Question

I want to protect my page when a user inputs the following:

<script type="text/javascript">
    alert("hi");
</script>

I'm using ShowDown:

jQuery.fn.markDown = function()
{
    return this.each(function() {
        var caller = this;
        var converter = new Showdown.converter();

        // Read the element's raw text (the user's markdown) ...
        var text = $(caller).text();
        // ... convert it to HTML with Showdown ...
        var html = converter.makeHtml(text);

        // ... and write the generated HTML back into the element.
        $(caller).html(html);
    });
};

Solution

One solution that could be effective would be to strip all the tags in the source or HTML-encode the tags before the text is transformed with Showdown.

For how to strip all the HTML tags, there are a couple of ways to do it that you can find in this question:

Strip HTML from Text JavaScript

For how to HTML-encode the tags, you can use this:

myString.replace(/</g, '&lt;').replace(/>/g, '&gt;');

Note: This will remove your ability to use HTML in Showdown.
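An added example (not from the question or the answer above) of the escape-before-convert approach: the escape step runs on the user's text before Showdown sees it, so the script tag from the question reaches the page as inert literal text. Showdown is not bundled, so `renderMarkdownSafely` takes any object with a `makeHtml(string)` method; `markDownSafe` and `SAMPLE_INPUT` are names assumed here.

```javascript
// Escape the characters that can open markup in HTML. '&' must go first:
// escaping it later would re-encode the '&' of the entities just produced.
function escapeHtml(text) {
  return String(text)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// `converter` is any object exposing makeHtml(string): a real
// `new Showdown.converter()` in the browser, or a stub in a test.
// Escaping first means inline HTML in the markdown is shown, not rendered.
function renderMarkdownSafely(converter, userText) {
  return converter.makeHtml(escapeHtml(userText));
}

// Constructed sample input: the payload from the question.
const SAMPLE_INPUT = '<script type="text/javascript">\n    alert("hi");\n</script>';

// The plugin from the question with the escape step inserted. Assumes jQuery
// and Showdown are loaded on the page; guarded so this file also loads in Node.
if (typeof jQuery !== 'undefined') {
  jQuery.fn.markDownSafe = function () {
    return this.each(function () {
      var converter = new Showdown.converter();
      jQuery(this).html(renderMarkdownSafely(converter, jQuery(this).text()));
    });
  };
}
```

Note that this still only protects the page on the client; text stored on the server must be escaped or sanitized again when it is rendered, since the submitted value can be spoofed.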

OTHER TIPS

If you want to sanitize HTML in .NET server-side code, I'd advise you to use the Microsoft Web Protection Library, after transforming the markup to HTML and before rendering it to the page, e.g. the following snippet:

// Verbatim string containing both harmless markup and a script block.
string x = @"<div>safe</div>
       <script type='text/javascript'>
         alert('hi');
       </script>";
// The sanitizer drops the script block and keeps the safe fragment.
return Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(x);

returns <div>safe</div>

http://wpl.codeplex.com/

The ShowDown page strips any javascript, so I don't know what you mean exactly. But you can't do this on the client. If this is never going to be submitted to the server, then it doesn't matter. However, 99% of the time, you want to store it on the server.

I think the best approach is to create a server side DOM object out of the html that is submitted (which could be spoofed and bypass ShowDown) and look for any script or other dangerous tags. This is not so simple!

The best compromise for me is to use a server-side markdown language (like https://github.com/charliesome/bbsharp) that you could then use to generate the HTML. You would then HTML-encode any HTML before passing it to the tool that converts the markdown to HTML.

I use HTML Purifier which works very well for filtering user input and is highly customizable.

I assume you can use it with MarkDown, although I never tried.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow