How do you resolve this Xss from Stackoverflow?
Viewed 1.1k times
2
I didn't do anything... have a look at http://stackoverflow.com/questions/2425328/what-is-the-waybest-practice-to-deal-with-xss – Felix Kling Nov 19 '10 at 21:45
I didn't. Jeff Atwood and Joel Spolsky did. – darioo Nov 19 '10 at 21:45
I'm just trying to understand how SO solves this problem, but I received the answer sooner than I found the logic. I assume they use the escape() JavaScript function to avoid the ASP.NET exception for dangerous form text, and then use UrlDecode with HtmlEncode to present the text in a safe manner. Thanks anyway, you are faster than people used to say. – cyberdantes Nov 19 '10 at 21:53
2 Answers
3
The output is HTML encoded.
All HTML entities are replaced with their escaped characters, for example "<" is replaced by &lt;.
More info on Wikipedia along with a list of HTML characters: http://en.wikipedia.org/wiki/Character_encodings_in_HTML

alexn
http://www.htmlescape.net/htmlescape_tool.html here's a tool that illustrates exactly that. – charisis Nov 19 '10 at 21:48
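To make the answer concrete, here is an added example of what "the output is HTML encoded" means in practice. It is not Stack Overflow's code; the encoder covers the five characters that matter in HTML text and double-quoted attribute values, the sample title and the `renderTitle`/`renderLink` helpers are constructed for this illustration, and the real page's markup is assumed to look nothing like them.

```javascript
// Added example (not Stack Overflow's code): untrusted text is stored as-is
// and encoded at the moment it is written into an HTML body or a double-quoted
// attribute, so the browser shows the characters instead of parsing them.

const HTML_ESCAPES = {
  "&": "&amp;",   // the entity introducer itself must be encoded
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

// Encode the five characters that are significant in HTML text and attributes.
function htmlEncode(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Inverse, used only to show that encoding preserves the original text.
// "&amp;" is decoded last so that a literal "&lt;" in the input survives.
function htmlDecode(encoded) {
  return String(encoded)
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&#39;/g, "'")
    .replace(/&amp;/g, "&");
}

// Constructed sample title in the spirit of this question (not the real one).
const sampleTitle =
  "How do you resolve this <script>alert(1)</script> from Stackoverflow?";

// HTML body context: the title becomes text inside the heading.
function renderTitle(title) {
  return `<h1 class="question-title">${htmlEncode(title)}</h1>`;
}

// Double-quoted attribute context: the same encoder prevents quote break-out.
function renderLink(label) {
  const safe = htmlEncode(label);
  return `<a href="/questions" title="${safe}">${safe}</a>`;
}

// Helper for checking the attribute case: pull the title="..." value out.
function titleAttribute(markup) {
  const m = /title="([^"]*)"/.exec(markup);
  return m ? m[1] : null;
}

console.log(renderTitle(sampleTitle));
console.log(renderLink('" onmouseover="alert(1)'));
```

Output encoding is context-specific: this encoder is correct for HTML body text and quoted attribute values, but text placed inside a `<script>` block, a URL, or CSS needs that context's own encoding. Note also that JavaScript's `escape()` produces percent-encoding for URL-like contexts, not HTML entities.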
0
Jeff actually posted his Sanitizer on RefactorMyCode.com
You can see it here. It may not be the final version they're currently using, but it will show you the basics of how it works.

Brandon
That sanitizer strips non-whitelisted tags from the input. That can't be the case with this question title, which has been HTML-encoded to preserve the original output. – Max Nanasy Dec 06 '12 at 03:05
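For contrast with output encoding, here is an added example of the allow-list approach the comment above describes, where tags not on a list are stripped. It is an illustration written for this page, not the RefactorMyCode sanitizer; the tag list, the regex-based tokenizer and the choice to drop every attribute are assumptions, and the sample input is constructed.

```javascript
// Added example (not Jeff Atwood's sanitizer): a minimal allow-list tag
// sanitizer. Tags on the list are kept with all attributes removed; every other
// tag is dropped; "<" and ">" in the text between tags are encoded. A real
// sanitizer uses an HTML parser rather than a regex; this only shows the idea.

const ALLOWED_TAGS = new Set([
  "b", "i", "strong", "em", "code", "pre", "p", "br",
  "ul", "ol", "li", "blockquote",
]);

// Text nodes: neutralise anything that could open or close a tag. "&" is left
// alone on the assumption that the input is already HTML with valid entities.
function encodeText(text) {
  return text.replace(/</g, "&lt;").replace(/>/g, "&gt;");
}

function sanitizeHtml(html) {
  // A tag is "<", optional "/", a name, anything up to the next ">".
  const tagRe = /<\/?([a-zA-Z][a-zA-Z0-9]*)[^>]*>/g;
  let out = "";
  let last = 0;
  let m;
  while ((m = tagRe.exec(html)) !== null) {
    out += encodeText(html.slice(last, m.index));
    const name = m[1].toLowerCase();
    const closing = m[0].charAt(1) === "/";
    if (ALLOWED_TAGS.has(name)) {
      // Re-emit a bare tag so attributes such as onmouseover never survive.
      out += closing ? `</${name}>` : `<${name}>`;
    }
    // Disallowed tags (script, a, img, ...) are dropped with their attributes,
    // which is the stripping behaviour described above: the text is changed.
    last = tagRe.lastIndex;
  }
  out += encodeText(html.slice(last));
  return out;
}

// Constructed sample title in the spirit of this question (not the real one).
const sampleTitle =
  "How do you resolve this <script>alert(1)</script> from Stackoverflow?";

console.log(sanitizeHtml(sampleTitle));
console.log(sanitizeHtml('<b onmouseover="alert(1)">bold</b> <a href="javascript:alert(1)">link</a> 1 < 2'));
```

Run on the sample title, the sanitizer returns "How do you resolve this alert(1) from Stackoverflow?": the script tag is gone from the stored text, whereas HTML encoding would have kept the original title intact and merely displayed it as text. That difference is why an allow-list sanitizer suits user-authored HTML (post bodies) and encoding suits plain text fields (titles).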