In our project, we have a requirement to let the admin users customize the Welcome Message, Header Information, Footer Information, etc. that will be displayed to all users on various web pages. We need to support HTML too as input from the users. So we plan to use the WebHtmlEditor control. This control also accepts free HTML text from the user.
My question is, how does this control make sure that the web page is not prone to script injection attacks?
Like, in the HTML view, if I type <script>alert("heyaa");</script> and then assign this WebHtmlEditor1.Text to some Label, it executes the script too. I want to prevent the user from entering any such malicious code.
Something similar like the request validation feature of ASP.NET...
Check this link - http://www.asp.net/learn/whitepapers/request-validation/
From what I observed, if I use WebHtmlEditor1.TextXhtml, the script does not execute. But I did not find any information on how exactly this works. I'd appreciate any references that talk about this.