Sanitize html encoded text (#decimal notation) from AntiXSS v3 output

Question

I am tying to make comments in a blog engine XSS-safe. Tried a lot of different approaches but find it very difficult.

When I am displaying the comments I am first using Microsoft AntiXss 3.0 to html encode the whole thing. Then I am trying to html decode the safe tags using a whitelist approach.

Been looking at Steve Downing's example in Atwood's "Sanitize HTML" thread at refactormycode.

My problem is that the AntiXss library encodes the values to &#DECIMAL; notation and I don't know how to rewrite Steve's example, since my regex knowledge is limited.

I tried the following code where I simply replaced entities to decimal form but it does not work properly.

< with <
> with >

My rewrite:

class HtmlSanitizer
{
    /// <summary>
    /// A regex that matches things that look like a HTML tag after HtmlEncoding.  Splits the input so we can get discrete
    /// chunks that start with &lt; and ends with either end of line or &gt;
    /// </summary>
    private static Regex _tags = new Regex("&#60;(?!&#62;).+?(&#62;|$)", RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled);


    /// <summary>
    /// A regex that will match tags on the whitelist, so we can run them through 
    /// HttpUtility.HtmlDecode
    /// FIXME - Could be improved, since this might decode &gt; etc in the middle of
    /// an a/link tag (i.e. in the text in between the opening and closing tag)
    /// </summary>
    private static Regex _whitelist = new Regex(@"
^&#60;/?(a|b(lockquote)?|code|em|h(1|2|3)|i|li|ol|p(re)?|s(ub|up|trong|trike)?|ul)&#62;$
|^&#60;(b|h)r\s?/?&#62;$
|^&#60;a(?!&#62;).+?&#62;$
|^&#60;img(?!&#62;).+?/?&#62;$",


      RegexOptions.Singleline | RegexOptions.IgnorePatternWhitespace |
      RegexOptions.ExplicitCapture | RegexOptions.Compiled);

    /// <summary>
    /// HtmlDecode any potentially safe HTML tags from the provided HtmlEncoded HTML input using 
    /// a whitelist based approach, leaving the dangerous tags Encoded HTML tags
    /// </summary>
    public static string Sanitize(string html)
    {

        string tagname = "";
        Match tag;
        MatchCollection tags = _tags.Matches(html);
        string safeHtml = "";

        // iterate through all HTML tags in the input
        for (int i = tags.Count - 1; i > -1; i--)
        {
            tag = tags[i];
            tagname = tag.Value.ToLowerInvariant();

            if (_whitelist.IsMatch(tagname))
            {
                // If we find a tag on the whitelist, run it through 
                // HtmlDecode, and re-insert it into the text
                safeHtml = HttpUtility.HtmlDecode(tag.Value);
                html = html.Remove(tag.Index, tag.Length);
                html = html.Insert(tag.Index, safeHtml);
            }

        }

        return html;
    }

}

My input testing html is:

<p><script language="javascript">alert('XSS')</script><b>bold should work</b></p>

After AntiXss it turns into:

<p><script language="javascript">alert('XSS')</script><b>bold should work</b></p>

When I run the version of Sanitize(string html) above it gives me:

<p><script language="javascript">alert&#40;&#39;XSS&#39;&#41;</script><b>bold should work</b></p>

The regex is matching script from the whitelist which I don't want. Any help with this would be highly appreciated.

Answer 1

Have you considered using Markdown or VBCode or some similar approaches for the users to mark their comments up with? Then you can disallow all HTML.

If you must allow HTML then I would consider using a HTML parser (in the spirit of HTMLTidy) and do the white-listing there.

Answer 2

Hi Pez. Yes I am using the WMD editor with markdown, but I want the users to be able to post HTML and code examples like on Stack Overflow, so I don't want to disallow HTML completely.

I have been looking at HTML Tidy but not tried it yet. I am however using the Html Agility Pack to make sure the HTML is correct (no orphan tags). This is done before I run AntiXss.

I will try out HTML Tidy if I can't make my current solution work as I like, thanks for the suggestion.

Answer 3

I'm on a Mac so I can't test your C# code. But to me it seems like you should make the _whitelist regexp only work with the tag names. It might mean you have to make two passes, one for opening and one for closing tags. But it will make it much simpler.

Answer 4

Your problem is that C# is missinterpretating your regexp. You need to escape the #-sign. Without the escape it matches too much.

private static Regex _whitelist = new Regex(@"
    ^&\#60;(&\#47;)? (a|b(lockquote)?|code|em|h(1|2|3)|i|li|ol|p(re)?|s(ub|up|trong|trike)?|ul)&\#62;$
    |^&\#60;(b|h)r\s?(&\#47;)?&\#62;$
    |^&\#60;a(?!&\#62;).+?&\#62;$
    |^&\#60;img(?!&\#62;).+?(&\#47;)?&\#62;$",

    RegexOptions.Singleline |
    RegexOptions.IgnorePatternWhitespace |
    RegexOptions.ExplicitCapture 
    RegexOptions.Compiled
 );

Update 2: You might be interested in this xss and regexp site.

Answer 5

I will here post the complete code again (slightly refactored and with updated comments) if anybody is interested in using this.

I also decided to remove the img tag from the whitelist as @Pez and @some pointed out that this can be dangerous to allow.

Also have to point out that I have not tested this properly against possible XSS attacks. It's just a stating point for my to se how well this method works.

class HtmlSanitizer
{
    /// <summary>
    /// A regex that matches things that look like a HTML tag after HtmlEncoding to &#DECIMAL; notation. Microsoft AntiXSS 3.0 can be used to preform this. Splits the input so we can get discrete
    /// chunks that start with &#60; and ends with either end of line or &#62;
    /// </summary>
    private static readonly Regex _tags = new Regex(@"&\#60;(?!&\#62;).+?(&\#62;|$)", RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled);


    /// <summary>
    /// A regex that will match tags on the whitelist, so we can run them through 
    /// HttpUtility.HtmlDecode
    /// FIXME - Could be improved, since this might decode &#60; etc in the middle of
    /// an a/link tag (i.e. in the text in between the opening and closing tag)
    /// </summary>

    private static readonly Regex _whitelist = new Regex(@"
^&\#60;(&\#47;)? (a|b(lockquote)?|code|em|h(1|2|3)|i|li|ol|p(re)?|s(ub|up|trong|trike)?|ul)&\#62;$
|^&\#60;(b|h)r\s?(&\#47;)?&\#62;$
|^&\#60;a(?!&\#62;).+?&\#62;$",


      RegexOptions.Singleline | RegexOptions.IgnorePatternWhitespace |
      RegexOptions.ExplicitCapture | RegexOptions.Compiled);

    /// <summary>
    /// HtmlDecode any potentially safe HTML tags from the provided HtmlEncoded HTML input using 
    /// a whitelist based approach, leaving the dangerous tags Encoded HTML tags
    /// </summary>
    public static string Sanitize(string html)
    {
        Match tag;
        MatchCollection tags = _tags.Matches(html);

        // iterate through all HTML tags in the input
        for (int i = tags.Count - 1; i > -1; i--)
        {
            tag = tags[i];
            string tagname = tag.Value.ToLowerInvariant();

            if (_whitelist.IsMatch(tagname))
            {
                // If we find a tag on the whitelist, run it through 
                // HtmlDecode, and re-insert it into the text
                string safeHtml = HttpUtility.HtmlDecode(tag.Value);
                html = html.Remove(tag.Index, tag.Length);
                html = html.Insert(tag.Index, safeHtml);
            }
        }
        return html;
    }
}

Answer 6

link text