
Let's say we have a private math/developers forum website made with ASP.NET. Users can post text messages in topics. Based on OWASP articles we should escape symbols like ' " < > / to prevent XSS attacks. But the characters ' " < > / are too important for that community.

Since it's a private forum we can have some level of trust. Should user posts be escaped fully, or is it a good idea to have some compromise? What should the practice be, since many popular online websites don't escape such characters at all?

Ice2burn
  • What do you mean by using them? If you encode e.g. `<` to `&lt;` users can still write `<` and it will be displayed. However, they should not be able to write HTML tags that will be interpreted as tags. – Anders Oct 01 '19 at 10:54
  • Just sanitization doesn't mean you have to block them nor can't use them – tungsten Oct 01 '19 at 11:28

1 Answer


You don't need to find a compromise. This is one of the cases where security and usability go hand in hand.

In an HTML context, you don't want to escape special characters, but encode them.

An example for escaping: " -> \"
An example for encoding: " -> &quot;

The good thing with encoding in an HTML context is that it doesn't impact usability.

Say your user input is 3<5. What you will put into the HTML response is 3&lt;5. What the user will see in their browser is 3<5.

So there will be no impact on usability by fully encoding user-supplied data on output. It will actually improve usability. As this is a developer forum, what if users want to write A common XSS example is <img src=x onerror=alert(1)>? If you don't encode, then this will be treated as HTML code, not as the string it is meant as.

If you actually need a subset of HTML because users want to format their comments (links, images, color, bold, etc.), then you would want to use an HTML filter to ensure that it's a safe HTML subset.

Stackexchange is a good example for this. In this answer, it would have been bad if < wasn't encoded, because parts of the answer would not be properly formatted. But I can still format the answer using markdown.

tim
  • Is this correct: accept the user post as it is, sanitize it if necessary (to defend from SQL injection), store it in the DB as is, encode it before displaying on the client? – Ice2burn Oct 01 '19 at 12:54
  • @Ice2burn Yes, pretty much. Encoding as protection against XSS should always be done right before displaying. For SQL injection, prepared statements would be the recommended protection. Input sanitizing can be performed as defense in depth, but shouldn't be used as sole protection, and only to the extent that it doesn't impact usability (e.g. an id can be sanitized to be numerical, because it should never be anything else (if you use numerical ids, that is); but text input should probably be kept as-is to preserve integrity of the data). – tim Oct 01 '19 at 14:56
  • @Ice2burn you should encode user input before you save it in your DB – tungsten Oct 01 '19 at 17:44
  • @tungsten why so? It increases content size and doesn't improve security. – Ice2burn Oct 02 '19 at 10:17
  • @Ice2burn If you have multiple pointers that require user input as a variable on your site it can be useful to first encode the input before it gets handled by other functions, thus directly fetched from the DB. – tungsten Oct 02 '19 at 10:24
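Putting the answer and the comment thread into running form: an added Python example (not from the thread, which is about ASP.NET, where Razor's `@` output and `HttpUtility.HtmlEncode` perform the same encoding step) showing output-time encoding of a post stored as-is, and, for the case where users may use a safe HTML subset, an allowlist filter that drops every other tag and attribute. The tag and attribute allowlists are assumptions chosen for illustration.

```python
import html
from html.parser import HTMLParser

def render_plain(post: str) -> str:
    """Output-time encoding for an HTML text context. The stored post is
    untouched; only the copy written into the response is encoded."""
    return html.escape(post, quote=True)   # & < > " ' become entities

class SafeSubsetFilter(HTMLParser):
    """Allowlist filter for posts that may carry a small HTML subset.
    Unknown tags and attributes are dropped; text nodes are still encoded.
    The allowlists below are illustrative assumptions, not a standard."""
    ALLOWED_TAGS = {"b", "i", "code", "pre", "a"}
    ALLOWED_ATTRS = {"a": {"href"}}

    def __init__(self):
        super().__init__(convert_charrefs=True)  # text arrives decoded
        self.out = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.ALLOWED_TAGS:
            return                               # <img>, <script> tags vanish
        kept = ""
        for name, value in attrs:
            value = value or ""
            if name not in self.ALLOWED_ATTRS.get(tag, ()):
                continue                         # onerror=, style=, ... dropped
            if name == "href" and not value.lower().startswith(("http://", "https://")):
                continue                         # javascript:, data: and friends
            kept += f' {name}="{html.escape(value, quote=True)}"'
        self.out.append(f"<{tag}{kept}>")

    def handle_endtag(self, tag):
        if tag in self.ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        self.out.append(html.escape(data, quote=True))  # 3<5 -> 3&lt;5

def render_subset(post: str) -> str:
    f = SafeSubsetFilter()
    f.feed(post)
    f.close()
    return "".join(f.out)

if __name__ == "__main__":
    # Constructed sample posts in the forms the answer discusses.
    for post in ["3<5", "A common XSS example is <img src=x onerror=alert(1)>"]:
        print(render_plain(post))
    print(render_subset('<b>3<5</b> <a href="javascript:alert(1)">x</a>'))
```

For a production site, use a maintained HTML sanitizer library rather than a hand-written filter; the point here is that the raw post stays in the database and the encoding or filtering happens once, at render time.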