发表新帖
发表新帖

Sanitize HTML before storing in the DB or before rendering? (AntiXSS library in ASP.NET)

后端 未结
关注
4 1307
广开言路
广开言路 2020-12-29 11:59

I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Ap

相关标签:
4条回答
  • 暖寄归人
    2020-12-29 12:21

    Have a listen to the OWASP podcast 67 with Jeff Williams on XSS. He talks about not sanitising or encoding before storage. The primary reason is that if (when) libraries evolve in response to new vulnerabilities your data is going to be stuck back in the old version. Of course this doesn’t stop you from running any input against a whitelist at the entry point and rejecting anything outside acceptable range.

    0 讨论(0)
  • 耶瑟儿~
    2020-12-29 12:33
    • Both
    • Only if you plan on changing it, which I would not do personally
    • The AntiXss class (since it's called as AntiXss.GetSafeHtmlFragment())
    0 讨论(0)
  • 长发绾君心
    2020-12-29 12:35

    I disagree with the selected answer for two reasons

    1. If you stored encoded data, you have to pick an encoder before you store. What happens if you have stored something as HTML but also want to push it out in another format, for example as a JSON response, or as part of an XML document? You now have a an HTML encoded format you must decode, then encode in the correct format.
    2. What if we discover a bug in the encoders and push a new version out? Now, because you're not encoding at the point of output all your old data may contain things that have been incorrectly encoded. You can encode again, but then you hit double encoding issues which can be painful to filter correctly.

    Generally you encode at the point of output and treat any data coming from a data store as untrusted by default - after all, what if someone manages to edit your database directly or via SQL injection?

    0 讨论(0)
  • 既然无缘
    2020-12-29 12:38

    You can use the in the page directive the parameter ValidateRequest="true". In this way all the Request data is validated and if there's a validation problem you can always catch the error. It also prevents sql injection threads and others not only possible XSS.

    With numeric data, you can validate integer overflow or misuse of data types with Int32.TryParse() or any other of the TryParse family (Byte.TryParse Int16.TryParse...)

    No need to use any other class or additional sanitizer method.

    0 讨论(0)
 看不清?
提交回复
热议问题