
I have to render "User's" HTML as HTML.

"User" is an administrator, so it is kind of safe, but despite everything I'd want to prevent any xss-ish attack

I came up with an idea like this:

// blacklist approach: strip every occurrence of the word, then re-check
while (html.Contains("script"))
{
    html = html.Replace("script", "");
}

Why while? Because "scripscriptt" with "script" replaced by "" would still leave "script".

So, what are other key-words that have to be deleted?

img? Due to loading data from another server.

iframe?

button?

href?

Overall I want to delete dangerous markup, but I do not want to delete safe things like table, <b>, <div> and the rest of the text formatting / page style markup.

Joelty
  • There are many, and it might be a good idea to do it on the server side with a battle-proof module. What is your backend's language? E.g. https://github.com/punkave/sanitize-html – CaKa Jan 21 '19 at 13:47
  • @CanK. Yeah, I want to do it on the server side - C# – Joelty Jan 21 '19 at 13:47
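The loop in the question is a blacklist, and the library suggested in the comment (sanitize-html) works the opposite way: it parses the HTML and keeps only an allowlist of tags and attributes, dropping everything else. The block below is an added example, not code from the question or from sanitize-html. It is written in Python on the standard library's HTMLParser so it runs without extra packages; the same structure carries over to C# on top of any HTML parser. The allowlists, the SAMPLE input and naive_strip_script (a transliteration of the question's loop, kept to show what it misses) are all constructed for this example.

```python
"""Allowlist HTML sanitizer on the standard-library HTMLParser (added example)."""
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed allowlists: "text formatting / page style" markup only.
ALLOWED_TAGS = {
    "a", "b", "i", "u", "em", "strong", "p", "br", "hr", "div", "span",
    "h1", "h2", "h3", "h4", "h5", "h6", "ul", "ol", "li", "pre", "code",
    "table", "thead", "tbody", "tr", "th", "td", "img", "blockquote",
}
VOID_TAGS = {"br", "hr", "img"}
# Elements whose *content* is dropped as well (text inside <script> is code,
# not prose). An unclosed one swallows the rest of the input, which fails safe.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "noscript"}
ALLOWED_ATTRS = {
    "a": {"href", "title"},
    "img": {"src", "alt", "width", "height"},
    "td": {"colspan", "rowspan"},
    "th": {"colspan", "rowspan"},
}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL


def url_is_safe(value: str) -> bool:
    """Allow a URL only if its scheme is on the allowlist."""
    # Browsers ignore control characters and whitespace inside a scheme, so
    # strip them before deciding; otherwise "java\nscript:" looks relative.
    probe = re.sub(r"[\x00-\x20\x7f]", "", value)
    return urlparse(probe).scheme.lower() in SAFE_SCHEMES


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)   # entities arrive decoded
        self.out = []
        self.skip_depth = 0      # > 0 while inside a DROP_WITH_CONTENT element

    def handle_starttag(self, tag, attrs):      # tag and attr names arrive lowercased
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return               # unknown tag (button, form, ...): drop it, keep its children
        kept = []
        allowed = ALLOWED_ATTRS.get(tag, set())
        for name, value in attrs:
            if name not in allowed or value is None:
                continue         # onclick=, onerror=, style=, ... never get here
            if name in URL_ATTRS and not url_is_safe(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in ALLOWED_TAGS or tag in VOID_TAGS:
            return
        self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))   # re-escape text, including decoded entities

    # Comments, <!DOCTYPE>, <?pi?> and unknown declarations carry nothing a page needs.
    def handle_comment(self, data): pass
    def handle_decl(self, decl): pass
    def handle_pi(self, data): pass
    def unknown_decl(self, data): pass


def sanitize(html: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)


def naive_strip_script(html: str) -> str:
    """The question's loop, transliterated: a case-sensitive, single-word blacklist."""
    while "script" in html:
        html = html.replace("script", "")
    return html


# Constructed sample touching each tag the question asks about.
SAMPLE = (
    '<div class="x"><b>Hi</b> <ScRiPt>alert(1)</ScRiPt>'
    '<a href="JavaScript:alert(2)">link</a>'
    '<a href="https://example.org/">ok</a>'
    '<button onclick="alert(3)">btn</button>'
    '<iframe src="https://example.org/"></iframe>'
    '<img src="x" onerror="alert(4)">'
    '<p>a &lt; b</p></div>'
)

if __name__ == "__main__":
    print(naive_strip_script(SAMPLE))   # unchanged: mixed case and attributes slip through
    print(sanitize(SAMPLE))
```

On SAMPLE the blacklist loop returns its input untouched, while the allowlist yields `<div><b>Hi</b> <a>link</a><a href="https://example.org/">ok</a>btn<img src="x"><p>a &lt; b</p></div>`. The img concern from the question (loading from another server) can be handled in the same place by tightening url_is_safe for the src attribute to relative URLs or to your own host.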

0 Answers