I have a web form that allows users to upload text as Markdown.
The Markdown is converted to HTML on the server (using Markdig) and also stored.
When displaying the converted HTML that the user uploaded, should I @Html.Encode the content? The project is in C#, MVC 5/Razor with request validation on.
No, it isn't.
I just trivially tested the following:
<a href="javascript:evil()">hello</a>
and Markdig lets it through:
See online example.
Although I haven't looked into it too deeply, the Microsoft AntiXSS library might be useful here:
var safeHtml = Microsoft.Security.Application.Sanitizer
.GetSafeHtmlFragment("<a href='javascript:evil()'>hello</a>");
gives:
<a href="">hello</a>
but
var safeHtml = Microsoft.Security.Application.Sanitizer
.GetSafeHtmlFragment("<a href='http://stackoverflow.com'>hello</a>");
gives:
<a href="http://stackoverflow.com">hello</a>
Generally, it depends on the Markdown converter.
By default Markdig doesn't escape HTML. You can, however, use the DisableHtml function in the pipeline, which escapes all remaining HTML-encodable strings that were not processed by previous extensions. This should also give better performance than letting an anti-XSS function run over the string again.
See example:
using Markdig;
// Raw HTML in the input is escaped as text instead of being passed through to the output
var pipeline = new MarkdownPipelineBuilder().DisableHtml().Build();
var result = Markdig.Markdown.ToHtml("<a href='javascript:evil()'>hello</a>", pipeline);
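The DisableHtml pipeline from the answer above, carried through to the asker's convert-store-display flow. This is an added example, not code from either answer or from Markdig itself; the class and method names are my own, and the sample inputs are constructed.

```csharp
using System;
using Markdig;

// Added example (not code from either answer or from the Markdig project):
// the DisableHtml pipeline applied to the asker's flow, where untrusted Markdown
// is converted once on the server and the resulting HTML is stored and later rendered.
public static class MarkdownRenderer
{
    // Build the pipeline once; a MarkdownPipeline is immutable and safe to share.
    private static readonly MarkdownPipeline Pipeline =
        new MarkdownPipelineBuilder()
            .DisableHtml()   // raw HTML tags in the input become escaped text
            .Build();

    // Convert user-supplied Markdown to the HTML fragment that gets stored.
    public static string ToStoredHtml(string untrustedMarkdown)
    {
        if (untrustedMarkdown == null)
            throw new ArgumentNullException(nameof(untrustedMarkdown));
        return Markdown.ToHtml(untrustedMarkdown, Pipeline);
    }

    public static void Main()
    {
        // Constructed inputs: raw inline HTML, an HTML block, and ordinary Markdown.
        string[] samples =
        {
            "<a href=\"javascript:evil()\">hello</a>",
            "<script>evil()</script>\n\nSome *emphasis* here.",
            "A [link](http://stackoverflow.com) and `code`.",
        };

        foreach (var markdown in samples)
        {
            Console.WriteLine("--- input ---");
            Console.WriteLine(markdown);
            Console.WriteLine("--- stored HTML ---");
            Console.WriteLine(ToStoredHtml(markdown));
        }
        // In the MVC 5 view, output the stored fragment with @Html.Raw(...):
        // Razor would otherwise HTML-encode it a second time and show the tags
        // that Markdig itself produced (<p>, <em>, <a>) as literal text.
    }
}
```

For the first two inputs the raw tags come out as escaped text inside a paragraph, while the third renders as a normal Markdig link and code span.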