How to prevent Javascript injection attacks within user-generated HTML

by

You think that’s it? Check this out.

Whatever approach you take, you definitely need to use a whitelist. It’s the only way to even come close to being safe about what you’re allowing on your site.

EDIT:

I’m not familiar with .NET, unfortunately, but you can check out stackoverflow’s own battle with XSS (https://blog.stackoverflow.com/2008/06/safe-html-and-xss/) and the code that was written to parse HTML posted on this site: Archive.org link – obviously you might need to change this because your whitelist is bigger, but that should get you started.

More Related Contents:

  1. Why are regular expressions taking the helm in my JavaScript, and how do I insist “this is a string”? [closed]
  2. Page content is loaded with JavaScript and Jsoup doesn’t see it
  3. Fastest method to escape HTML tags as HTML entities?
  4. Converting user input string to regular expression
  5. Detect which word has been clicked on within a text
  6. Removing all script tags from html with JS Regular Expression
  7. What is the best way to parse html in google apps script
  8. JavaScript YAML Parser [closed]
  9. Javascript regular expression to validate URL
  10. Javascript regex returning true.. then false.. then true.. etc [duplicate]
  11. How to wrap part of a text in a node with JavaScript
  12. Increment a number in a string in with regex
  13. Remove specific HTML tag with its content from javascript string
  14. javascript FileReader – parsing long file in chunks
  15. parsings strings: extracting words and phrases [JavaScript]
  16. What is the best way to parse html in google apps script
  17. Removing backslashes from strings in javascript
  18. Remove everything within script and style tags
  19. Find and replace nth occurrence of [bracketed] expression in string
  20. Negative lookbehind equivalent in JavaScript
  21. How to properly use jsPDF library
  22. How to get the element clicked (for the whole document)?
  23. Prevent form redirect OR refresh on submit?
  24. Can I get image from canvas element and use it in img src tag?
  25. Is it possible to access Shadow DOM elements through the parent document?
  26. Reset select value to default
  27. Counting and limiting words in a textarea
  28. How to insert space every 4 characters for IBAN registering?
  29. How to insert HTML as Text
  30. How can I calculate the difference between two times that are in 24 hour format?

Leave a Comment