Question

I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, introduce XSS attack vulnerabilities. In my situation, we are working on a scholarship application process, and we had hoped to use this to allow all nominees to type up an Essay on-line. We wanted to take the data and re-display it to the review board, but obviously, this is a bad idea.

So I'm wondering if anyone knows of a simple way of validating the content to allow HTML, but not script, perhaps using a CustomValidator or a Regular Expression that I can use in the code-behind. I'm aware that it's better to do whitelist validation and not blacklist validation; I'm specifically looking for that.

Alternatively, if anyone is aware of a similar control that does protect against XSS attacks, that would be good, too.


Solution

The latest release of the AntiXSS library now does some HTML sanitisation which I think will do what you want. Have a look at Blowdart's blog on it here.

UPDATE 15 Sep 2015:
The AntiXSS library got rolled into the .NET 4.0 Framework; enable it in your .config file.
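The asker's observation that NoScript="true" still lets script through is the classic blacklist failure: stripping `<script>` tags does nothing about `onclick`/`onerror` handler attributes or `javascript:` URLs in an `href`. Below is an added example (not code from the question, the answer, or the AntiXSS library) of the whitelist approach the asker is after, written in Python with the standard library so it runs stand-alone rather than in the ASP.NET code-behind. The tag and attribute allowlists are constructed for the example; everything not listed is dropped, the content of `<script>`/`<style>` is discarded rather than just unwrapped, text is re-escaped on output, and `href` values are normalised the way a browser's URL parser would (leading controls and spaces stripped, embedded tab/newline removed) before their scheme is checked.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist, constructed for this example: tag -> attributes permitted on it.
# Anything not listed (img, iframe, style=, on*=, ...) is dropped.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(),
    "h1": set(), "h2": set(), "h3": set(),
    "a": {"href", "title"},
}
VOID_TAGS = {"br"}
# For these elements the *content* is discarded too, not just the tags.
DROP_CONTENT_TAGS = {"script", "style", "iframe", "object", "embed"}
ALLOWED_URL_SCHEMES = {"http", "https", "mailto"}
C0_AND_SPACE = "".join(chr(c) for c in range(0x21))


def normalize_url(value):
    """Mirror what a browser's URL parser does before it looks at the scheme:
    strip leading/trailing C0 controls and spaces, remove embedded tab/CR/LF.
    Without this, "java\\tscript:alert(1)" looks like a relative URL to us
    while the browser happily runs it."""
    value = value.strip(C0_AND_SPACE)
    return value.replace("\t", "").replace("\n", "").replace("\r", "")


def url_allowed(value):
    """True only for relative URLs or schemes on the allowlist (no javascript:, data:, vbscript:)."""
    try:
        scheme = urlparse(value).scheme.lower()
    except ValueError:          # e.g. malformed IPv6 literal: reject rather than guess
        return False
    return scheme == "" or scheme in ALLOWED_URL_SCHEMES


class AllowlistSanitizer(HTMLParser):
    """Rebuilds the fragment from scratch, emitting only allowlisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []     # tags we emitted and still need to close
        self.drop_depth = 0     # > 0 while inside script/style/iframe/...

    def handle_starttag(self, tag, attrs):
        if self.drop_depth or tag in DROP_CONTENT_TAGS:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth += 1
            return
        if tag not in ALLOWED_TAGS:
            return              # drop the tag but keep its text content
        kept = []
        for name, value in attrs:
            name = name.lower()
            if name not in ALLOWED_TAGS[tag]:
                continue        # this is where onclick=, style=, target= go away
            value = value or ""
            if name == "href":
                value = normalize_url(value)
                if not url_allowed(value):
                    continue    # javascript:/data: links lose their href entirely
            kept.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        if self.drop_depth:
            if tag in DROP_CONTENT_TAGS:
                self.drop_depth -= 1
            return
        if tag in self.open_tags:   # also closes anything mis-nested inside it
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.drop_depth:
            self.out.append(html.escape(data, quote=False))   # text is text, never markup

    # Comments, <!DOCTYPE>, and <?...?> are simply not re-emitted.

    def result(self):
        self.close()
        while self.open_tags:   # balance whatever the submitter left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Return a fragment safe to re-display: only allowlisted tags/attributes survive."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample essay input with the usual smuggling attempts.
    sample = ('<p onmouseover="alert(1)">Dear <b>board</b>,</p>'
              '<script>steal()</script><a href="java\tscript:alert(1)">bio</a>'
              '<a href="https://example.org/cv" target="_blank">CV</a>'
              '<img src=x onerror=alert(1)><i>unclosed')
    print(sanitize_html(sample))
```

Rebuilding the output from a parse tree is the important design choice: a regular expression on the raw string (the CustomValidator idea) has to anticipate every encoding trick, whereas a re-emitter only ever produces markup it chose to produce. For production use, a maintained sanitizer such as the AntiXSS `Sanitizer` the answer points to is still preferable to a hand-rolled one; the point of this block is to show what "allowlist, not blacklist" means concretely.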

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow