asp.net mvc - Prevent XSS attacks and still use Html.Raw
I have a CMS system that uses CKEditor to enter data. If the user types in <script>alert('this is a bad script, data');</script>, CKEditor does a fair job and encodes it correctly, passing an encoded <script>alert('this is a bad script, data')</script> to the server.
But if the user goes to the browser developer tools (using Inspect Element) and adds it inside, as shown in the screenshot below, that is when the trouble starts. After retrieving it from the DB and displaying it in the browser, it presents the alert box.
So far I have tried many different things; one of them was:
- Encode the contents using AntiXssEncoder [HttpUtility.HtmlEncode(contents)], store it in the database, and when displaying it in the browser decode it and display it using MvcHtmlString.Create [MvcHtmlString.Create(HttpUtility.HtmlDecode(contents))] or Html.Raw [Html.Raw(contents)]. As you may expect, both of them display the JavaScript alert.
I don't want to replace <script> manually through code, as that is not a comprehensive solution (search for "and encoded state:").
So far I have referred to many articles (sorry for not listing them all here; I am adding a few as proof that I have put in sincere effort before writing this question), but none of them have code that shows the answer. There may be an easy answer and I am not looking in the right direction, or it may not be simple at all and I may need to use Content Security Policy.
- asp.net mvc html.raw antixss protection
- Is there risk in using @Html.Raw?
- http://blog.simontimms.com/2013/01/21/content-security-policy-for-asp-net-mvc/
- http://blog.michaelckennedy.net/2012/10/15/understanding-text-encoding-in-asp-net-mvc/
To reproduce what I am saying, go to this URL*, type <script>alert('this is a bad script, data');</script> in the text box, and click the button.
*This link is to Michael Kennedy's blog.

It isn't easy, and you don't want to do this. May I suggest using a simpler language than HTML for end-user formatted input? Markdown is (I believe) what StackOverflow uses. Or one of the existing wiki or other lightweight markup languages?
If you do allow HTML, I suggest the following:
- Only support a fixed subset of HTML.
- After the user submits content, parse the HTML and filter it against a whitelist of allowed tags and attributes.
- Be ruthless in filtering, and eliminate anything you aren't sure about.
There are existing tools and libraries for this. I haven't used it, but I did stumble on http://htmlpurifier.org/. I assume there are many others. Rick Strahl has posted one example for .NET, but I'm not sure if it is complete.
About ten years ago I attempted to write my own whitelist filter. It parsed and normalized the entered HTML, then removed any elements or attributes that were not on the allowed whitelist. It worked pretty well, but you never know what vulnerabilities you've missed. That project is long dead, but if I had it to do over I would have used an existing, simpler markup language rather than HTML.
There are many ways users can inject nasty stuff into your pages, and you have to be fierce to prevent this. CSS can be used to inject executable expressions into a page, like:
<style type="text/css">body{background:url("javascript:alert('xss')")}</style>
Here is a page with a list of known attacks that will keep you up at night. If you can't filter and prevent all of these, you aren't ready to let untrusted users post formatted content viewable by the public.
Right around the time I was working on my own filter, MySpace (wow, I'm old) was hit by an XSS worm known as Samy. Samy used style attributes with embedded background URLs that had a JavaScript payload, as explained by the author.
Note that the example page says:
This page is meant to accept and display raw HTML from trusted editors.
The key issue here is trust. If all of your users are trusted (say, employees of the web site), the risk here is lower. However, if you are building a forum or social network or dating site or anything else that allows untrusted users to enter formatted content viewable by others, you have a difficult job sanitizing the HTML.
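The whitelist approach the answer recommends (parse the submitted HTML, keep only whitelisted tags and attributes, throw away everything else, and reject unsafe URL schemes such as the javascript: URL in the CSS example above), shown as an added example. This is not the questioner's ASP.NET code nor any of the libraries the answer mentions; it is written in Python on the standard-library html.parser so it runs stand-alone, and the tag/attribute whitelist is an assumed policy chosen for illustration. The sample inputs at the bottom are constructed.

```python
# Added example: whitelist HTML sanitizer built on Python's html.parser.
# Not the .NET code from the question; the whitelist below is an assumed policy.
import html
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumed policy: a small fixed subset of HTML, each tag with the attributes it may carry.
ALLOWED_TAGS = {
    "p": set(), "br": set(), "b": set(), "i": set(), "em": set(), "strong": set(),
    "ul": set(), "ol": set(), "li": set(), "blockquote": set(), "code": set(), "pre": set(),
    "a": {"href", "title"},
    "img": {"src", "alt"},
}
VOID_TAGS = {"br", "img"}
URL_ATTRS = {"href", "src"}
SAFE_SCHEMES = {"http", "https", "mailto"}
# Elements whose content is thrown away as well, not just the tags themselves.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed", "noscript"}

_CONTROL_CHARS = re.compile(r"[\x00-\x20\x7f]")


def safe_url(value):
    """True for relative URLs and http/https/mailto; False for javascript:, data:, vbscript: ...

    Whitespace and control characters are removed first so "java\tscript:" or
    "  javascript:" cannot slip past the scheme check.  Entity-encoded values such
    as &#106;avascript: have already been decoded by HTMLParser by the time we see them.
    """
    cleaned = _CONTROL_CHARS.sub("", value)
    scheme = urlsplit(cleaned).scheme
    return scheme == "" or scheme in SAFE_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Re-emits only whitelisted markup; everything else is dropped or escaped as text."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []          # sanitized output fragments
        self.open_tags = []    # whitelisted elements currently open, to keep output well-formed
        self.skip_stack = []   # DROP_WITH_CONTENT elements currently open

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_stack.append(tag)
            return
        if self.skip_stack or tag not in ALLOWED_TAGS:
            return  # unknown tag dropped; its text content is still emitted by handle_data
        parts = []
        for name, value in attrs:
            # Event handlers (onclick=...), style=, and anything not whitelisted are dropped.
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue
            if name in URL_ATTRS and not safe_url(value):
                continue
            parts.append(' %s="%s"' % (name, html.escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(parts)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in self.skip_stack:
            while self.skip_stack.pop() != tag:
                pass
            return
        if self.skip_stack or tag in VOID_TAGS or tag not in self.open_tags:
            return
        # Also close anything opened after this tag, so the output nests properly.
        while True:
            open_tag = self.open_tags.pop()
            self.out.append("</%s>" % open_tag)
            if open_tag == tag:
                break

    def handle_data(self, data):
        # Text is always re-escaped, so a literal "<script>" in text stays inert.
        if not self.skip_stack:
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    """Return a sanitized copy of an untrusted HTML fragment."""
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    for tag in reversed(parser.open_tags):  # close anything the input left open
        parser.out.append("</%s>" % tag)
    return "".join(parser.out)


if __name__ == "__main__":
    # Constructed inputs: the question's payload, the answer's CSS trick, and some encoding games.
    samples = [
        "<p>Hello <b>world</b></p>",
        "<script>alert('this is a bad script, data');</script><p>kept</p>",
        '<style type="text/css">body{background:url("javascript:alert(\'xss\')")}</style>text',
        '<a href="&#106;avascript:alert(1)" onclick="steal()">link</a>',
        '<a href="  java\tscript:alert(1)">link</a><a href="https://example.com/">ok</a>',
        '<div><img src="/a.png" alt="x" style="width:expression(alert(1))"></div>',
        "<p>1 &lt; 2 <b>unclosed",
    ]
    for s in samples:
        print(repr(s), "->", repr(sanitize(s)))
```

Run sanitize() on the submitted content before storing it; the result is what would be handed to Html.Raw, and anything that did not go through the sanitizer still gets HTML-encoded as usual. Note what the sanitizer does not attempt: it drops style attributes and style elements entirely rather than trying to parse CSS, because, as the answer says, it is safer to eliminate what you cannot vet than to filter it.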