I am using the wysihtml5 editor to allow a user to post messages on an ASP.NET MVC4 discussion forum. These messages are stored in an MSSQL db and rendered to the screen with Razor syntax:
@Html.Raw(post.Html)
Although these users are authenticated, I wish to ensure that I will not be vulnerable to an injection attack such as the following:
User Posts:
<script>alert('Hacked:' + secretInformation)</script>
MVC renders an alert box with:
Hacked: ::secret info::
I have allowed the html to be stored in the db by setting in the controller:
[ValidateInput(false)]
What steps can I take to ensure that I am only rendering clean html code and not vulnerable to attack?
I have found a good solution here: AntiXss 4.2 Breaks everything
Thanks for the direction, Justin. Let's go, Microsoft, let's see a solution that doesn't devour ALL my tags!
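The question asks how to keep a user's formatting tags while dropping anything that can run script, and the follow-up notes that AntiXss 4.2 strips far more than that. An allow-list sanitizer is the usual answer: keep a short list of elements and attributes, remove everything else, and validate link URLs after entity-decoding them. The code below is an added example, not code from the original question, from wysihtml5 or from AntiXss; it assumes the HtmlAgilityPack NuGet package is installed, and the class name PostHtmlSanitizer, the tag list and the sample post are this example's own choices.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;
using HtmlAgilityPack;   // NuGet package "HtmlAgilityPack" (assumed installed)

// Allow-list HTML sanitizer for forum posts (hypothetical helper, not a library API).
// Anything not listed is removed, so new tags, attributes or on*-handlers
// never have to be added to a deny-list.
public static class PostHtmlSanitizer
{
    private static readonly HashSet<string> None = new HashSet<string>();

    // Element -> attributes permitted on it. Formatting tags carry no attributes at all:
    // style, id, class and every on* handler are gone with one rule.
    private static readonly Dictionary<string, HashSet<string>> AllowedTags =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        {
            { "p", None }, { "br", None }, { "b", None }, { "strong", None },
            { "i", None }, { "em", None }, { "u", None }, { "blockquote", None },
            { "ul", None }, { "ol", None }, { "li", None }, { "h1", None }, { "h2", None },
            { "a", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href" } },
        };

    // Elements whose whole subtree is dropped: their content is script, markup or
    // raw text that must never be re-emitted as HTML.
    private static readonly HashSet<string> DropWithContent =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "script", "style", "iframe", "object", "embed", "noscript", "svg", "math",
          "template", "textarea", "title", "xmp" };

    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string> { "http", "https", "mailto" };

    public static string Sanitize(string html)
    {
        if (string.IsNullOrEmpty(html)) return string.Empty;
        var doc = new HtmlDocument();
        doc.LoadHtml(html);
        CleanChildren(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    private static void CleanChildren(HtmlNode parent)
    {
        // Copy the list: the collection is mutated while we walk it.
        foreach (HtmlNode child in parent.ChildNodes.ToList())
        {
            if (child.NodeType == HtmlNodeType.Comment)
            {
                child.Remove();                     // also kills IE conditional comments
            }
            else if (child.NodeType == HtmlNodeType.Element)
            {
                if (DropWithContent.Contains(child.Name))
                {
                    child.Remove();
                }
                else if (!AllowedTags.ContainsKey(child.Name))
                {
                    CleanChildren(child);           // sanitize what we keep of it...
                    parent.RemoveChild(child, keepGrandChildren: true); // ...then unwrap <div>, <span>, <font>, <img> ...
                }
                else
                {
                    CleanAttributes(child);
                    CleanChildren(child);
                }
            }
            // Text nodes are kept as HtmlAgilityPack parsed them.
        }
    }

    private static void CleanAttributes(HtmlNode element)
    {
        HashSet<string> allowed = AllowedTags[element.Name];
        foreach (HtmlAttribute attr in element.Attributes.ToList())
        {
            if (!allowed.Contains(attr.Name)) { attr.Remove(); continue; }
            string safe = SafeUrl(attr.Value);      // only "href" survives the check above
            if (safe == null) attr.Remove(); else attr.Value = safe;
        }
        if (element.Name.Equals("a", StringComparison.OrdinalIgnoreCase) && element.Attributes["href"] != null)
            element.SetAttributeValue("rel", "nofollow noopener");
    }

    // Returns a normalised, safe URL or null. Entities are decoded before the scheme
    // check because the browser decodes them too: href="&#106;avascript:alert(1)" is a javascript: link.
    private static string SafeUrl(string raw)
    {
        if (raw == null) return null;
        string url = WebUtility.HtmlDecode(raw);
        // Browsers ignore ASCII control characters inside a scheme ("java\tscript:").
        url = new string(url.Where(c => c > 0x1F && c != 0x7F).ToArray()).Trim();

        if (url.StartsWith("/") && !url.StartsWith("//")) return Escape(url);   // site-relative link
        Uri uri;
        if (Uri.TryCreate(url, UriKind.Absolute, out uri) && AllowedSchemes.Contains(uri.Scheme))
            return Escape(uri.AbsoluteUri);
        return null;    // javascript:, vbscript:, data:, protocol-relative, garbage
    }

    // The value goes back into an attribute, so make sure it cannot close it.
    private static string Escape(string url)
    {
        return url.Replace("\"", "%22").Replace("'", "%27").Replace("<", "%3C").Replace(">", "%3E");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample post: the payload from the question plus a few bypass attempts.
        string posted = "<p onclick=\"alert(1)\">Hello <b>world</b></p>"
                      + "<script>alert('Hacked:' + secretInformation)</script>"
                      + "<a href=\"&#106;avascript:alert(1)\">click</a>"
                      + "<a href=\"https://example.com/?q=1\">ok</a>"
                      + "<img src=x onerror=alert(1)>";
        Console.WriteLine(PostHtmlSanitizer.Sanitize(posted));
    }
}
```

Call PostHtmlSanitizer.Sanitize in the [ValidateInput(false)] action before the post is saved, so the column only ever holds the cleaned fragment, and keep @Html.Raw for that one column alone; every other field goes through Razor's default encoding (@post.Title). The check has to live on the server: wysihtml5's own rule set runs in the browser and is bypassed by a crafted POST. If the allow-list is ever widened or narrowed later, re-run Sanitize over the stored posts rather than trusting what was cleaned under the old rules.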