May 19th, 2013

WYSIWYG Html Editor and XSS Attack Prevention

In my previous post, we implemented CRUD operations with HTML WYSIWYG editor and allowed user to enter html code for formatting. Now the next step is to validate html input to prevent XSS. One way is to use AntiXss library, but the newer version breaks everything and has compatibility issues, so not reliable. Here is the white-list approach where you can allow specific html tags and other tags will be html encoded based on this discussion(Archive Version).