问题
I noticed in this article that Microsoft does not recommend using the Editor control from the Ajax Control Toolkit in public sites because of the danger of cross-site scripting attacks. I tried it out, and even if you specifically set NoScript="true" it's possible to add script, and therefore, introduce XSS attack vulnerabilities. In my situation, we are working on a scholarship application process, and we had hoped to use this to all nominees to type up an Essay on-line. We wanted to take the data and re-display it to the review board, but obviously, this is a bad idea.
So I'm wondering if anyone knows of a simple way of validating the content to allow HTML, but not script, perhaps using a CustomValidator or a Regular Expression that I can use in the code-behind. I'm aware that it's better to to white list validation and not blacklist validation, 'm specifically looking for that.
Alternatively, if anyone is aware of a similar control that does protect against XSS attacks, that would be good, too.
回答1:
The latest release of the AntiXSS library now does some HTML sanitisation which I think will do what you want. Have a look at Blowdart's blog on it here.
UPDATE 15 Sep 2015:
The AntiXSS got rolled into the .Net 4.0 Framework, enable it in your .config file.
来源:https://stackoverflow.com/questions/1503947/ajax-control-toolkit-editor-control-avoiding-xss-attacks