I have a chat application that I am developing with SignalR. In the chat the user sends a message, now I want to make it safe so users can't send JavaScript or anything like that. What are the things I should watch out for (i.e. stripping tags)? The chat does not go in a database, it literally just relays the message from one user's text area to the connected other user's browser.
Basically you want to guard against XSS – see here https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#Escaping_.28aka_Output_Encoding.29 under “Escaping (aka Output Encoding)”.
Any characters entered at source should be HTML encoded when output to the target browser. This will convert sequences like <script> to HTML for display, e.g. &lt;script&gt;.

Personally I wouldn't bother stripping tags; I believe output sanitization is the way to go, as this is safe and will allow the most freedom for users to communicate without restriction (what happens if a user wants to send someone a snippet of code and your application is stripping all the HTML tags out?).
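An added example of the output-encoding approach on the receiving browser side (not code from the question or the answer above): every relayed message is HTML-encoded, or inserted as a DOM text node, before it reaches the page. The function names, the hub method name "broadcastMessage" and the sample message are assumptions for illustration.

```javascript
// Added example: HTML-encode chat messages on output so that a message such as
// "<script>alert(1)</script>" is displayed literally instead of being executed.
// htmlEncode, renderMessage, appendMessageNode, attachToHub and the hub method
// name "broadcastMessage" are assumed names, not part of the original post.

// The five characters that matter in HTML text and attribute contexts, per the
// OWASP cheat sheet's "Escaping (aka Output Encoding)" rule.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
};

// Encode untrusted text for insertion into an HTML document.
function htmlEncode(str) {
  return String(str).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Build the HTML fragment for one chat line. Both the user name and the message
// come from another user, so both are encoded; nothing the sender typed is
// interpreted as markup.
function renderMessage(user, message) {
  return `<li><b>${htmlEncode(user)}:</b> ${htmlEncode(message)}</li>`;
}

// Same outcome without string building: let the DOM treat the text as text.
// Preferred in the browser, where a document object is available.
function appendMessageNode(listElement, user, message) {
  const doc = listElement.ownerDocument;
  const li = doc.createElement('li');
  const name = doc.createElement('b');
  name.textContent = user + ':';                       // never parsed as markup
  li.appendChild(name);
  li.appendChild(doc.createTextNode(' ' + message));   // never parsed as markup
  listElement.appendChild(li);
  return li;
}

// Wiring into a SignalR JavaScript hub proxy (browser side). The relay can stay
// exactly as it is; only the output step in each receiving browser changes.
function attachToHub(chatHubProxy, listElement) {
  chatHubProxy.client.broadcastMessage = function (user, message) {
    appendMessageNode(listElement, user, message);
  };
}

// Constructed sample input: what the relay might hand a receiving browser.
const SAMPLE_USER = 'mallory';
const SAMPLE_MESSAGE = '<script>alert("hi")</script> & <img src=x onerror=alert(1)>';
```

Stripping tags is not needed with this approach: a user who pastes a code snippet sees it rendered as the literal characters they typed.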