Hi all,

Can we use the Antixss library with WYSIWYG editors output?

If Yes please let me know how it is possible to do that.

Same question from me. I want to integarate it with WYSIWYG editor but don't know how to prevent malicious scripts but still allow HTML tags.

I hope there is someone can answer it...

Thanks b4

Add me to the list of those who want an answer to this question.

I'd also like to know which WYSIWYG textbox controls you guys are using, and if there is a better "home brewed" solution for ASP.Net apps.

Oh and also it has to work in a hosted environment.

Hi,

You sure can use the antiXSS library with most editors.

The most popular editors are probably FCKEditor and FreeTextBox.

Get the latest version of the Microsoft Anti-Cross Site Scripting Library here

These editors will require that you set the ValidateRequest parameter in @ Page  to false. This is obviously asking for trouble so use the AntiXss library to encode all input on the page especially any input from the WSIWYG editor. There is a great tutorial here: http://msdn.microsoft.com/en-us/library/aa973813.aspx

Enjoy.

adman666:

Hi,

You sure can use the antiXSS library with most editors.

The most popular editors are probably FCKEditor and FreeTextBox.

Get the latest version of the Microsoft Anti-Cross Site Scripting Library here

These editors will require that you set the ValidateRequest parameter in @ Page  to false. This is obviously asking for trouble so use the AntiXss library to encode all input on the page especially any input from the WSIWYG editor. There is a great tutorial here: http://msdn.microsoft.com/en-us/library/aa973813.aspx

Enjoy.

 Hum... would you give the real code example of using AntiXSS with WYSIWYG editor from encoding input to displaying the encoded input that will eliminate the malicius script and keep the safe HTML there?

For me, when I encode the input, it will also encode the HTML tags.... is there API to set allowed HTML tags?

adman666:

Hi,

You sure can use the antiXSS library with most editors.

The most popular editors are probably FCKEditor and FreeTextBox.

Get the latest version of the Microsoft Anti-Cross Site Scripting Library here

These editors will require that you set the ValidateRequest parameter in @ Page  to false. This is obviously asking for trouble so use the AntiXss library to encode all input on the page especially any input from the WSIWYG editor. There is a great tutorial here: http://msdn.microsoft.com/en-us/library/aa973813.aspx

Enjoy.

 Hum... would you give the real code example of using AntiXSS with WYSIWYG editor from encoding input to displaying the encoded input that will eliminate the malicius script and keep the safe HTML there?

For me, when I encode the input, it will also encode the HTML tags.... is there API to set allowed HTML tags?

AntiXss.GetSafeHtmlFragment
and
AntiXss.GetSafeHtml

but when I try to call these functions I get an exception saying "SafeHtml Failed".

It would be great to get an aswer to this as it seems alot of people have the same issue,

I actually don't find those functions inside the Anti-XSS library. Where did you get them?

 The notes on the Cross-Site Scripting library seem to be have moved from what was cited near the start of this thread. Links now at

•  http://msdn.microsoft.com/en-us/library/ms998274.aspx

Hello there,

I actually use the tinyMCE WYSIWYG editor. There's a couple of interresting feature and it works well with .net environment. But as you may notice, it doesn't remove XSS code automatically.

I've heard some things about the new Anti-XSS library. It seems that we may have some function to remove XSS. If you go on the blog of the team (here) and you look in last posted article, you will find a post talking about the new feature in the library.

The new version (beta) may be released near the end of November (that's a rhumor). Just wait and see , it's coming.

 >But as you may notice, it doesn't remove XSS code automatically.

However there is a whitelist filter function in the CommonData library at http://www.CodePlex.Com/CommonData. That function will check all tags against a list of acceptable.

 Yeah but the CommonData library if I'm right doesn't allow to put attributes like style="color:red" and stuff like that. I would preffer if it could detect and remove only the potentially "security issue".

 >the CommonData library if I'm right doesn't allow to put attributes like style="color:red" and stuff like that

Currently it does not. Once I have some samples of legitimate styles that should be permitted, the function will get extended. It is a white list processor as opposed to a blacklist processor as it only passes what it has been programmed to accept.

So how about posting some html fragments (valid XHTML please) that I can use of the TDD process?

 I'm using FCKEditor, also have to face with this problem. I can clear the script and some on_event using the C# regex. But, that's the bad way (really bad way!) when have to loop times.. But I'm looking around for a better regex that can help me clear the loop out of the code. Is there any?

This is how I'm doing

1    private static string EncodeEvent(string text)
2            {
3                return ClearCodeEvent(text, "onBlur,onError,onFocus,onLoad,onResize,onUnload,onClick,onDblClick,onKeyDown,onKeyPress,onKeyUp,onMouseDown,onMouseMove,onMouseOut,onMouseOver,onMouseUp");
4            }
5            private static string ClearCodeEvent(string text, string filterEvent)
6            {
7                string kq = text;
8                string[] s = filterEvent.Split(',');
9                foreach (string st in s)
10               {
11                   Regex r = new Regex(st + "[ ]?=[ ]?\"[^\"]+\"", RegexOptions.Multiline | RegexOptions.IgnoreCase);
12                   kq = r.Replace(kq, "");
13                   r = new Regex(st + "[ ]?=[ ]?\'[^\']+\'", RegexOptions.Multiline | RegexOptions.IgnoreCase);
14                   kq = r.Replace(kq, "");
15               }
16               return kq;
17           }

 From #11~#13: I hope thing can work with smt like (onmouseover|onmouseout|....)[ ]?=[ ]?((\"[^\"]+\")|(\'[^\']+\')) but I failed, how is the right regex for this?
1     public static string ClearJSScript(string text)
2            {
3                Regex r = new Regex("((<script.*</[ ]?script>)|(<script.*/>)|(<script>)|(</script>))", RegexOptions.Multiline | RegexOptions.IgnoreCase);
4                string r1 = r.Replace(text, new MatchEvaluator(ReplaceMatchHTML));
5                return EncodeEvent(r1);
6            }

 
1     public static string FCKEditorHTML(string text)
2            {
3                return ClearJSScript( SafeSQLQs(text.Replace("<input type=\"image\"", "<img ")));
4            }