Sanitize HTML on the server

I'm using the Rich Text Editor in a client side WASM application to allow for rich user comments.

Whilst there is built in sanitization on the control, the content is essentially untrusted because a malicious user could craft their own post request. Do you have a function I can use on the server that can sanitize the posted HTML?


5 Replies

RK Revanth Krishnan Syncfusion Team December 17, 2021 01:39 PM UTC

Hi Bob, 
 
Greetings from Syncfusion support. 
 
We are currently validating your query from our end; we will update you with further details on or before 20th December. We appreciate your patience till then.
 
Regards, 
Revanth 



VJ Vinitha Jeyakumar Syncfusion Team December 21, 2021 03:15 PM UTC

Hi Bob,

We are still validating the reported query. We will update you with further details within two business days, on or before 23rd December 2021.

Regards,

Vinitha



VJ Vinitha Jeyakumar Syncfusion Team December 28, 2021 03:00 PM UTC

Hi Bob, 
 
 
We have considered the requirement “Need an API property to add required selectors/tags to the already existing HTML sanitizer list” as an uncertain feature from our end, and it will be included in one of our upcoming releases.
 
 
Please get in touch with us if you would require any further assistance. 
 
Regards, 
Vinitha 



BV Bob Vale December 28, 2021 03:19 PM UTC

Hi, whilst the feature request you've created does sound useful, it's not actually what I was asking about.

The idea is that I am using a Blazor WASM application to allow users to add content to support tickets. Kind of similar behaviour to the way that your forums engine works. The responses are then displayed on the page.

Whilst I can use the built in sanitizer in the control to make sure the HTML is safe before posting to the server we are worried about malicious actors.

The request is posted back to an ASP.NET Core controller to save the post. A malicious actor could craft a custom request that contains bad content and post that to the same server endpoint. What I'm asking is if there is any server-side code you have that I can use to validate and clean the post request to close this potential security hole.
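A server-side sanitization endpoint of the kind Bob describes, as an added example rather than code from Syncfusion or from this thread. It assumes an ASP.NET Core minimal-API project on .NET 6 or later and the open-source HtmlSanitizer NuGet package (namespace `Ganss.Xss` from version 8 onwards, `Ganss.XSS` before that); the route `/api/comments`, the `CommentRequest` record, the `CommentSanitizer` helper and the tag allowlist are choices made for this example, not anything the thread specifies.

```csharp
// Added example, not Syncfusion's code. Assumes an ASP.NET Core (.NET 6+) web project
// with the HtmlSanitizer NuGet package referenced (namespace Ganss.Xss in v8+).
using Ganss.Xss;

var builder = WebApplication.CreateBuilder(args);

// One configured sanitizer instance for the whole application.
builder.Services.AddSingleton(CommentSanitizer.Create());

var app = builder.Build();

// The endpoint the Blazor WASM client posts to. Sanitization happens here, on every
// request, because the editor's client-side sanitizer only protects honest clients;
// a hand-crafted POST to this same URL never went through it.
app.MapPost("/api/comments", (CommentRequest req, HtmlSanitizer sanitizer) =>
{
    var safeHtml = sanitizer.Sanitize(req.Html ?? string.Empty);

    // Persist and later render safeHtml only; the raw req.Html is discarded.
    return Results.Ok(new { html = safeHtml });
});

app.Run();

// Body shape for the POST; hypothetical name chosen for this example.
public record CommentRequest(string? Html);

public static class CommentSanitizer
{
    public static HtmlSanitizer Create()
    {
        var s = new HtmlSanitizer();

        // Start from an empty allowlist rather than trimming the library's defaults,
        // so anything not named here (script, iframe, object, event handlers...) is dropped.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "strong", "i", "em", "u", "s",
                                    "ul", "ol", "li", "blockquote", "pre", "code", "a" })
        {
            s.AllowedTags.Add(tag);
        }

        // Only href survives on <a>; no id/class/style/on* attributes anywhere.
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");

        // Restrict link targets to web URLs so javascript: and data: URLs are removed.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");

        // No inline CSS and no data-* attributes in user comments.
        s.AllowedCssProperties.Clear();
        s.AllowDataAttributes = false;

        return s;
    }
}
```

The allowlist is built from empty on purpose: it is easier to reason about "only these tags and this one attribute are ever stored" than about what a default deny-list happens to cover. The control's built-in sanitizer is still worth keeping for the honest-user experience, but the threat Bob describes (a crafted request straight to the controller) is only closed by the server path, so the raw posted HTML should never reach the database or the page.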



IS Indrajith Srinivasan Syncfusion Team December 29, 2021 08:21 AM UTC

We don't provide any server-side code for sanitizing/validating the HTML content from the SfRichTextEditor. As you said, the selectors in the DeniedSanitizeSelectors property will allow them to render only if EnableHtmlSanitizer is enabled.
