tags:

views:

750

answers:

1
+1  Q: 

Ajax Control Toolkit Editor Control - avoiding XSS attacks

I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, introduce XSS attack vulnerabilities. In my situation, we are working on a scholarship application process, and we had hoped to use this to all nominees to type up an Essay on-line. We wanted to take the data and re-display it to the review board, but obviously, this is a bad idea.

So I'm wondering if anyone knows of a simple way of validating the content to allow HTML, but not script, perhaps using a CustomValidator or a Regular Expression that I can use in the code-behind. I'm aware that it's better to to white list validation and not blacklist validation, 'm specifically looking for that.

Alternatively, if anyone is aware of a similar control that does protect against XSS attacks, that would be good, too.

+2  A: 

The latest release of the AntiXSS library now does some HTML sanitation which I think will do what you want. Have a look at Blowdart's blog on it here.

PhilPursglove  2009-10-01 13:58:14
Thank you! I'm looking into it right now.
David Stratton  2009-10-01 14:08:08
Man it's too bad you can't vote someone up more than once. This is great.. I can't believe I never looked into this before. I just always stuck with using validation to sanitize my input and using HtmlEncode where applicable, but this is even better.. Better performance, plus the new GetSafeHtmlFragment() function works in this scenario! Thank you again!
David Stratton  2009-10-01 18:03:08
Not that I won't be sanitizing input and taking all precautions. This is just a nice additional tool to have.
David Stratton  2009-10-01 18:03:44

related questions

Is it better to create Model classes, or just stick with generic database utility class?
What are effective options for embedding video in an ASP.NET web site?
Visual Studio 2008 debugger already attached work-around
Tracking state using ASP.NET AJAX / ICallbackEventHandler
ASP.NET Display SVN Revision Number
ASP.NET URL Rewriting
How can I change the background of a masterpage from the code behind of a content page?
Easy way to AJAX WebControls
How do I define custom web.config sections with potential child elements and attributes for the properties?
ASP.NET MVC "CRUD" Database Sample
Are Multiple DataContext classes ever appropriate?
How to RedirectToAction in ASP.NET MVC without losing request data
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP.NET built in user profile, Vs old stile user class/tables
What's a good book for learning ASP?
Bandwith throttling in IIS 6 by IP Address
ASP .Net Custom Client-Side Validation
How to get the value of built, encoded ViewState?
Decent, simple, GIS/mapping component for ASP.NET?
Checklist for IIS 6/ASP.NET Windows Authentication?
How to write to Web.Config in Medium Trust ?
ASP.NET, Visual Studio and Subversion - how to integrate?
Floating Point Number parsing: Is there a Catch All algorithm?
How do I sync the SVN revision number with my ASP.NET web site?
ASP.NET Site Maps