Why do I need to do Html.Encode()?

If I have a user entering data into a text editor (tiny editor) and sending the data, which I store in the database and then display on other dynamic web pages, why should I encode here?

Is the only reason that someone can paste JavaScript into the rich text editor? Is there any other reason?

+5
9 answers

Security is the reason.

The most obvious / common reason is Cross Site Scripting (XSS). This, it turns out, is the main cause of security problems that may arise on your site.

(XSS) - - script - . , . , -, 80% , Symantec 2007 . 1 , , , .

, , .

Microsoft Anti-Cross Site

http://forums.asp.net/t/1223756.aspx

+16

.

HTML , Html.Encode HTML, .

XSS.

, HTML-:

<b>Hello!</b>
<script>alert('XSS!');</script>

<b>, ( ) <script>.
(, onmouseover) URL- Javascript (, <a href="javascript:alert('XSS!');">Dancing Bunnies!</a>)

HTML XML .

+3

, "" "".

For example, the text

a < b

is HTML-encoded as

a &lt; b

which the browser decodes and displays as:

a < b

HTML- ( , ), HTML, HTML.Encode. , , (, script).

+3

.

+2

javascript - , HTML, . , , : "Nice Page: → ".

, , "" .

+2

, JavaScript, - . , javascript , , XSS:

<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>

XSS; http://ha.ckers.org/xss.html

+1

..... MVC2 , HTML.Encode

to

MVC . / . , MVC2

+1

, </div></table> -. HTML, , html , . . HtmlAgilityPack, .

0

The main reason to do what you offer is to avoid going out. Since you accept HTML and want to output it, you cannot do this. What you need to do is filter out what the user can do, it is unsafe or at least not what you want.

To do this, let me suggest AntiSamy.

You can see a demo here.

What you do has many inherent risks, and you should be very careful about this.

0
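The two defences the answers contrast are output encoding (what Html.Encode does: every character that could start markup is made inert) and allowlist sanitisation for the case this question is actually in, where the user's HTML must be kept (the AntiSamy approach: keep only known-safe tags and attributes, drop the rest). Below is an added Python example written for this page, not code from the question, any answer, or the AntiSamy project; it uses only the standard library. The allowlist in ALLOWED_TAGS and the helper names are my own assumptions, and the sample inputs are the attack strings quoted earlier in the thread.

```python
import html
import re
from html.parser import HTMLParser

# Assumed allowlist: the tag names a rich-text editor legitimately produces,
# and for each tag the attributes that may survive. Anything else is dropped.
ALLOWED_TAGS = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href"}}
VOID_TAGS = {"br"}
DROP_CONTENT_TAGS = {"script", "style"}  # tag AND its text are discarded
SAFE_URL = re.compile(r"^(https?://|/(?!/))", re.IGNORECASE)


def encode_for_html(text: str) -> str:
    """Output encoding, the Html.Encode behaviour: <, >, &, " and ' become
    entities, so the browser shows the text instead of interpreting it."""
    return html.escape(text, quote=True)


def is_safe_href(url: str) -> bool:
    """Allow only http(s) or site-relative URLs. Control characters and
    whitespace are stripped first so 'java\\tscript:' cannot slip past."""
    cleaned = re.sub(r"[\x00-\x20]", "", url)
    return bool(SAFE_URL.match(cleaned))


class AllowlistSanitizer(HTMLParser):
    """Rebuilds a fragment from scratch: allowlisted tags are re-emitted with
    allowlisted attributes only, text is always encoded, script/style content
    vanishes, and tags left open by the user are closed at the end so the
    fragment cannot break the surrounding page layout."""

    def __init__(self):
        # convert_charrefs=True: entity-encoded attribute values and text reach
        # us decoded, so the &#0000106... trick is seen as plain 'javascript:'.
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_tags = []
        self.skip_depth = 0  # > 0 while inside <script> or <style>

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth += 1
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return  # unknown tag disappears; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag] or value is None:
                continue  # drops onmouseover=, style=, etc.
            if name == "href" and not is_safe_href(value):
                continue  # drops javascript: links, however they are encoded
            kept.append(f' {name}="{encode_for_html(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT_TAGS:
            self.skip_depth = max(0, self.skip_depth - 1)
            return
        if self.skip_depth or tag not in self.open_tags:
            return  # stray </div> or </table> is simply ignored
        # Close everything opened after this tag so nesting stays valid.
        while self.open_tags:
            t = self.open_tags.pop()
            self.out.append(f"</{t}>")
            if t == tag:
                break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(encode_for_html(data))

    def result(self) -> str:
        self.close()
        while self.open_tags:
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(fragment: str) -> str:
    """Allowlist-sanitise a user-supplied HTML fragment before storing it."""
    parser = AllowlistSanitizer()
    parser.feed(fragment)
    return parser.result()


if __name__ == "__main__":
    # Constructed samples, taken from the attack strings quoted in the thread.
    user_html = "<b>Hello!</b>\n<script>alert('XSS!');</script>"
    print(encode_for_html(user_html))  # whole thing shown as literal text
    print(sanitize(user_html))          # <b>Hello!</b> kept, script gone
    print(sanitize('<a href="javascript:alert(\'XSS!\');">Dancing Bunnies!</a>'))
    print(sanitize("<b>bold</div></table> after"))
```

Encoding is the right tool when the value is plain text; it is cheap and needs no allowlist. Sanitising is only needed when the HTML itself must be preserved, and then the allowlist, not a blocklist of known-bad strings, is what makes the entity-encoded `javascript:` and `onmouseover` cases fall out automatically.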