of your TextArea field. That shoul dbe good enough for your requirement.

HaBo
  • 13,999
  • 36
  • 114
  • 206
1

If you're worried about safety than do one of these 2 things:

  • Allow a Whitelist of tags and limit the UI. Again, this will be lot of work and lot of XSS testing.
  • Or accept markdown formatting and convert markdown to HTML on your server

For second option, you can use http://kevo.io/pagedown-bootstrap/ or any such markdown aware editor. The toolbar can help users who are unaware of markdown syntax.

Mrchief
  • 75,126
  • 20
  • 142
  • 189