I use AntiXSS but I still can hack page

Question

I don't know if I am doing this right.
I first time build something to prevent attack on page.
I will start from the bottom:
I have property:

public string Description {get;set;}

User can set it's value through tinyMCE

tinyMCE.init({
            mode: "textareas",
            theme: "advanced",
            encoding : "xml"...

In controller before I save this in database I do:

model.Description = HttpUtility.HtmlDecode(model.Description);

In database I have a value like:

<p>bla bla bla</p>

I added AntiXSS library to my project:

public class AntiXssEncoder : HttpEncoder
    {
        public AntiXssEncoder() { }

        protected override void HtmlEncode(string value, TextWriter output)
        {
            output.Write(Encoder.HtmlEncode(value)); // on breakpoint code always get in here
        }
...

When I display data from database I use:

@Html.Raw(Model.Place.Description)

And it works fine I see only text. No Html tags. Breaklines work fine. I can style text with bold, italic etc.

But If I enter:

<script>alert(open to attack);</script>

I got alert window.
I don't understand do I need to do something more to prevent this?

Answer 1

I added AntiXSS library to my project

And where are you using it?

Make sure that you have not only added AntiXSS but you actually used it:

@Html.Raw(Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(Model.Place.Description))

But remember that the new version of the AntiXSS library is a bit too restrictive and will strip tags like <strong> and <br> out which might not be desired.

As an alternative to the AntiXSS library you could use HTML Agility Pack to do this job. Rick Strahl blogged about a sample implementation.

Answer 2

First off you are displaying RAW Html- not encoded in any manner. If you want to display Html you should ideally be doing several things.

1. Sanitize it with the antixss Sanitizer class using GetSafeHtmlFragment. Note that this wont protect you completely. Do this before saving to the DB.

2. Implement the not yet fully supported headers to prevent other script from running. This is limited to only some of the modern browsers.

3. Or... Dont allow html or don't allow any HTML outside of known character tags. Ie a whitelist approach so you allow <strong> and nothing outside of other alphanumeric chars is allowed.