I am inserting html in database for the first time so I need some advice am I making it right and safe.
I have class with property:
[AllowHtml] public property Description {get;set}
In View I have a tinyMCE (on text area) where user input his data.
When I display that html later I use:
@Html.Raw(Model.Description)
I don’t know should I do something else to prevent some attack on site.
I have tried to input:
<script>alert('attack');</script>
but nothing happens it saves it in database and display as a normal text later.
Also I wonder if user leave some tag unclosed can he break my layout somehow.
What are smart steps when dealing with scenario like this?
What should happen is that the html should be encoded before it is written to the database. If you look in your database you should see something like this (or at least if things are safe you should):
Now when this is written to the page by html raw, it appear on screen as it did when it was submitted, but if you inspect the page you will still see the same thing.
ASP.Net actually makes it very difficult to write code that opens your site up to abuse, so you should generally be fine. It is worth doing some more reading around the topic though as it’s good stuff to be aware of especially if mentoring others.
Some links:
Preventing Javascript and XSS attacks
http://msdn.microsoft.com/en-us/library/ff649310.aspx