
I am using a DevExpress HTMLEditor to create a page that can edit HTML.

When I attempt to submit content that includes HTML tags, it throws the following error:

Content Submitted

<div>Hello World</div>

Error

A potentially dangerous Request.Form value was detected from the client.
  1. My understanding is that this error is in place to help prevent an XSS attack. However, I am under the impression that XSS attacks require the use of JavaScript or SQL. Is there any circumstance where pure HTML can be used for such an attack?

  2. What is the best way of allowing HTML tags to be submitted but disallowing JavaScript, SQL or anything else that actually has the potential of being dangerous?

William
  • Depending on what you are doing with the content, HTML can also be dangerous. A malicious user could, for example, upload a form that asks for login details and posts to a server under their control. No need for JS – Jay Apr 18 '16 at 14:22
  • The struggle: first, either use a Markdown editor or a markup editor, which will allow rich text in your submissions, which I'm assuming you desire. Then, sanitize your submissions, removing any XSS attacks using some HTML sanitizer. Then, put in a Content Security Policy, which will whitelist all of your API calls so even if someone does manage to XSS they won't be able to do much – johnny 5 Apr 18 '16 at 14:22
  • have a look at this answer, which explains how to only filter XSS: http://stackoverflow.com/a/3368769/1682450 – Jay Apr 18 '16 at 14:22
  • try to add [ValidateInput(false)] attribute to your action method. – MNF Apr 18 '16 at 14:43
  • I strongly advise abandoning HTML creation. Support markdown creation instead. Normal users want nothing to do with html, they just want a means to drop some text and images on a webpage, things that markdown does beautifully. – Chris Marisic Apr 18 '16 at 16:10

1 Answer


You can decorate the ViewModel property to which you want to bind your HTML content with [AllowHtml]. This is better than suppressing the validation of the whole request by attributing the controller action with [ValidateInput(false)].

But this will also allow JS code. A solution could be to allow HTML, and then validate the content to check whether it is pure HTML, e.g. by implementing IValidatableObject on your ViewModel. You should be safe until you try to persist or render the user provided content.

Georg Patscheider
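An added example, not code from the answer or from DevExpress, of the approach the answer sketches: `[AllowHtml]` on the one property that carries the editor output, plus an `IValidatableObject` check that parses the submitted HTML and rejects anything outside an allow-list of tags, attributes and URL schemes. It also covers Jay's comment above: `<form>` is deliberately absent from the allow-list, so a login-stealing form built from pure HTML is rejected even though it contains no script. It assumes ASP.NET MVC 5 (`System.Web.Mvc`) and the HtmlAgilityPack NuGet package; the class names and the tag and attribute lists are hypothetical and should be trimmed to what your editor actually emits.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Net;
using System.Text.RegularExpressions;
using System.Web.Mvc;      // [AllowHtml] (ASP.NET MVC 3+); not present in ASP.NET Core
using HtmlAgilityPack;     // NuGet: HtmlAgilityPack (assumed available)

// Hypothetical ViewModel bound to the DevExpress HTML editor's POST.
public class HtmlContentViewModel : IValidatableObject
{
    // Opt this one property out of request validation; every other field
    // in the request is still checked, unlike [ValidateInput(false)].
    [AllowHtml]
    [Required]
    public string Content { get; set; }

    public IEnumerable<ValidationResult> Validate(ValidationContext validationContext)
    {
        foreach (var problem in HtmlAllowList.FindViolations(Content))
            yield return new ValidationResult(problem, new[] { nameof(Content) });
    }
}

public static class HtmlAllowList
{
    // Allow-list, not a deny-list: <script>, <iframe>, <object>, <embed>, <style>,
    // <meta>, <base>, <link> and <form> are rejected simply by not being listed.
    // <form> is left out on purpose: a plain HTML form posting credentials to an
    // attacker's server needs no JavaScript at all.
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "p", "div", "span", "br", "b", "i", "u", "strong", "em", "blockquote", "pre", "code",
        "ul", "ol", "li", "h1", "h2", "h3", "a", "img", "table", "thead", "tbody", "tr", "td", "th"
    };

    // No "style" (CSS can load remote resources) and no on* handlers (checked separately).
    static readonly HashSet<string> AllowedAttributes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "href", "src", "alt", "title", "class"
    };

    // Only these schemes may appear in href/src; javascript:, data: and vbscript: fail.
    static readonly HashSet<string> AllowedSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
    {
        "http", "https", "mailto"
    };

    static readonly Regex SchemeRegex = new Regex(@"^([a-zA-Z][a-zA-Z0-9+.\-]*):", RegexOptions.Compiled);

    // Returns one message per violation; an empty sequence means the HTML is allowed.
    public static IEnumerable<string> FindViolations(string html)
    {
        if (string.IsNullOrEmpty(html)) yield break;

        var doc = new HtmlDocument();
        doc.LoadHtml(html);

        foreach (var node in doc.DocumentNode.Descendants())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                yield return "HTML comments are not allowed.";
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element) continue;

            if (!AllowedTags.Contains(node.Name))
            {
                yield return $"Tag <{node.Name}> is not allowed.";
                continue;
            }

            foreach (var attr in node.Attributes)
            {
                // onclick, onerror, onload, ... run script without any <script> tag.
                if (attr.Name.StartsWith("on", StringComparison.OrdinalIgnoreCase))
                {
                    yield return $"Event handler attribute '{attr.Name}' on <{node.Name}> is not allowed.";
                    continue;
                }
                if (!AllowedAttributes.Contains(attr.Name))
                {
                    yield return $"Attribute '{attr.Name}' on <{node.Name}> is not allowed.";
                    continue;
                }
                bool isUrl = attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase)
                          || attr.Name.Equals("src", StringComparison.OrdinalIgnoreCase);
                if (isUrl && !HasAllowedScheme(attr.Value))
                    yield return $"URL '{attr.Value}' in <{node.Name} {attr.Name}> uses a disallowed scheme.";
            }
        }
    }

    static bool HasAllowedScheme(string url)
    {
        // Decode entities and drop control/whitespace characters that browsers ignore,
        // so "&#106;avascript:" and "java\tscript:" are both seen as "javascript:".
        var cleaned = new string(WebUtility.HtmlDecode(url ?? string.Empty)
            .Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray());

        var m = SchemeRegex.Match(cleaned);
        if (!m.Success) return true;                 // relative URL, no scheme at all
        return AllowedSchemes.Contains(m.Groups[1].Value);
    }
}
```

With this in place, `<div>Hello World</div>` from the question validates cleanly, while `<img src=x onerror=alert(1)>`, `<a href="javascript:alert(1)">` and `<form action="https://attacker.example/login">` each produce a `ModelState` error instead of being stored. Note that this rejects input rather than cleaning it; if you would rather silently strip bad markup, run a sanitizer library over the content instead and store its output. Either way, render the stored HTML with `Html.Raw` only for this field, keep the default encoding everywhere else, and add a Content Security Policy as a second line of defence. ASP.NET Core has neither request validation nor `[AllowHtml]`, so there the parse-and-check step is the only one that applies.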