Is it safe to render Html that was uploaded as Markdown and converted serverside to Html?

Submitted by 三世轮回 on 2019-12-24 06:58:52

Question


I have a webform that allows users to upload text as Markdown.

The Markdown is converted to HTML on the server (using Markdig) and also stored.

When displaying the converted HTML that the user uploaded, should I @Html.Encode the content? The project is in C#, MVC 5/Razor with request validation on.


Answer 1:


No, it isn't.

I just trivially tested the following:

<a href="javascript:evil()">hello</a>

and Markdig lets it through:

See online example.

Although I haven't looked into it too deeply, the Microsoft AntiXSS library might be useful here:

// Sanitizer lives in the AntiXSS library (Microsoft.Security.Application namespace)
var safeHtml = Microsoft.Security.Application.Sanitizer
    .GetSafeHtmlFragment("<a href='javascript:evil()'>hello</a>");

gives:

<a href="">hello</a>

but

var safeHtml = Microsoft.Security.Application.Sanitizer
    .GetSafeHtmlFragment("<a href='http://stackoverflow.com'>hello</a>");

gives:

<a href="http://stackoverflow.com">hello</a>



Answer 2:


Generally it depends on the markdown converter.

By default Markdig doesn't escape html. You can however use the DisableHtml function in the pipeline that escapes all remaining HTML encodable strings that were not processed by previous extensions. This should also give better performance than letting an anti-xss function run over the string again.

See example:

using Markdig;

// DisableHtml() makes the renderer escape raw HTML found in the Markdown source
var pipeline = new MarkdownPipelineBuilder().DisableHtml().Build();
var result = Markdig.Markdown.ToHtml("<a href='javascript:evil()'>hello</a>", pipeline);
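The following is an added example, not code from the question or either answer, that combines the two approaches: Markdig with DisableHtml (Answer 2), a check of the rendered output for href/src values with a non-http scheme, and the AntiXSS sanitizer (Answer 1) as a second layer. It assumes the Markdig and AntiXSS NuGet packages are referenced and uses constructed inputs; whether Markdig alone rejects a javascript: target written in Markdown link syntax is not established by the answers, so the check inspects the output rather than relying on the pipeline.

```csharp
using System;
using System.Text.RegularExpressions;
using Markdig;

static class MarkdownRendering
{
    // Pipeline from Answer 2: raw HTML in the Markdown source is escaped instead of
    // being copied into the output.
    static readonly MarkdownPipeline NoRawHtml =
        new MarkdownPipelineBuilder().DisableHtml().Build();

    // Constructed sample inputs: the raw-HTML payload from Answer 1, the same target
    // written as a Markdown link (not raw HTML, so DisableHtml does not touch it), and
    // a benign link.
    static readonly string[] Samples =
    {
        "<a href='javascript:evil()'>hello</a>",
        "[hello](javascript:evil())",
        "[hello](http://stackoverflow.com)",
    };

    // Any href/src whose value starts with a scheme other than http(s) or mailto.
    // Markdig renders Markdown links as <a> elements, so this is checked on the
    // output rather than assumed to be handled by the pipeline.
    static readonly Regex UnsafeUrl = new Regex(
        @"\b(href|src)\s*=\s*[""']\s*(?!https?:|mailto:)[a-z][a-z0-9+.\-]*:",
        RegexOptions.IgnoreCase);

    public static string RenderUntrustedMarkdown(string markdown)
    {
        string html = Markdown.ToHtml(markdown, NoRawHtml);
        if (UnsafeUrl.IsMatch(html))
            throw new InvalidOperationException("non-http URL scheme in rendered HTML");

        // Second layer, the AntiXSS sanitizer from Answer 1, for whatever the regex
        // above does not model.
        return Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(html);
    }

    static void Main()
    {
        foreach (string s in Samples)
        {
            Console.WriteLine("default  : " + Markdown.ToHtml(s));
            try { Console.WriteLine("hardened : " + RenderUntrustedMarkdown(s)); }
            catch (InvalidOperationException e) { Console.WriteLine("rejected : " + e.Message); }
        }
    }
}
```

Rejecting the fragment and logging it is preferable to silently repairing it, since a stored fragment that trips the check is a signal worth seeing in the application logs.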


Source: https://stackoverflow.com/questions/43090491/is-it-safe-to-render-html-that-was-uploaded-as-markdown-and-converted-serverside
