How do I prevent XSS when allowing simple formatting and hyperlink in a Sharepoint webpart?
I'm building a webpart for a Sharepoint site that allows the user to enter information into a textbox that will eventually be shown to other users. The problem is that I need to allow simple formatting (bold, italic etc.) and also allow the user to enter a URL (a <a href=".....). I don't want to expose an XSS exploit, since I do not trust the users using my webpart not to do that.

What are my best alternatives when not wanting to write a fully fledged html parser?

There is an SPHttpUtility.HtmlEncodeAllowSimpleTextFormatting(string) that does almost what I need. It allows simple formatting such as <B>, <I>, etc. The problem is that I want to allow hyperlinks as well. Does anyone know if there are some built-in functions in Sharepoint/ASP.NET that do what I want?

If I enable "Enhanced rich text" on a "Multiple Lines of Text" column in a Sharepoint list, it seems to do exactly what I want (it allows formatting and hyperlinks, but not evil stuff), but I cannot figure out how and where it does that.

Best answer

Microsoft have a project over at CodePlex called AntiXSS that seems to do what I want.

It does however allow more HTML than I need (I couldn't find a way to control what to allow; maybe I didn't look everywhere), but I think this might be a good solution anyway.
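When a library's allow-list cannot be narrowed enough, the same "encode everything, then selectively re-enable" idea behind SPHttpUtility.HtmlEncodeAllowSimpleTextFormatting can be applied by hand. The following is an added example, not code from the question, from SharePoint or from the AntiXSS project: a hypothetical `SimpleMarkupSanitizer` helper that HTML-encodes the whole input, re-enables a fixed set of attribute-less formatting tags, and re-enables `<a href="...">` only when the URL parses as an absolute http or https address. Anything else (event handlers, `javascript:` links, unknown tags) stays encoded and is rendered as visible text rather than markup. It uses only `System.Web.HttpUtility`, `System.Uri` and `System.Text.RegularExpressions` from the .NET Framework.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Hypothetical helper (not part of SharePoint or AntiXSS).
public static class SimpleMarkupSanitizer
{
    // Bare formatting tags that are re-enabled after encoding. No attributes are ever allowed.
    private static readonly string[] SimpleTags = { "b", "i", "u", "strong", "em", "br" };

    // Matches the *encoded* form of <a href="...">text</a>, i.e. &lt;a href=&quot;...&quot;&gt;text&lt;/a&gt;.
    private static readonly Regex EncodedAnchor = new Regex(
        @"&lt;a\s+href=&quot;(?<url>.*?)&quot;\s*&gt;(?<text>.*?)&lt;/a&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Singleline);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: encode everything, so by default nothing the user typed is markup.
        string encoded = HttpUtility.HtmlEncode(input);

        // Step 2: re-enable the allow-listed tags. The pattern only matches a bare tag
        // (optionally closing or self-closing), so "<b onclick=...>" stays encoded.
        foreach (string tag in SimpleTags)
        {
            encoded = Regex.Replace(
                encoded,
                "&lt;(/?)" + tag + @"\s*/?&gt;",
                "<$1" + tag + ">",
                RegexOptions.IgnoreCase);
        }

        // Step 3: re-enable anchors whose href is an absolute http(s) URL; others stay as text.
        encoded = EncodedAnchor.Replace(encoded, m =>
        {
            string url = HttpUtility.HtmlDecode(m.Groups["url"].Value);
            if (!IsSafeHttpUrl(url)) return m.Value;
            return "<a href=\"" + HttpUtility.HtmlEncode(url) + "\" rel=\"nofollow\">"
                 + m.Groups["text"].Value + "</a>";
        });

        return encoded;
    }

    // Accepts only absolute http/https URLs, which rules out javascript:, data:, vbscript: etc.
    public static bool IsSafeHttpUrl(string url)
    {
        Uri uri;
        return Uri.TryCreate(url, UriKind.Absolute, out uri)
            && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps);
    }

    // Constructed sample inputs to show the behaviour; not from the original post.
    public static void Main()
    {
        string[] samples =
        {
            "Hello <b>world</b> & <i>friends</i>",
            "See <a href=\"http://example.com/?a=1&b=2\">this</a>",
            "Bad <a href=\"javascript:alert(1)\">link</a>",
            "<b onmouseover=\"alert(1)\">x</b><script>alert(1)</script>"
        };
        foreach (string s in samples)
        {
            Console.WriteLine(Sanitize(s));
        }
    }
}
```

Because encoding happens first, the allow-list can only ever turn a small, known set of encoded sequences back into markup; every other byte of the input reaches the page as text. The `rel="nofollow"` on re-enabled links is an assumption of this example, not something the page calls for.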

Answers

No answers yet