Question

I have an aspx form where we have used FreeTextBox as my rich text editor to make entries.

But I am able to enter <script></script> in this rich text box.

How can I validate on the client side that it should not accept any scripting, whichever JavaScript library it is included in?

EDIT:

How can I validate it for not allowing script tags into it? How can we validate it as a mandatory field? How can I manage more than one textarea on my page, but I want only one to be a rich editor and not all???

I had tried some code but it did not help me with proper validation. Below is the snippet. SCRIPT

<script>
    $(document).ready(function () {

        // Resolve the server-generated client IDs of the ASP.NET controls.
        var $btn = $("#<%=btnSubmit.ClientID %>");
        var $txtEditor = $("#<%=txtEditor.ClientID %>");

        $btn.click(function () {
            // Only shows the editor content; no validation happens here yet.
            alert($txtEditor.html());
            // Prevent the postback while debugging.
            return false;
        });

    });
</script>

HTML

<div>
    <asp:TextBox id="txtEditor" runat="server" TextMode="MultiLine"></asp:TextBox>
</div>
<div>
    <asp:Button id="btnSubmit" runat="server" Text="Save" />
</div>
The solution

If you do need to support HTML in your text, then you should probably integrate a WYSIWYG editor (TinyMCE, for example).

If you don't need HTML there, then just HTML-encode all user input.

Other tips

I would consider using the HTML Agility Pack to parse the content and allow only whitelisted markup.

There are numerous ways of getting script to execute in arbitrary markup (without necessarily needing <script> tags). Blacklisting isn't a viable solution if you're trying to avoid XSS attacks.
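As an added illustration of the whitelist approach suggested above (this is example code written for this page, not code from the question, the answers, or the HTML Agility Pack project), the following server-side sanitizer keeps only a small set of formatting elements, drops every attribute except a checked `href` on links, and removes script-bearing elements together with their content. It assumes the HtmlAgilityPack NuGet package is referenced; the class and method names are my own. Run it in the button's server-side click handler before the content is stored, since the client-side script in the question can be bypassed by anyone who posts the form directly.

```csharp
// Added example: whitelist sanitizer on top of HtmlAgilityPack (assumed referenced).
// Class and method names are hypothetical; only the HtmlAgilityPack calls are real.
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

public static class RichTextSanitizer
{
    // Elements that may survive. Anything else is either dropped or unwrapped.
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a" };

    // Per-element attribute whitelist. Not listing on*, style, etc. removes them.
    private static readonly Dictionary<string, HashSet<string>> AllowedAttributes =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
        { { "a", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href" } } };

    // Elements whose text content must never reach the output either.
    private static readonly HashSet<string> DropWithContent =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "script", "style", "iframe", "object", "embed" };

    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "http", "https", "mailto" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        Clean(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    // Walk a snapshot of the children so removals do not disturb the iteration.
    private static void Clean(HtmlNode parent)
    {
        foreach (var child in parent.ChildNodes.ToList())
        {
            if (child.NodeType == HtmlNodeType.Comment) { child.Remove(); continue; }
            if (child.NodeType != HtmlNodeType.Element) continue; // plain text stays

            if (DropWithContent.Contains(child.Name)) { child.Remove(); continue; }

            if (!AllowedTags.Contains(child.Name))
            {
                // Unknown element: sanitize its children, then keep them and drop the tag.
                Clean(child);
                parent.RemoveChild(child, keepGrandChildren: true);
                continue;
            }

            StripAttributes(child);
            Clean(child);
        }
    }

    private static void StripAttributes(HtmlNode node)
    {
        HashSet<string> allowedForTag;
        AllowedAttributes.TryGetValue(node.Name, out allowedForTag);
        foreach (var attr in node.Attributes.ToList())
        {
            bool keep = allowedForTag != null && allowedForTag.Contains(attr.Name);
            if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                keep = IsSafeUrl(attr.Value);
            if (!keep) node.Attributes.Remove(attr);
        }
    }

    // Allow relative URLs and a few schemes; reject javascript:, data:, vbscript: and
    // friends even when the scheme is entity-encoded or padded with control characters.
    private static bool IsSafeUrl(string rawValue)
    {
        string value = HtmlEntity.DeEntitize(rawValue ?? string.Empty);
        value = new string(value.Where(c => c > ' ').ToArray()); // drop whitespace/controls
        int colon = value.IndexOf(':');
        if (colon < 0) return true; // no scheme: relative URL
        int delimiter = value.IndexOfAny(new[] { '/', '?', '#' });
        if (delimiter >= 0 && delimiter < colon) return true; // ':' belongs to the path
        return AllowedSchemes.Contains(value.Substring(0, colon));
    }
}

// Usage inside the page's button handler (names assumed from the question):
// string safe = RichTextSanitizer.Sanitize(txtEditor.Text);
```

The whitelist is deliberately small; widen it per element and attribute as the editor needs, never by listing things to forbid. If the field does not need markup at all, the first answer's advice is simpler and safer: store the raw text and emit it through `HttpUtility.HtmlEncode` when rendering.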

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow