tags:

views:

65

answers:

2

hi,

I am trying to find ways to sanitize the input of the WMD editor.

Specifically, I am trying to make HTML tags only available in the <code> tags that WMD generates. Is that possible?

My problem is that the following code is rendered as HTML, which is vulnerable to potential XSS attacks.

e.g. <a onmouseover="alert(1)" href="#">read this!</a>

The above code renders normally both in preview mode and when saved to the db.

I notice that SO doesn't seem to have this problem. The same code is just rendered as text.

I notice that SO has shared their code here (http://refactormycode.com/codes/333-sanitize-html). Do I really have to use C# in order to sanitize WMD to do this?

Any help appreciated, cheers Ke

+2  A: 

I ended up using HTML Purifier for this....

Ke
A: 

If you want to block bad scripts from WMD on the client side, take a look at my answer here: http://stackoverflow.com/questions/2837593/align-wmd-editors-preview-html-with-server-side-html-validation-e-g-no-embedde.

It shows how to implement a client-side whitelist in the WMD editor to restrict WMD's preview pane HTML to known-safe HTML elements and known-safe HTML attributes. It does the validation after WMD generates its HTML, so even if there's a bug in the WMD editor's HTML generation which allows bad script to get through, the whitelist blocker will catch it. This code is based on StackOverflow.com's implementation of the same validation.

That said, you also need server-side validation (if you're using PHP, HTML Purifier is a good choice), because even if you fix the client, that doesn't prevent an attacker from simulating a browser and saving malicious markdown by POST-ing it to your server. So doing client-side WMD previewer validation isn't actually required, except to defend against an obscure case where an attacker manages to get compromised markdown onto the server, and convinces a site moderator to edit the page. In that case, client WMD previewer validation might prevent an attacker from taking over the entire site.

Also, doing client-side validation can be helpful because then you know that the same tags and HTML allowed by the client will also be allowed on the server. Make sure to sync the server-side whitelist with the client whitelist. StackOverflow's whitelist is here if you want an example.

Justin Grant
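A concrete version of the client-side whitelist this answer describes, written as an added example (it is not the answer author's code, StackOverflow's, or WMD's): it post-processes the HTML string WMD generates, keeps only whitelisted elements and attributes, drops unsafe URL schemes, and HTML-escapes any other tag so it shows up as text, which is the behaviour the question observed on SO. The element and attribute lists are an illustrative assumption, not StackOverflow's actual whitelist.

```javascript
// Added example: whitelist filter run over the HTML string WMD produces for its
// preview pane. Element/attribute lists below are assumed, not StackOverflow's.
const ALLOWED = {
  a: ["href", "title"], b: [], blockquote: [], br: [], code: [], del: [], em: [],
  h1: [], h2: [], h3: [], hr: [], i: [], img: ["src", "alt", "title"], kbd: [],
  li: [], ol: [], p: [], pre: [], strike: [], strong: [], sub: [], sup: [], ul: [],
};
// One opening or closing tag with its raw attribute string, and one attribute.
const TAG = /<(\/?)([a-zA-Z][a-zA-Z0-9]*)((?:\s+[^\s=>\/]+(?:\s*=\s*(?:"[^"]*"|'[^']*'|[^\s>]+))?)*)\s*(\/?)>/g;
const ATTR = /([^\s=\/>]+)(?:\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+)))?/g;
// A URL is kept only if it has an explicit http/https/ftp/mailto scheme or is
// relative (no colon at all); "javascript:" and "data:" therefore fail. Relative
// URLs carrying a colon in the query string are rejected too (conservative).
const SAFE_URL = /^(?:(?:https?|ftp|mailto):|[^:]*$)/i;

function escapeHtml(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;").replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Decode one level of entities the way a browser would before the URL check,
// so "javascript&#58;alert(1)" is not mistaken for a relative URL.
function decodeEntities(s) {
  const cp = (n) => String.fromCodePoint(Math.min(n, 0x10ffff));
  return s.replace(/&#x([0-9a-f]+);/gi, (_, h) => cp(parseInt(h, 16)))
    .replace(/&#(\d+);/g, (_, d) => cp(Number(d)))
    .replace(/&(amp|lt|gt|quot);/g, (_, n) => ({ amp: "&", lt: "<", gt: ">", quot: '"' })[n]);
}

function sanitizeTag(match, slash, name, attrs, selfClose) {
  const tag = name.toLowerCase();
  const allowedAttrs = ALLOWED[tag];
  if (!allowedAttrs) return escapeHtml(match); // unknown element: render as visible text
  if (slash) return `</${tag}>`;                // closing tags carry no attributes
  let out = `<${tag}`;
  for (const m of attrs.matchAll(ATTR)) {
    const attr = m[1].toLowerCase();
    if (!allowedAttrs.includes(attr)) continue; // drops onmouseover, onerror, style, ...
    const value = decodeEntities(m[2] ?? m[3] ?? m[4] ?? "");
    if ((attr === "href" || attr === "src") && !SAFE_URL.test(value)) continue;
    out += ` ${attr}="${escapeHtml(value)}"`;
  }
  return out + (selfClose ? " />" : ">");
}

// Entry point: pass in the string WMD generated, display what comes back.
function sanitizeHtml(html) {
  return html.replace(TAG, sanitizeTag);
}
```

Keep the server-side filter (HTML Purifier or equivalent) configured with the same element and attribute lists, since the client pass only shapes the preview and is trivially bypassed by a direct POST.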