Assume you want to allow non-technical users to control content that appears on a public site/app. If the content is merely text, then you can HTML encode the text when you display it to prevent malicious scripts from being executed should they get into your database.
What options are available to prevent this scenario when you want to display the data as HTML (i.e. when the data is entered through a WYSIWYG editor)? Am I going to have to clean the data with a blacklist every time I want to display it?
Also, assume that the data has already been compromised. I am really looking for ways to limit damage from this sort of attack when HTML encoding is not an option.
For my purposes, the site is running ASP.NET MVC 3 and I am utilizing jQuery.
You can always whitelist elements and attribute names instead of blacklisting. .NET HTML whitelisting (anti-xss/Cross Site Scripting) discusses whitelisting HTML sanitizers for .NET.
Other options include loading the content in an iframe in a throwaway domain, but this will not stop the content from performing certain kinds of attacks — redirecting to a phishing page, starting downloads of malware, scanning the local network, exploiting XSRF vulnerabilities using the user’s credentials, etc.