1

I'm using some regex to sanitize tags from text

using System.Text.RegularExpressions;

// Pattern is meant to match a whole tag, allowing quoted attribute values to contain '>'.
static string Pattern = "<(?:[^>=]|='[^']*'|=\"[^\"]*\"|=[^'\"][^\\s>]*)*>";

// Removes everything Pattern matches and returns the remaining text.
public static string StripHtml(string Value)
{
    return Regex.Replace(Value, Pattern, string.Empty);
}

Although this seems pretty secure, I'm wondering if it really is? Is there a way to execute XSS without using tags?

Would it be better to use a markdown editor, or is that still going to have similar issues because they allow tags as well?

Or should I just manually parse the tags I want and allow them to put whatever?

johnny 5

  • Markdown does **not** protect against XSS (even with raw HTML disabled). See this: https://michelf.ca/blog/2010/markdown-and-xss/ – Waylan Feb 16 '16 at 18:12
  • Do you account for every situation listed here: https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet – Waylan Feb 16 '16 at 18:37
  • @Waylan the regex is definitely insecure; there should be a way to still inject. I'm just trying to figure out the best way to prevent it. – johnny 5 Feb 17 '16 at 15:05

2 Answers

2

You didn't specify which language of ESAPI you're using, but regex is 100% the wrong solution to implement if you need to accept HTML into your application. This is because HTML is a context free language and regular expressions cannot parse it.

You want something like OWASP's HTML Sanitizer or, although it hasn't been updated in some time, AntiSamy. This is backed by an actual HTML parser, and allows you to specify legal tags and THEN specify regexes for legal content within them.

Also note, it is much more important for you to make sure your application has successfully implemented output-escaping before you worry about HTML sanitation. You can ignore XSS validation entirely if you properly escape for every context. (The reverse is not true.)

avgvstvs

  • It's also recommended to implement a [Content Security Policy (CSP)](http://www.html5rocks.com/en/tutorials/security/content-security-policy/) to prevent any new sequences that break your sanitiser from executing. – SilverlightFox Feb 17 '16 at 08:49
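As an added example (not code from the question or from either answer), this shows the context-specific output encoding the answer above puts ahead of sanitisation: the same untrusted value placed in an HTML body, a quoted attribute and a JavaScript string literal, each through the encoder for that context. It assumes the `System.Text.Encodings.Web` package; `RenderProfile` and the sample input are constructed for illustration.

```csharp
using System;
using System.Text.Encodings.Web;

static class OutputEncodingDemo
{
    // Builds one HTML fragment that places the same untrusted value into three
    // different contexts, each with the encoder that is correct for that context.
    // No tag stripping is done: the data is rendered inert, not filtered.
    public static string RenderProfile(string untrustedName)
    {
        // 1. HTML body context: &, <, >, " and ' become character references,
        //    so the browser shows them as text instead of parsing them as markup.
        string inBody = HtmlEncoder.Default.Encode(untrustedName);

        // 2. Quoted HTML attribute context: the HTML encoder is also correct here,
        //    but only because the attribute value is quoted in the template below.
        //    An unquoted attribute would need a far stricter rule.
        string inAttribute = HtmlEncoder.Default.Encode(untrustedName);

        // 3. JavaScript string literal inside <script>: \uXXXX escaping of quotes,
        //    backslashes, '<' and '&' so the value can neither end the string
        //    literal nor close the <script> element.
        string inScript = JavaScriptEncoder.Default.Encode(untrustedName);

        return
            "<h1>Hello, " + inBody + "</h1>\n" +
            "<input type=\"text\" value=\"" + inAttribute + "\">\n" +
            "<script>var displayName = \"" + inScript + "\";</script>";
    }

    static void Main()
    {
        // Constructed sample input with HTML- and JavaScript-significant characters.
        string sample = "O'Neil <i>\"Tom\" & Jerry</i>";
        Console.WriteLine(RenderProfile(sample));
    }
}
```

The HTML contexts print `&lt;i&gt;` and `&quot;`, while the script context prints `\u003Ci\u003E` and `\u0022`; using the HTML encoder inside the `<script>` block, or the JavaScript encoder in the body, is the classic mismatch that leaves one context unprotected.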
1

You can use ESAPI; it will help you to prevent XSS as well as other security vulnerabilities. Some validations are already there, and regexes are also defined for them. But if you want your own customized regex, then you have to define it explicitly.

ManthanB