
I have a markdown textarea (just like stackoverflow) and I want to allow code samples like this:

<script>alert('Hello world')</script>

as well as basic html formatting like <b>bold text</b>: bold text.

How to do validation and encoding so that it will prevent XSS attacks but also allow scenarios above?

I know there is HTML Sanitizer, but it probably won't work with markdown formatting by default.

Liero
  • Possible duplicate of [HTML Sanitizer for .NET](https://stackoverflow.com/questions/341872/html-sanitizer-for-net) – fgb Dec 29 '17 at 16:54
  • Regex replace the script tags with HTML entities substituted for the `<` and `>` characters (i.e. `&lt;` and `&gt;`). – Chris Pratt Dec 29 '17 at 19:43
  • Read [Markdown and XSS](https://michelf.ca/blog/2010/markdown-and-xss/) for an overview of the only correct way to sanitize Markdown (sanitize the HTML output), then use an HTML sanitizer as you mention in your question. – Waylan Jan 01 '18 at 20:41
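The pipeline Waylan's comment points to (render the Markdown to HTML first, then run an allowlist sanitizer over the rendered HTML, never over the Markdown source) as an added example that is not from the question or any commenter, written in Python rather than .NET; the tiny `render_markdown` renderer and the `AllowlistSanitizer` class are illustrative stand-ins for a real Markdown library and a real HTML sanitizer such as the one linked above, and the sample input is constructed.

```python
import html
import re
from html.parser import HTMLParser

# Step 1: a deliberately minimal Markdown renderer (fenced blocks and inline
# code only). Code-span contents are HTML-escaped, so "<script>" typed inside
# backticks becomes visible text; everything else passes through as raw HTML.
FENCE = re.compile(r"```[^\n]*\n(.*?)\n```", re.S)
INLINE_CODE = re.compile(r"`([^`\n]+)`")

def render_markdown(md: str) -> str:
    out = FENCE.sub(lambda m: f"<pre><code>{html.escape(m.group(1))}</code></pre>", md)
    return INLINE_CODE.sub(lambda m: f"<code>{html.escape(m.group(1))}</code>", out)

# Step 2: an allowlist sanitizer applied to the *rendered HTML*. Tags outside
# the allowlist are dropped but their text is kept, script/style bodies are
# discarded, and no attributes survive, so event handlers never reach a browser.
ALLOWED_TAGS = {"p", "b", "strong", "i", "em", "code", "pre", "br"}
VOID_TAGS = {"br"}
DROP_CONTENT = {"script", "style"}

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded in handle_data
        self.out, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self._skip += 1
        elif not self._skip and tag in ALLOWED_TAGS:
            self.out.append(f"<{tag}>")  # attributes intentionally discarded

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self._skip = max(0, self._skip - 1)
        elif not self._skip and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self._skip:
            self.out.append(html.escape(data))  # re-escape every text node on output

def sanitize_html(fragment: str) -> str:
    p = AllowlistSanitizer()
    p.feed(fragment)
    p.close()
    return "".join(p.out)

def render_safely(md: str) -> str:
    # Markdown -> HTML -> sanitized HTML: the order that keeps code samples intact.
    return sanitize_html(render_markdown(md))
```

With this order, a fenced block containing `<script>alert('Hello world')</script>` is shown as escaped text, `<b>bold text</b>` written as inline HTML survives, and a raw `<script>` element in the post body is removed together with its contents.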
