How can I check HTML input to prevent XSS?

For example, StackExchange renames a subset of HTML: https://meta.stackexchange.com/questions/1777/what-html-tags-are-allowed-on-stack-exchange-sites

How could you do this in your controller to make sure user input is safe?

+5
3 answers

This approach is not identical to StackExchange's, but I found the AntiXSS 4.x library to be an easy way to sanitize input and produce "safe" HTML.

http://www.microsoft.com/en-us/download/details.aspx?id=28589 , DOCX. - NuGet AntiXSS.

HtmlSanitizationLibrary, 4.x AntiXss. , GetSafeHtml() HtmlSanitizationLibrary Microsoft.Security.Application.Sanitizer.

content = Sanitizer.GetSafeHtml(userInput);


+2
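The answer above hands the work to AntiXSS's GetSafeHtml(). To make visible what an allowlist sanitizer of that kind actually does (keep a small set of tags, drop every other tag and attribute, refuse unsafe href schemes, re-escape all text), here is an added, self-contained Python illustration; it is not the AntiXSS library and not code from any answer, and the tag/attribute allowlist and the inputs in the test are constructed for this example.

```python
from html import escape
from html.parser import HTMLParser
# Constructed allowlist (an assumption for this example), in the spirit of the tag
# subset the question links to; any tag or attribute not listed here is dropped.
ALLOWED_TAGS = {"b", "i", "strong", "em", "p", "br", "code", "pre", "a", "ul", "ol", "li"}
ALLOWED_ATTRS = {"a": {"href"}}      # onclick, style, src, ... never survive
SAFE_SCHEMES = ("http://", "https://", "mailto:")
DROP_CONTENT = {"script", "style"}   # the tag AND its text content are discarded

class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open, self.skip = [], [], 0   # output, open-tag stack, script depth
    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
        elif not self.skip and tag in ALLOWED_TAGS:   # unknown tag vanishes, its text stays
            safe = []
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()) or value is None:
                    continue
                if name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                    continue                          # javascript:, data:, vbscript: dropped
                safe.append(f' {name}="{escape(value, quote=True)}"')
            self.out.append(f"<{tag}{''.join(safe)}>")
            if tag != "br":
                self.open.append(tag)
    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
        elif not self.skip and tag in self.open:
            while self.open:                          # close later-opened tags first
                closed = self.open.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))   # text is always re-escaped
    def result(self):
        self.close()
        while self.open:                              # close anything left open
            self.out.append(f"</{self.open.pop()}>")
        return "".join(self.out)

def sanitize_html(user_input: str) -> str:
    parser = AllowlistSanitizer()
    parser.feed(user_input)
    return parser.result()
```

Because the output is rebuilt from the allowlist rather than filtered with a blocklist, anything the parser does not recognise as an allowed tag becomes plain escaped text, which is the property that makes this safer than encoding everything (which would also destroy the formatting the user intended).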

JSoup, HTML . http://jsoup.org/ JSoup . DOM HTML .

, HTML-, XSS-, , , XSS, HTML. HTML , . HTML , , FORM, .

www.owasp.org, , XSS. - HTML- XSS.

0

ASP.NET HttpUtility.HtmlEncode() does this for you. But if you want to block dangerous scenarios, first do NOT paste it into your database. First clear the HTML text before pasting it into the database.

I found a class that will do this for you: http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/

It works great, and you can add new tags and attributes to the custom Sanitizer whitelist.

Note: the Microsoft Sanitizer and Anti-XSS library were not useful to me. Maybe you can also try them.

0