I don't know if I am doing this right.
This is the first time I have built something to prevent an attack on a page.
I will start from the bottom:
I have a property:
public string Description { get; set; }
The user can set its value through tinyMCE:
tinyMCE.init({
    mode: "textareas",
    theme: "advanced",
    encoding: "xml"...
In the controller, before I save this in the database, I do:
model.Description = HttpUtility.HtmlDecode(model.Description);
In the database I have a value like:
<p>bla bla bla</p>
I added the AntiXSS library to my project:
using System.IO;
using System.Web.Util;
using Microsoft.Security.Application;

public class AntiXssEncoder : HttpEncoder
{
    public AntiXssEncoder() { }

    protected override void HtmlEncode(string value, TextWriter output)
    {
        output.Write(Encoder.HtmlEncode(value)); // on a breakpoint the code always gets in here
    }
    ...
When I display data from the database I use:
@Html.Raw(Model.Place.Description)
And it works fine: I see only text, no HTML tags. Line breaks work fine. I can style text with bold, italic, etc.
But if I enter:
<script>alert(open to attack);</script>
I get an alert window.
I don't understand: do I need to do something more to prevent this?
"I added AntiXSS library to my project"
And where are you using it?
Make sure that you have not only added AntiXSS but you actually used it:
@Html.Raw(Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(Model.Place.Description))
But remember that the new version of the AntiXSS library is a bit too restrictive and will strip tags like <strong> and <br> out, which might not be desired.
As an alternative to the AntiXSS library you could use HTML Agility Pack to do this job. Rick Strahl blogged about a sample implementation.
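An allow-list sanitizer along the lines of the HTML Agility Pack alternative mentioned above, added here as an example; it is not code from the answer, from Rick Strahl's post or from the AntiXSS project, and the `HtmlFragmentSanitizer` name, the tag and attribute lists and the allowed URL schemes are assumptions. It keeps `<p>`, `<strong>` and `<br>` (which the answer says the newer AntiXSS strips) while removing `<script>`, event-handler attributes and `javascript:` links, which is what the question's `HtmlEncode` override never gets a chance to do once the view calls `@Html.Raw`.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack; // NuGet package HtmlAgilityPack (assumed installed)

public static class HtmlFragmentSanitizer
{
    // Allow-lists (assumption): the formatting tinyMCE produces and the asker wants to keep.
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "strong", "em", "b", "i", "u", "ul", "ol", "li", "a" };
    static readonly HashSet<string> AllowedAttrs = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "href" };
    static readonly HashSet<string> AllowedSchemes = new HashSet<string> { "http", "https", "mailto" };

    static HtmlFragmentSanitizer()
    {
        // Older HtmlAgilityPack builds flag <p> as an empty element, which would orphan its children.
        HtmlNode.ElementsFlags.Remove("p");
    }

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // ToList(): removing nodes while enumerating Descendants() would invalidate the iterator.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;

            if (!AllowedTags.Contains(node.Name))
            {
                node.Remove(); // drops <script>, <iframe>, <object>, ... together with their content
                continue;
            }
            foreach (var attr in node.Attributes.ToList())
            {
                // Everything not allow-listed goes: onclick/onerror handlers, style, id, class, ...
                if (!AllowedAttrs.Contains(attr.Name) || !IsSafeHref(attr.DeEntitizeValue))
                    attr.Remove();
            }
        }
        return doc.DocumentNode.InnerHtml;
    }

    // Browsers drop ASCII control characters before reading the scheme, so strip them before checking.
    static bool IsSafeHref(string value)
    {
        var cleaned = new string((value ?? string.Empty).Where(c => c > ' ').ToArray());
        if (!Uri.TryCreate(cleaned, UriKind.Absolute, out var uri)) return true; // relative URL
        return AllowedSchemes.Contains(uri.Scheme);
    }
}
```

Run `HtmlFragmentSanitizer.Sanitize(model.Description)` in the controller in place of the `HttpUtility.HtmlDecode` step and store the result; because `@Html.Raw` bypasses every `HttpEncoder`, this sanitizing pass is the only thing standing between the stored HTML and the browser.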