Security Considerations

David Turner edited this page Dec 26, 2013 · 8 revisions

When can you trust what someone enters into the text fields of your Blocks? Almost never. For the most part, you really need to concern yourself with those blocks that will be on the external website. These blocks will be under attack, and nefarious script-kiddies will be attempting to inject HTML and other cross-site scripting (XSS) payloads to cause maximum havoc. Want to understand XSS more? Read this article.

"Many times the hacker will use the ‘comments’ feature of your web page to insert a comment that contains a script. Every user who views that comment will download the script which will execute on his browser, causing undesirable behaviour."

from Cross Site Scripting – XSS – The Underestimated Exploit

This is such a serious threat that Google will pay you $7k if you find one in their code.

Now that you understand the serious nature of the problem, continue reading to find out what you need to do.

Regarding AntiXSS Efforts

According to MSDN best practices, encoding should only happen just prior to being sent to the browser:

Q. Can I encode the input and store it in a data store?

A. No, encoding should be performed just before the input is sent to the browser and if input is encoded using HtmlEncode then it cannot be used in other contexts such as JavaScript or Url etc.

Therefore, depending on the scenario, either scrub the value with the SanitizeHtml(bool strict) string extension method or encode it with HttpUtility.HtmlEncode(string) after retrieving it from an Entity, at the point where it is rendered.

The following table illustrates the effect using each approach:

| Input | SanitizeHtml(false) | SanitizeHtml(true) | HtmlEncode |
|---|---|---|---|
| `<b>bold</b>` | `<b>bold</b>` | (empty) | `&lt;b&gt;bold&lt;/b&gt;` |
| `Hi, I'm Joe.` | `Hi, I'm Joe.` | `Hi, I'm Joe.` | `Hi, I&#39;m Joe.` |
| `It's "Good" & safe` | `It's "Good" &amp; safe` | `It's "Good" & safe` | `It&#39;s &quot;Good&quot; &amp; safe` |
| `<img src="foo">` | `<img src="foo" />` | (empty) | `&lt;img src=&quot;foo&quot;&gt;` |
| `<script>alert('bad')</script>` | (empty) | (empty) | `&lt;script&gt;alert(&#39;bad&#39;)&lt;/script&gt;` |
| `<div onclick="alert('xss')">Clickable Content</div>` | `<div>Clickable Content</div>` | (empty) | `&lt;div onclick=&quot;alert(&#39;xss&#39;)&quot;&gt;Clickable Content&lt;/div&gt;` |

There may be certain cases where you've decided that it's quite safe to encode or sanitize before the data is saved, but be warned: if you're not 100% correct you could end up with various encoding problems. For example, consider the following scenario, where input was encoded before being saved to the entity/database and then encoded again (as usual) before being displayed:

| Input | Encoded Before Save | (renders as) | Encoded Again, Before Display | (renders as) |
|---|---|---|---|---|
| `Not "Good"` | `Not &quot;Good&quot;` | Not "Good" | `Not &amp;quot;Good&amp;quot;` | Not &quot;Good&quot; |
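An added C# example, not code from this wiki or from the Blocks project, that puts both points above into practice: the comment body is stored exactly as entered, each output context (HTML, JavaScript string, URL) gets its own encoder only when the output is built, and the last call reproduces the double-encoding mistake shown in the table. It assumes a reference to System.Web for HttpUtility; the Comment class and the Render* helper names are hypothetical.

```csharp
// Added example, not code from the wiki or the Blocks project.
// Assumes a reference to System.Web (HttpUtility). Comment and the Render* helpers are hypothetical names.
using System;
using System.Web;

public class Comment
{
    // Stored exactly as the user typed it. Nothing is encoded or sanitized on the way in,
    // so the same stored value can later go into HTML, JavaScript or a URL, each with its own encoding.
    public string Body { get; set; }
}

public static class CommentRendering
{
    // HTML element content: HtmlEncode is applied only while building the output.
    public static string RenderAsHtml(Comment c)
    {
        return "<p>" + HttpUtility.HtmlEncode(c.Body) + "</p>";
    }

    // Inside a JavaScript string literal HtmlEncode is the wrong tool: quotes, backslashes and
    // control characters must be escaped for a JS literal, which JavaScriptStringEncode does.
    public static string RenderAsScript(Comment c)
    {
        return "var body = \"" + HttpUtility.JavaScriptStringEncode(c.Body) + "\";";
    }

    // URL query-string value: percent-encoding, again chosen by the destination, not by the source.
    public static string RenderAsSearchLink(Comment c)
    {
        return "<a href=\"/search?q=" + HttpUtility.UrlEncode(c.Body) + "\">search</a>";
    }

    // The pitfall from the table: a value that was already HtmlEncoded before it was saved is encoded
    // a second time at display, so &quot; becomes &amp;quot; and the visitor sees literal entity text.
    public static string EncodeAgainAtDisplay(string valueEncodedBeforeSave)
    {
        return HttpUtility.HtmlEncode(valueEncodedBeforeSave);
    }

    public static void Main()
    {
        // Constructed sample input containing markup, quotes, an ampersand and an apostrophe.
        var c = new Comment { Body = "It's \"Good\" & <script>alert('bad')</script>" };

        Console.WriteLine(RenderAsHtml(c));
        Console.WriteLine(RenderAsScript(c));
        Console.WriteLine(RenderAsSearchLink(c));

        // Simulate the mistake: encode before save, then the usual encode before display.
        string storedAlreadyEncoded = HttpUtility.HtmlEncode("Not \"Good\"");
        Console.WriteLine(EncodeAgainAtDisplay(storedAlreadyEncoded));
    }
}
```

Compile it as a console application that references System.Web. The first three lines show the same stored value encoded three different ways, which is exactly why the MSDN answer says not to pick an encoding at storage time; the final line is the second table's double-encoded value.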

Also note that, depending on how you bind your data to controls, you may need to encode like so:

```aspx
<!-- OK: the bound value is HTML-encoded explicitly before it is written into the template -->
<asp:Repeater ID="rptTest1" runat="server">
  <ItemTemplate>
    <%# Server.HtmlEncode((string)Eval("FieldName")) %>
  </ItemTemplate>
</asp:Repeater>

<!-- Also OK: the TextBox control HTML-encodes its Text property itself when it renders -->
<asp:Repeater ID="rptTest2" runat="server">
  <ItemTemplate>
    <asp:TextBox ID="txtFieldName" Text='<%# Bind("FieldName") %>'
      runat="server"></asp:TextBox>
  </ItemTemplate>
</asp:Repeater>
```