10.22.09
Problem: You need to handle user-generated HTML content from an unknown source for display in your web app.
Solution: This is always a moving target because of cross-site scripting, but my approach is the following.
1. I use MarkItUp to give users an easy way to format their HTML.
2. After the user has submitted their changes, I run it through an HTML Sanitizer (scroll to the bottom) that uses a whitelist approach. For ASP.NET MVC you will need to mark your controller with [ValidateInput(false)].
3. If the sanitization process has removed any user-created content, I do not save the content. I return the modified content with a warning message: "Some illegal content tags were detected and removed; double check your work and try again."
4. If the content passes through the sanitization process cleanly, I save the raw HTML content to the database.
5. When rendering to the client I just pass the raw HTML from the database out to the page.
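The flow described in the steps above, as an added Python example (not the post's own sanitizer, which is an ASP.NET component): a whitelist sanitizer that records everything it strips, and a review function that refuses to store the content whenever anything was stripped and hands the cleaned version back with the warning. The tag/attribute whitelist and the http(s)-only href rule are assumptions chosen for this example.

```python
from html import escape
from html.parser import HTMLParser

# Constructed whitelist for this example; the sanitizer the post links to is not shown here.
ALLOWED_TAGS = {"p", "br", "b", "i", "strong", "em", "ul", "ol", "li", "code", "pre", "a"}
ALLOWED_ATTRS = {"a": {"href"}}        # everything else (style, on*, ...) is dropped
SAFE_SCHEMES = ("http://", "https://")  # rejects javascript:, data:, vbscript: hrefs

class WhitelistSanitizer(HTMLParser):
    """Re-serialises markup keeping only whitelisted tags/attributes; records what it dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self._skip_depth = [], [], 0  # _skip_depth>0 inside script/style

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip_depth += 1          # their text content is dropped too, not just the tag
        if tag in ("script", "style") or tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            ok = name in ALLOWED_ATTRS.get(tag, set())
            if ok and name == "href" and not value.strip().lower().startswith(SAFE_SCHEMES):
                ok = False                 # only absolute http(s) links survive
            if ok:
                kept.append(f' {name}="{escape(value, quote=True)}"')
            else:
                self.removed.append(f"{tag}[{name}]")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self._skip_depth = max(0, self._skip_depth - 1)
        elif tag in ALLOWED_TAGS and tag != "br":
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if self._skip_depth == 0:
            self.out.append(escape(data, quote=False))  # text nodes are always re-escaped

def review_submission(raw_html):
    """Steps 2-3 of the post: returns (accepted, html, warning). Store html only if accepted."""
    s = WhitelistSanitizer()
    s.feed(raw_html); s.close()
    clean = "".join(s.out)
    if s.removed:
        return False, clean, "Some illegal content tags were detected and removed; double check your work and try again."
    return True, clean, ""
```

Because the sanitizer tracks what it dropped rather than comparing strings, harmless re-serialisation differences (attribute quoting, entity normalisation) do not trigger a false rejection.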
More Info:
StackOverflow.com