Server side HTML Validation

Is there any existing way of validating the html that comes from your RCE element? because currently there is nothing to stop someone editing the rce content to inject a script and then submitting that to the server. Is there any server side validation to make sure that only the elements that are used by the RCE are contained in the submitted value?


3 Replies

Buvana Sathasivam (Syncfusion Team), February 7, 2022 11:40 AM UTC

Hi Nicholas, 

Greetings from Syncfusion support. 

You can disable cross-site scripting using the EnableHtmlSanitizer boolean property. This property is used to allow cross-site scripting to exist or not. By default, this property is enabled on the Rich Text Editor component. To achieve your requirement, you can disable this property.
  
API link:  

Regards, 
Buvana S 



Nicholas, February 7, 2022 11:44 AM UTC

But say I have an RTE on a page and I'm expecting a string that is HTML to come from that input. Nothing would stop someone from just opening Postman and submitting data to the same form while completely bypassing your client-side protections. Unless I'm missing something here, this is wildly insecure to use in its current implementation.



Buvana Sathasivam (Syncfusion Team), February 8, 2022 12:41 PM UTC

Hi Nicholas, 

To prevent cross-site request forgery (CSRF) attacks, an anti-forgery token is exchanged between the client and server. Please see the link below for more information on preventing CSRF attacks. 


Regards, 
Buvana S 

