AntiXSS: supporting HTML input while preventing XSS attacks

Source: Internet
Author: User

Cross-site scripting (XSS) is no longer a new topic, and many large companies have suffered from it. The simplest and most direct defense is to prohibit any HTML tag in user input and to HTML-encode whatever the user enters (HtmlEncode).

What if you want to support some formatting in user input? One method is the BB code approach adopted by many forums: specific tags stand in for formatting, for example [B] for bold, and so on. However, BB code is not widely accepted, its expressiveness is limited, and it is not a standard format.

To make user input more expressive, a large number of HTML editor controls have emerged, including FCKeditor, FreeTextBox, RichTextBox, Cute Editor, TinyMCE and so on. For example, the post editor in the Blog Park back end supports Cute Editor and TinyMCE. I personally prefer Cute Editor, which is powerful, performs well, and is easy to customize.

The potential danger of these HTML editor controls is that users may enter dangerous characters which, once injected into the site, form an XSS attack. The simplest such input is:

<javascript>alert('XSS')</javascript>

How can this be prevented? There are three general ideas:
1. A regular-expression whitelist filtering mechanism.
2. A regular-expression blacklist replacement mechanism.
3. Filtering whitelisted and blacklisted tags through DOM objects.

The following page lists many such filtering methods:
http://refactormycode.com/codes/333-sanitize-html

However, I tried some of the methods at the above link and found them not very useful. A simpler and more useful option is AntiXSS, a class library released by Microsoft to prevent XSS attacks. Its implementation also uses a whitelist mechanism, but that whitelist is a black box to us: I took a rough look with Reflector and did not find the so-called whitelist. Nevertheless, the library is really useful.

MSDN has illustrated instructions: http://msdn.microsoft.com/en-us/library/aa973813.aspx

In practice my usage is very simple: AntiXss.GetSafeHtmlFragment(html). This method replaces the dangerous characters in the HTML. For example:

using System;
using Microsoft.Security.Application;   // AntiXss lives in this namespace (AntiXssLibrary.dll)

// Note: the <img ...> tags visible in the output below were lost from this literal when the post was copied.
var html = "<a href=\"#\" onclick=\"alert();\">aaaaaaaaa</a>javascript<p><javascript>alert('a')</javascript>\"abc.jpg\"><p>test</p>";

string safeHtml = AntiXss.GetSafeHtmlFragment(html);
Console.WriteLine(safeHtml);

The dangerous content above is successfully replaced, and the returned content is:

<a href="">aaaaaaaaa</a>javascript
<p><img src="">alert('a')<img src="abc.jpg"><img></p>
<p>test</p>

Well, that is very safe. Then there is another question: should I filter user input before writing it to the database, or filter when the output is displayed? In practice, filtering at display time is usually enough; it is not necessary to also filter the input before it is written to the database. Of course, there is nothing wrong with double insurance.
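The DOM-style whitelist idea (the third approach listed above) is easy to see in a small sanitizer. The following is an added example, not part of the original post and not AntiXSS's own code: it uses Python's standard html.parser with an assumed whitelist of tags and attributes, and reproduces what GetSafeHtmlFragment did to the input above (event handlers are dropped, a javascript: URL becomes src="", an unknown tag such as <javascript> is removed but its text kept, and <script> content is discarded entirely).

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED_TAGS = {"a": {"href", "title"}, "img": {"src", "alt"}, "p": set(), "br": set(),
                "b": set(), "i": set(), "strong": set(), "em": set()}  # assumed whitelist: tag -> attrs
VOID_TAGS = {"img", "br"}

def safe_url(value):
    cleaned = "".join(ch for ch in value if ch.isprintable()).strip()  # defeats "java\nscript:"
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # malformed URL (e.g. bad IPv6 literal): treat as unsafe
        return ""
    return cleaned if scheme in ("", "http", "https", "mailto") else ""  # "" mirrors AntiXSS's src=""

class WhitelistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip = [], 0  # skip > 0 while inside <script>/<style>, whose text is discarded

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skip += 1
            return
        allowed = ALLOWED_TAGS.get(tag)
        if allowed is None:  # unknown tag such as <javascript>: drop the tag, keep its text
            return
        parts = [tag]
        for name, value in attrs:
            if name in allowed:  # everything else (onclick, onerror, style, ...) is dropped
                value = safe_url(value or "") if name in ("href", "src") else (value or "")
                parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skip = max(0, self.skip - 1)
        elif tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # text is re-escaped, so a raw "<" never reaches the page
        if not self.skip:
            self.out.append(html.escape(data, quote=False))

def sanitize(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```

Unlike AntiXSS, this keeps whatever tag nesting the input had; a production sanitizer would also balance the tags it emits.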
