XSS on BodyPart?

Topics: Core, Customizing Orchard
Dec 3, 2012 at 4:45 PM

Hi everyone,

I am new Orchard. When I use the BodyPart, allowing RichText users will be able to edit the HTML, that is all good. What worries me is that they are also able to write <script> directly in the HTML so it won't be encoded.

Some suggestions on what is the ideal way to prevent this?

 

Thank you,
Javier

<script type="text/javascript">// <![CDATA[ alert("POC"); // ]]></script>
Developer
Dec 3, 2012 at 5:05 PM

I don't think you can efficiently or at all solve the issue "allow full html here, but no JS". If you'd go this way there will be always some tricky way to inject JS. If you want to provide some formatting but prevent the injection of JS you should go with some other markup language (like Markdown or BBCode - both available for Orchard) instead. So you really should provide the option of editing html only for types of users you totally trust; so basically only types of administrators.