html-sanitizing

How to use C# to sanitize input on an html page?

烂漫一生 submitted on 2019-11-26 18:36:31
Is there a library or acceptable method for sanitizing the input to an html page? In this case I have a form with just a name, phone number, and email address. Code must be C#. For example: "<script src='bobs.js'>John Doe</script>" should become "John Doe". This is an older, but still relevant question. We are using the HtmlSanitizer .Net library, which: is open-source (MIT) - GitHub link; is actively maintained; doesn't have the problems like Microsoft Anti-XSS library; is unit tested with the OWASP XSS Filter Evasion Cheat Sheet; is specially built for this (in contrast to HTML Agility Pack,

Best way to handle security and avoid XSS with user entered URLs

一个人想着一个人 submitted on 2019-11-26 12:49:02
We have a high security application and we want to allow users to enter URLs that other users will see. This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens. What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough? Any advice on dealing with redirections ("this link goes outside our site" message on a warning page before following the link, for instance) Is there an argument for not supporting user

Server side HTML sanitizer/cleanup for JSF

◇◆丶佛笑我妖孽 submitted on 2019-11-26 11:39:33
Question: Is there any HTML sanitizer or cleanup methods available in any JSF utilities kit or libraries like PrimeFaces/OmniFaces? I need to sanitize HTML input by user via p:editor and display safe HTML output using escape="true", following the stackexchange style. Before displaying the HTML I'm thinking to store sanitized input data to the database, so that it is ready for safe use with escape="true" and XSS is not a danger. Answer 1: In order to achieve that, you basically need a standalone HTML

Best way to handle security and avoid XSS with user entered URLs

北城以北 submitted on 2019-11-26 03:35:57
Question: We have a high security application and we want to allow users to enter URLs that other users will see. This introduces a high risk of XSS hacks - a user could potentially enter javascript that another user ends up executing. Since we hold sensitive data it's essential that this never happens. What are the best practices in dealing with this? Is any security whitelist or escape pattern alone good enough? Any advice on dealing with redirections ("this link goes outside our site" message on

Sanitize/Rewrite HTML on the Client Side

不羁岁月 submitted on 2019-11-26 00:41:37
Question: I need to display external resources loaded via cross domain requests and make sure to only display "safe" content. Could use Prototype's String#stripScripts to remove script blocks. But handlers such as onclick or onerror are still there. Is there any library which can at least strip script blocks, kill DOM handlers, remove blacklisted tags (e.g. embed or object)? So are any JavaScript-related links and examples out there? Answer 1: Update 2016: There is now a Google Closure package based

Insert HTML into view from AngularJS controller

陌路散爱 submitted on 2019-11-25 21:42:35
Question: Is it possible to create an HTML fragment in an AngularJS controller and have this HTML shown in the view? This comes from a requirement to turn an inconsistent JSON blob into a nested list of id : value pairs. Therefore the HTML is created in the controller and I am now looking to display it. I have created a model property, but cannot render this in the view without it just printing the HTML. Update: It appears that the problem arises from angular rendering the created HTML as a string