Filter out bad HTML data in Razor

In my Razor MVC application, I added the feature where a model property allows HTML by doing:

[AllowHtml]
public string Body { get; set; }

This works great. But I was wondering, I want to make sure the user doesn't submit malicious data, so has anyone built a utility or library to filter out bad HTML data like JavaScript statements, etc? I do plan on decoding the HTML and displaying in the UI, so naturally I would like to be somewhat restrictive. I understand I have to do this manually from code, just curious for some pointers or utilities.

Thanks.

asked Feb 1 '12 at 03:02

1 Answer

Absolutely! The anti-xss library from Microsoft has a sanitizer. It's simple to use and I cover this (and a lot more) in the "Hack Proofing your ASP.Net Applications" video series going live on pluralsight.com this week. There's more than just html encoding if you use html; there's caution for dangling html problems used for cross site scripting as well as improper use of javascript functions that can lead to xss as well. Check out the video series (the topic is a lot longer than a post here to cover).

Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(yourHtml);

Get the code in the web protection library. Note in asp.net 4.5 this should be included in System.Web.Security.

http://wpl.codeplex.com/

answered Feb 1 '12 at 08:02
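The pattern the answer points at, as an added example that is not code from the question, the answer, or the Web Protection Library itself: an MVC controller accepts HTML in the one [AllowHtml] property, runs it through Sanitizer.GetSafeHtmlFragment at the trust boundary before storing it, and renders only the sanitized fragment with Html.Raw. The SanitizeDemo namespaces, the IPostRepository interface and the Post class are assumptions for the sake of the example; the library calls (AllowHtml, Sanitizer.GetSafeHtmlFragment, Html.Raw) are the real ones.

```csharp
// Added example, not from the original post. Assumes the Web Protection Library
// assemblies (AntiXssLibrary.dll, HtmlSanitizationLibrary.dll) are referenced.
// SanitizeDemo.*, IPostRepository and Post are hypothetical names for this sample.
using System.Web.Mvc;
using Microsoft.Security.Application;

namespace SanitizeDemo.Models
{
    public class PostViewModel
    {
        // Request validation is switched off for this one property only, so the
        // rest of the form still gets MVC's default "potentially dangerous
        // Request.Form value" rejection.
        [AllowHtml]
        public string Body { get; set; }
    }

    public class Post
    {
        public int Id { get; set; }
        public string Body { get; set; }
    }

    // Hypothetical persistence abstraction; replace with your own data layer.
    public interface IPostRepository
    {
        void Save(Post post);
        Post Find(int id);
    }
}

namespace SanitizeDemo.Controllers
{
    using SanitizeDemo.Models;

    public class PostsController : Controller
    {
        private readonly IPostRepository _repository;

        public PostsController(IPostRepository repository)
        {
            _repository = repository;
        }

        [HttpPost]
        [ValidateAntiForgeryToken]
        public ActionResult Create(PostViewModel model)
        {
            if (!ModelState.IsValid)
            {
                return View(model);
            }

            // Sanitize once, on input, before the markup is persisted.
            // GetSafeHtmlFragment keeps a whitelist of harmless tags and attributes
            // and strips script blocks, on* event handlers and script URLs.
            string safeBody = Sanitizer.GetSafeHtmlFragment(model.Body ?? string.Empty);

            _repository.Save(new Post { Body = safeBody });
            return RedirectToAction("Index");
        }

        public ActionResult Details(int id)
        {
            Post post = _repository.Find(id);
            if (post == null)
            {
                return HttpNotFound();
            }

            // Defense in depth: sanitize again on the way out, so rows written
            // before the sanitizer was introduced (or by another writer) still
            // pass through the same whitelist before reaching a browser.
            post.Body = Sanitizer.GetSafeHtmlFragment(post.Body ?? string.Empty);
            return View(post);
        }
    }
}

// Views/Posts/Details.cshtml (Razor) renders the sanitized fragment without
// re-encoding it, while everything else on the page keeps Razor's default encoding:
//
//   @model SanitizeDemo.Models.Post
//   <article>@Html.Raw(Model.Body)</article>
//
// A plain @Model.Body would HTML-encode the markup (safe, but the tags show as
// text); @Html.Raw over a Body that was never sanitized is exactly the XSS hole.
```

The two sanitizer calls are deliberate: the input-side call is what keeps bad markup out of the database, and the output-side call is the safety net for content that reached the database by some other route. If you upgrade the library, re-check the whitelist behaviour, since which tags and attributes survive GetSafeHtmlFragment has changed between AntiXSS releases.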
