As we all know by now, XSS attacks are dangerous and really easy to pull off. Various frameworks make it easy to encode HTML, like ASP.NET MVC does:
<%= Html.Encode("string"); %>
But what happens when your client requires that they be able to upload their content directly from a Microsoft Word document?
Here's the scenario: People can copy and paste content from Microsoft word into a WYSIWYG editor (in this case tinyMCE), and then that information is posted to a web page.
The website is public, but only members of that organization will have access to post information to a webpage.
How do I handle these requirements in a secure fashion? Currently there is no checking done on what the client posts (since only 'trusted' users can post), but I'm not particularly happy with that and would like to lock it down further in case an account is hacked.
The only conceptual method that I'm aware of that meets these requirements is to whitelist HTML tags and let those pass through. Is there another way? If not, What is a secure way to let the user store input in the Database in any form, but only display it properly encoded and stripped of bad tags?
Best Answer
The easiest way (for you as a developer) is probably to implement one of many variations of Markdown, for example Markdown.NET or, even better (imho), a wmd-editor.
Then, your users would be able to paste simple HTML, but nothing dangerous, and they would be able to preview their entered data and straighten out any scruples even before posting...