Are there any problems with what I am doing here? This is my first time dealing with something like this, and I just want to make sure I understand all the risks, etc. of the different methods.
I am using WMD to get user input, and I am displaying it with a literal control. Since it is uneditable once entered I will be storing the HTML and not the Markdown:
    string input = Server.HtmlEncode(stringThatComesFromWMDTextArea);
And then I run something like the following for tags I want users to be able to use.
    // Unescape whitelisted tags: only the bare, encoded "<b>", "</b>", "<i>", "</i>" are restored.
    string output = input.Replace("&lt;b&gt;", "<b>").Replace("&lt;/b&gt;", "</b>")
                         .Replace("&lt;i&gt;", "<i>").Replace("&lt;/i&gt;", "</i>");
Edit: Here is what I am doing currently:
    using System.Web;

    public static string EncodeAndWhitelist(string html)
    {
        string[] whiteList = { "b", "i", "strong", "img", "ul", "li" };
        // Encode everything first, then restore only the bare whitelisted open/close tags.
        string encodedHTML = HttpUtility.HtmlEncode(html);
        foreach (string wl in whiteList)
            encodedHTML = encodedHTML.Replace("&lt;" + wl + "&gt;", "<" + wl + ">")
                                     .Replace("&lt;/" + wl + "&gt;", "</" + wl + ">");
        return encodedHTML;
    }
- Will what I am doing here keep me protected from XSS?
- Are there any other considerations that should be made?
- Is there a good list of normal tags to whitelist?
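An added, stand-alone C# check of the encode-then-unescape approach described in the question (this is not the asker's code): it runs the same whitelist logic over a few constructed inputs and verifies that every raw tag left in the output is one of the restored whitelist tags. It uses System.Net.WebUtility.HtmlEncode in place of HttpUtility.HtmlEncode (assumed to encode < > & " the same way), and the sample inputs are constructed.

```csharp
using System;
using System.Net;

static class WhitelistCheck
{
    // Same whitelist as the question; WebUtility.HtmlEncode is assumed equivalent to HttpUtility.HtmlEncode here.
    static readonly string[] WhiteList = { "b", "i", "strong", "img", "ul", "li" };
    public static string EncodeAndWhitelist(string html)
    {
        string encoded = WebUtility.HtmlEncode(html);
        foreach (string tag in WhiteList)
        {
            // Only bare, lower-case "<tag>" and "</tag>" are restored; a tag
            // carrying attributes, whitespace or upper case stays encoded.
            encoded = encoded.Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                             .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded;
    }
    // Checks the invariant the approach relies on: every '<' left in the
    // output starts one of the restored whitelist tags and nothing else.
    public static bool OnlyWhitelistedTagsRemain(string output)
    {
        for (int i = output.IndexOf('<'); i >= 0; i = output.IndexOf('<', i + 1))
        {
            int end = output.IndexOf('>', i);
            if (end < 0) return false;
            string name = output.Substring(i + 1, end - i - 1).TrimStart('/');
            if (Array.IndexOf(WhiteList, name) < 0) return false;
        }
        return true;
    }
    static void Main()
    {
        string[] cases =  // constructed sample inputs, not from the question
        {
            "<b>bold</b> and <i>italic</i>",       // restored as real tags
            "<script>alert(1)</script>",            // stays encoded
            "<b onclick=\"alert(1)\">x</b>",        // open tag with attribute stays encoded
            "<B>shout</B>",                         // case differs: stays encoded
            "<img src=\"a.png\" alt=\"a\">",        // WMD-style img stays encoded, so "img" in the list is inert
        };
        foreach (string c in cases)
        {
            string o = EncodeAndWhitelist(c);
            Console.WriteLine(OnlyWhitelistedTagsRemain(o) + "  " + o);
        }
    }
}
```

Each line printed starts with True for these inputs; the last case shows that an exact-match whitelist never restores a tag that carries attributes, which is why the img entry has no effect on WMD output.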