tags:

views:

133

answers:

1
+1  Q: 

handle javascript injection in asp.net mvc

How can we handle the javascript injection in asp.net mvc (C#) application?

I can use Html.Encode in my View. But the problem is i have html also to show in the page like a blog post.

I need to remove the script entered in the input elements of the application? How can i do that in a common place?

+4  A: 

The "high-level" best practice for doing this is:

  • Store user-input the way it was entered into the system
  • HTML encode all user-input when it is output on any page
  • Use a white-list approach to "de-encode" allowed HTML characters, attributes, attribute values, etc. that you encoded in the previous step

HTML Encoding user-input on output will stop JavaScript from being executed on your site.

The reasons why you want to store user-input "as entered" is because you may in the future decide to output user data in other formats (PDF, email, JavaScript, RSS, etc) that don't have the same rules for encoding. As a result, you should keep data as close to its original form as possible. This will make things easier to deal with later.

For HTML Encoding user-input, you can use System.Web.HttpUtility.HtmlEncode(...).

To combine steps 2 & 3, you can use Microsoft's AntiXSS library. It provides some extra encoding methods that the HttpUtility class doesn't provide to make your job easier. I was unaware until Malcolm pointed out in the comments, that the latest version of this library includes a method called GetSafeHtmlFragment(...) which will remove all JavaScript manually. This will handle all of the heavy lifting of removing user-entered JavaScript code for you. You will most likely want to use GetSafeHtmlFragment and not GetSafeHtml, which is designed to encode entire HTML documents.

Dan Herbert  2010-02-06 06:10:09
I have not heard about Anixss libray for a while and did not know that it is on codeplex now. It has Javascript encode. My understanding is that you need to Javascript encode if you want to use input in javascript. HttpUtility doesnt have Javascript encode. So every project needs to have this library right?
Malcolm Frexner  2010-02-06 15:19:26
@Malcolm Every project that plans on encoding user input for use in JavaScript should have this library.
Dan Herbert  2010-02-06 15:33:53
This is new and looks very usable: AntiXss.GetSafeHtml(input). The method has its own whitelist of html tags. Perfect!
Malcolm Frexner  2010-02-06 16:11:34

related questions

What JavaScript patterns do you use most?
Javascript events
What style do you use for creating an "class" in JavaScript?
Graphing JavaScript Library
What's the difference in closure style
Getting the text from a drop-down box
How to specify javascript to run when ModalPopupExtender is shown
Length of Javascript Associative Array
How Do I Post and then redirect to an external URL from ASP.Net?
How to set up a CSS switcher in ASP.NET
Wrapping lists into columns
Javascript keyboard events primer? (or rather: help me with my custom dropdown)
Http Auth in a Firefox 3 bookmarklet
Best Debugging Tools for JavaScript/xulrunner Development
How can I turn a string of HTML into a DOM object in a Firefox extension?
Call ASP.NET Function From Javascript?
Javascript troubleshooting tools in IE
MAC addresses in JavaScript
Capturing TAB key in text box
CSS Background Color in Javascript
How can I make the browser see CSS and Javascript changes?
Triple Quotes? How do I delimit a databound Javascript string parameter in ASP.NET?
ASP .Net Custom Client-Side Validation
What JavaScript library would you choose for a new project and why?
Detecting font in JavaScript