Preventing script attacks from text boxes

DDK

I am trying to figure out the best way to allow users to submit HTML in a
textbox, and allow them the ability to edit the text HTML submitted
afterwards safely in ASP.NET + C# (submitted to a sql server database), so
that the application is not subject to script attacks. Any ideas on the best
options for this.
thanks,
d.
 
Ken Schaefer

The HTML code that the users are entering. Is this supposed to be displayed
as text to others? If so, you can use Server.HTMLEncode()

Is it supposed to be interpreted by the browser as HTML? If so, you need to
define what types of HTML the user can legitimately enter, and what they
can't. If the user is legitimately allowed to enter client-side script, then
I think you'll need to have policies in place to deal with this - you'd be
hard pressed to develop a technological solution that can distinguish
between good/innocuous script and "bad" script (whatever that may be).

Cheers
Ken

: I am trying to figure out the best way to allow users to submit HTML in a
: textbox, and allow them the ability to edit the text HTML submitted
: afterwards safely in ASP.NET + C# (submitted to a sql server database), so
: that the application is not subject to script attacks. Any ideas on the best
: options for this.
: thanks,
: d.
:
:
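
The two cases in the reply above, as an added example that is not part of either post: the class `UserHtml`, its method names and the tag allowlist are assumptions, and `System.Net.WebUtility.HtmlEncode` stands in for the `Server.HTMLEncode()` call mentioned in the reply. The raw submission is stored unmodified and encoded or filtered only on output, so the same stored value can be put back into the edit box.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class UserHtml
{
    // Assumed policy: these tags only, and never with attributes.
    private static readonly Regex EncodedAllowedTag = new Regex(
        @"&lt;(/?(?:b|i|em|strong|p|ul|ol|li|blockquote)|br ?/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    // Case 1: the submission is displayed as text. Also use this when
    // writing the stored value back into the edit <textarea>.
    public static string AsText(string raw)
    {
        return WebUtility.HtmlEncode(raw ?? string.Empty);
    }

    // Case 2: the submission is interpreted as HTML. Encode everything
    // first, then restore only the exact attribute-free tags the policy
    // permits. Anything else (script tags, tags carrying attributes such
    // as event handlers) stays encoded and is shown as literal text.
    // Restored tags are not checked for balance, so a stray closing tag
    // can remain; that affects layout, not script execution.
    public static string AsLimitedHtml(string raw)
    {
        string encoded = WebUtility.HtmlEncode(raw ?? string.Empty);
        return EncodedAllowedTag.Replace(encoded, "<$1>");
    }

    public static void Main()
    {
        // Constructed sample submission, as it would be stored in the database.
        string stored = "<b>Hello</b> <i onmouseover=\"x()\">there</i>"
                      + "<script>x()</script><br/>&lt;b&gt; typed literally";

        Console.WriteLine(AsText(stored));
        Console.WriteLine(AsLimitedHtml(stored));
    }
}
```

Because `&` is itself encoded in the first step, a user who types the literal text `&lt;b&gt;` gets `&amp;lt;b&amp;gt;`, which the allowlist pattern does not match.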
 
