StackOverflow2013

Note that there are some explanatory texts on larger screens.

plurals

POSanitize html encoded text (#decimal notation) from AntiXSS v3 output
primarykey
Id
396324
data
AcceptedAnswerId
396400
AnswerCount
5
ClosedDate
CommentCount
6
CommunityOwnedDate
CreationDate
2008-12-28T15:57:08.090
FavoriteCount
1
LastActivityDate
2009-08-11T04:29:45.880
LastEditDate
LastEditorUserId
0
OwnerUserId
33349
ParentId
0
PostTypeId
1
Score
2
ViewCount
3586
LastEditorDisplayName
text
Body
I am tying to make comments in a blog engine XSS-safe. Tried a lot of different approaches but find it very difficult. When I am displaying the comments I am first using <a href="http://www.codeplex.com/AntiXSS" rel="nofollow noreferrer">Microsoft AntiXss 3.0</a> to html encode the whole thing. Then I am trying to html decode the safe tags using a whitelist approach. Been looking at <a href="http://refactormycode.com/codes/333-sanitize-html#refactor_44440" rel="nofollow noreferrer">Steve Downing's example</a> in Atwood's "Sanitize HTML" thread at refactormycode. My problem is that the AntiXss library encodes the values to &#DECIMAL; notation and I don't know how to rewrite Steve's example, since my regex knowledge is limited. I tried the following code where I simply replaced entities to decimal form but it does not work properly. <pre><code>&lt; with &#60; &gt; with &#62; </code></pre> My rewrite: <pre><code>class HtmlSanitizer { /// <summary> /// A regex that matches things that look like a HTML tag after HtmlEncoding. Splits the input so we can get discrete /// chunks that start with &lt; and ends with either end of line or &gt; /// </summary> private static Regex _tags = new Regex("&#60;(?!&#62;).+?(&#62;|$)", RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled); /// <summary> /// A regex that will match tags on the whitelist, so we can run them through /// HttpUtility.HtmlDecode /// FIXME - Could be improved, since this might decode &gt; etc in the middle of /// an a/link tag (i.e. in the text in between the opening and closing tag) /// </summary> private static Regex _whitelist = new Regex(@" ^&#60;/?(a|b(lockquote)?|code|em|h(1|2|3)|i|li|ol|p(re)?|s(ub|up|trong|trike)?|ul)&#62;$ |^&#60;(b|h)r\s?/?&#62;$ |^&#60;a(?!&#62;).+?&#62;$ |^&#60;img(?!&#62;).+?/?&#62;$", RegexOptions.Singleline | RegexOptions.IgnorePatternWhitespace | RegexOptions.ExplicitCapture | RegexOptions.Compiled); /// <summary> /// HtmlDecode any potentially safe HTML tags from the provided HtmlEncoded HTML input using /// a whitelist based approach, leaving the dangerous tags Encoded HTML tags /// </summary> public static string Sanitize(string html) { string tagname = ""; Match tag; MatchCollection tags = _tags.Matches(html); string safeHtml = ""; // iterate through all HTML tags in the input for (int i = tags.Count - 1; i > -1; i--) { tag = tags[i]; tagname = tag.Value.ToLowerInvariant(); if (_whitelist.IsMatch(tagname)) { // If we find a tag on the whitelist, run it through // HtmlDecode, and re-insert it into the text safeHtml = HttpUtility.HtmlDecode(tag.Value); html = html.Remove(tag.Index, tag.Length); html = html.Insert(tag.Index, safeHtml); } } return html; } } </code></pre> My input testing html is: <pre><code><script language="javascript">alert('XSS')</script>bold should work </code></pre> After AntiXss it turns into: <pre><code>&#60;p&#62;&#60;script language&#61;&#34;javascript&#34;&#62;alert&#40;&#39;XSS&#39;&#41;&#60;&#47;script&#62;&#60;b&#62;bold should work&#60;&#47;b&#62;&#60;&#47;p&#62; </code></pre> When I run the version of Sanitize(string html) above it gives me: <pre><code><script language="javascript">alert&#40;&#39;XSS&#39;&#41;</script>bold should work </code></pre> The regex is matching script from the whitelist which I don't want. Any help with this would be highly appreciated.
Tags
<c#><html><regex><xss>
Title
Sanitize html encoded text (#decimal notation) from AntiXSS v3 output
singulars
PostAcceptedAnswerId
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
PostParentId
1. This table or related slice is empty.
PostTypePostTypeId
1. PTQuestion
UserLastEditorUserId
1. This table or related slice is empty.
UserOwnerUserId
1. USjesperlind
plurals
PostLinksPostIdRelatedPostId
1. This table or related slice is empty.
PostLinksRelatedPostIdPostId
1. PL
 singulars
 LinkTypeLinkTypeId
 LTLinked
PostsAcceptedAnswerId
1. This table or related slice is empty.
PostsParentIdCreationDate
1. PO
 singulars
 PostTypePostTypeId
 PTAnswer
2. PO
 singulars
 PostTypePostTypeId
 PTAnswer
3. PO
 singulars
 PostTypePostTypeId
 PTAnswer
VotesPostIdCreationDate
1. VO
 singulars
 PostPostId
 POSanitize html encoded text (#decimal notation) from AntiXSS v3 output
 UserUserId
 UScdecker
 VoteTypeVoteTypeId
 VTFavorite
2. VO
 singulars
 PostPostId
 POSanitize html encoded text (#decimal notation) from AntiXSS v3 output
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
3. VO
 singulars
 PostPostId
 POSanitize html encoded text (#decimal notation) from AntiXSS v3 output
 UserUserId
 This table or related slice is empty.
 VoteTypeVoteTypeId
 VTUpMod
CommentsPostId

Querying!

Guidance

A row detail

Detail views are divided into sections. All the information in the data section comes from columns in the selected row. The other sections display data from other, related rows.

Related data can be related in a to-one or a to-many fashion. Captions of data related in a to-many fashion link to a list view showing a filtered view of the table.

Try moving around until you find a non-empty to-many entry and click on the label to get to one. You can move back to the root by clicking on the database name in the header.