How do I prevent XSS when allowing simple formatting and hyperlink in a Sharepoint webpart?
I'm building a webpart for a Sharepoint site that allows the user to enter information into a textbox that will eventually be showed to other users. The problem is that I need to allow simple formatting (bold, italic etc) and also allow the user to enter an url (a <a href=".....). I don't want to expose a XSS exploit since I do not trust the users using my webpart not doing that.
What are my best alternatives when not wanting to write a fully fledged html parser?
There is a SPHttpUtility.HtmlEncodeAllowSimpleTextFormatting(string) that does almost what I need. It allows simple formatting such as <B>, <I>, etc. The problem is that I want to allow hyperlinks as well. Does anyone know if there is some builtin functions in Sharepoint/ASP.NET that does what I want?
If I enable "Enhanced rich text" on a "Mult开发者_StackOverflow社区iple Lines of Text" column in a Sharepoint list, it seems to do exactly what I want (it allows formatting and hyperlinks, but not evil stuff) but I cannot figure out how and where it does that?
Microsoft have a project over at CodePlex called AntiXSS that seems to do what I want.
It does however allow more html than I need (I couldn't find a way to control what to allow, maybe I didn't look everywhere), but I think this might be a good solution anyway.
精彩评论