I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore introduce XSS attack vulnerabilities. In my situation, we are working on a scholarship application process, and we had hoped to use this to allow all nominees to type up an essay online. We wanted to take the data and re-display it to the review board, but obviously, this is a bad idea.

So I'm wondering if anyone knows of a simple way of validating the content to allow HTML, but not script, perhaps using a CustomValidator or a Regular Expression that I can use in the code-behind. I'm aware that it's better to do whitelist validation and not blacklist validation; I'm specifically looking for that.

Alternatively, if anyone is aware of a similar control that does protect against XSS attacks, that would be good, too.
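The whitelist approach the question asks for, as an added example that is not code from this thread, the Ajax Control Toolkit, or the AntiXSS library: a small sanitizer built on Python's standard `html.parser` that keeps only a fixed set of tags and attributes, escapes everything else as text, discards `<script>`/`<style>` blocks entirely, and only passes `href` values with an `http:`, `https:` or `mailto:` scheme. The tag and attribute whitelist, the `sanitize_html`/`blacklist_strip` names and the `ESSAY` sample are all constructed for this example; `blacklist_strip` is there only to show what a "delete the script tags" regex leaves behind.

```python
"""Whitelist HTML sanitizer for user-submitted rich text (constructed example)."""
import re
from html import escape
from html.parser import HTMLParser

# Whitelist: the only tags and attributes that survive. Everything else is dropped.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "u", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}
# Tags whose *content* is discarded as well, not just the tag itself.
DROP_CONTENT = {"script", "style"}
SAFE_URL_PREFIXES = ("http://", "https://", "mailto:")


class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []    # sanitized output pieces
        self.open = []   # stack of emitted tags, so nesting stays balanced
        self.skip = 0    # > 0 while inside <script>/<style>

    @staticmethod
    def _safe_href(value):
        value = (value or "").strip()
        # Compare the scheme with control characters removed, so "java\tscript:"
        # is treated the same as "javascript:".
        compact = re.sub(r"[\x00-\x20]", "", value).lower()
        return value if compact.startswith(SAFE_URL_PREFIXES) else None

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skip += 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is kept as escaped text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # drops onclick, onerror, style, ... on any tag
            if name == "href":
                value = self._safe_href(value)
                if value is None:
                    continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skip = max(0, self.skip - 1)
            return
        if tag in self.open:
            # Close everything opened after it too, so output stays well-nested.
            while self.open:
                top = self.open.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break

    def handle_data(self, data):
        if self.skip == 0:
            self.out.append(escape(data))  # text can never turn back into markup

    def result(self):
        self.close()
        while self.open:  # close tags the author left open
            self.out.append("</%s>" % self.open.pop())
        return "".join(self.out)


def sanitize_html(fragment):
    """Return a copy of fragment containing only whitelisted markup."""
    s = WhitelistSanitizer()
    s.feed(fragment)
    return s.result()


# Blacklist for contrast: deletes <script> blocks and nothing else.
SCRIPT_BLOCK_RE = re.compile(r"<script\b.*?</script>", re.IGNORECASE | re.DOTALL)


def blacklist_strip(fragment):
    return SCRIPT_BLOCK_RE.sub("", fragment)


# Constructed sample: a nominee's essay carrying markup a sanitizer must neutralize.
ESSAY = (
    '<p>My <b>essay</b> on <a href="https://example.org">scholarships</a>.</p>'
    '<script>alert("xss")</script>'
    '<p onclick="alert(1)" style="color:red">Click</p>'
    '<a href="javascript:alert(1)">link</a>'
    'Tom & Jerry <i>done'
)

if __name__ == "__main__":
    print("whitelist:", sanitize_html(ESSAY))
    print("blacklist:", blacklist_strip(ESSAY))
```

Running it shows the difference the question is getting at: the whitelist output keeps the paragraphs, bold text and the `https` link and turns everything else into either plain escaped text or nothing, while the blacklist leaves the `onclick` handler and the `javascript:` link untouched because they are not `<script>` tags. In the scholarship scenario the practical use is to store and re-display `sanitize_html(essay)` rather than the raw submission, instead of trying to write a validator that decides whether raw HTML is "safe enough".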

+2  A: 

The latest release of the AntiXSS library now does some HTML sanitation which I think will do what you want. Have a look at Blowdart's blog on it here.

PhilPursglove
Thank you! I'm looking into it right now.
David Stratton
Man, it's too bad you can't vote someone up more than once. This is great. I can't believe I never looked into this before. I just always stuck with using validation to sanitize my input and using HtmlEncode where applicable, but this is even better. Better performance, plus the new GetSafeHtmlFragment() function works in this scenario! Thank you again!
David Stratton
Not that I won't be sanitizing input and taking all precautions. This is just a nice additional tool to have.
David Stratton