Is there an easier way to avoid harmful HTML code?


david

When I create a web site, there are some places that allow users to input
HTML code, like in the content of a message. But for security purposes, you
cannot allow users to use all HTML features, like JavaScript. I found some sites
are using UBB code and claim it is safer. I am wondering if .NET provides
some easier way for this? I feel that .NET does have a feature to keep users
from typing in HTML code, but is there a feature that allows some safe HTML code
but not others?

Thanks!
 
You could provide your own markup code, or inspect the code to make sure
it only has your own approved tags. Get a Regex to find all tags, and
then if one of them doesn't match your list of a few tags, then reject the
message.

"Safe HTML" depends on the site and what you deem to be bad. Obviously
SCRIPT is not good, but having people put arbitrary styles and overwrite
your page (and get people to click on fake links that appear to be part of
your page) can be just as damaging.

-mike
MVP
 
Thanks! that helps.

Michael Giagnocavo said:
> You could provide your own markup code, or inspect the code to make sure
> it only has your own approved tags. Get a Regex to find all tags, and
> then if one of them doesn't match your list of a few tags, then reject the
> message.
>
> "Safe HTML" depends on the site and what you deem to be bad. Obviously
> SCRIPT is not good, but having people put arbitrary styles and overwrite
> your page (and get people to click on fake links that appear to be part of
> your page) can be just as damaging.
>
> -mike
> MVP
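
The check suggested in the reply above (find every tag with a Regex and reject the message if any tag is not on the approved list), written out in C# as an added example; it is not code from anyone in this thread. The tag list and the class and method names are assumptions, and attributes are refused outright so that arbitrary styles are rejected along with SCRIPT.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

static class MessageMarkup
{
    // Assumed allowlist for this example; each site picks its own.
    static readonly HashSet<string> ApprovedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "b", "i", "u", "em", "strong", "p", "br", "ul", "ol", "li", "blockquote" };

    // Every '<' starts a tag candidate, including an unterminated one such as
    // "<script" at the end of the input. A literal '<' must arrive as "&lt;".
    static readonly Regex TagCandidate = new Regex(@"<[^<>]*>?");

    // Only accepted shape: <name>, </name> or <name/>, with no attributes, so
    // style="..." and any other attribute is refused along with unknown tags.
    static readonly Regex BareTag = new Regex(@"\A</?([A-Za-z][A-Za-z0-9]*)\s*/?>\z");

    // Returns every fragment that is not an approved, attribute-free tag.
    public static List<string> FindRejected(string message)
    {
        var rejected = new List<string>();
        foreach (Match candidate in TagCandidate.Matches(message))
        {
            Match bare = BareTag.Match(candidate.Value);
            if (!bare.Success || !ApprovedTags.Contains(bare.Groups[1].Value))
                rejected.Add(candidate.Value);
        }
        return rejected;
    }
}

static class Program
{
    static void Main()
    {
        // Constructed sample messages, not taken from the thread.
        string[] samples =
        {
            "<b>Hello</b> and <i>welcome</i><br/>",
            "<p style=\"position:absolute;top:0\">overlay</p>",
            "text <script>alert(1)</script>",
            "broken <script",
        };
        foreach (string s in samples)
            Console.WriteLine(s + " -> rejected: [" + string.Join(", ", MessageMarkup.FindRejected(s)) + "]");
    }
}
```

An empty rejected list means the message may be stored; anything else means the whole message is refused rather than cleaned up, as the reply suggests.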
 