
So, in a section of an ASP.NET MVC2 app, I have to allow HTML input from a typical rich textbox. So, I added an attribute on the controller method to turn off MVC's brute-force input validation.

But now, what do I do to prevent XSS attacks? So far, I have looked and found:

  • AntiXSS: looks good, but the whitelist seems to not be editable. Also, I am having issues getting it to work, for some reason. After adding the reference to the dll, the compiler still sees a missing assembly.
  • Antisamy: allows configuration of a whitelist, but the last time the .NET version was updated was in 2009. That doesn't inspire confidence in security software.

What else? Are there other libraries for cleaning up HTML-containing input such that it is easy to configure allowable tags?

alphadogg
    Are you allowed to upgrade to ASP.NET MVC 3? If so you can utilize the AllowHtml attribute. – amurra Feb 10 '11 at 03:09
  • That just turns off the brute-force by field instead of by method. But, assuming you let that one field in unchecked, what then? – alphadogg Feb 21 '11 at 22:19

1 Answer


You might consider using an HTML parser, walking the parse tree and eliminating tags/attributes that are harmful. You would have full control of what was allowed. According to this question, HTMLAgilityPack is the best for C#.

tsupe
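As an added illustration of the approach the answer describes (this is not code from the answer or from the HtmlAgilityPack project), a whitelist sanitizer that walks the HtmlAgilityPack parse tree: every element and attribute must be explicitly allowed, unknown elements are unwrapped (script/style are dropped with their content) and `href` values are restricted to a few safe schemes. The allowed tag/attribute set and the `SafeUrl` scheme check are assumed example policy, to be adjusted for the rich textbox in question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using HtmlAgilityPack;
// Whitelist sanitizer over an HtmlAgilityPack parse tree: allow explicitly, remove everything else.
public static class HtmlWhitelist
{
    static HashSet<string> Set(params string[] n) { return new HashSet<string>(n, StringComparer.OrdinalIgnoreCase); }
    // Illustrative (assumed) policy: allowed element -> attributes that may survive on it.
    static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "p", Set() }, { "b", Set() }, { "i", Set() }, { "br", Set() },
            { "ul", Set() }, { "ol", Set() }, { "li", Set() }, { "a", Set("href") },
        };
    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument(); doc.LoadHtml(html);
        Clean(doc.DocumentNode); return doc.DocumentNode.InnerHtml;
    }
    static void Clean(HtmlNode parent)
    {
        foreach (var child in parent.ChildNodes.ToList()) // snapshot: the tree is mutated below
        {
            if (child.NodeType == HtmlNodeType.Comment) { child.Remove(); continue; }
            if (child.NodeType != HtmlNodeType.Element) continue; // text nodes stay as written
            Clean(child); // recurse first, so children promoted by the unwrap below are already clean
            HashSet<string> okAttrs;
            if (!Allowed.TryGetValue(child.Name, out okAttrs))
            {
                // Disallowed tag: unwrap it and keep its text, except script/style whose content goes too.
                bool rawText = child.Name.Equals("script", StringComparison.OrdinalIgnoreCase) || child.Name.Equals("style", StringComparison.OrdinalIgnoreCase);
                parent.RemoveChild(child, !rawText);
                continue;
            }
            foreach (var attr in child.Attributes.ToList())
                if (!okAttrs.Contains(attr.Name) || (attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase) && !SafeUrl(attr.Value)))
                    attr.Remove();
        }
    }
    // Allow relative URLs and http/https/mailto only; decode entities and strip whitespace/control characters first.
    static bool SafeUrl(string raw)
    {
        var v = new string(HttpUtility.HtmlDecode(raw).Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray());
        int colon = v.IndexOf(':'), stop = v.IndexOfAny(new[] { '/', '?', '#' });
        return colon < 0 || (stop >= 0 && stop < colon) // no scheme before the path: relative URL
            || new[] { "http", "https", "mailto" }.Contains(v.Substring(0, colon).ToLowerInvariant());
    }
}
```

Call `HtmlWhitelist.Sanitize(model.Body)` on the field you left unvalidated before storing it; the output is re-serialized from the parse tree, so fragments like `<b onmouseover=...>` come back as plain `<b>` and unknown elements are reduced to their text.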