Users on my site have a page they can write their own HTML to. I want this to be used for things like ordered lists, styling, and so on, but some people will try to insert script, which I can't allow.
The mechanism for updating a user's description is through AJAX. From JavaScript, I send a request to a file ajax.ashx, which calls a function in ajaxMethods.cs. In the function I update the SQL Server database with the user's new description.
How can I validate the input in the function, before the description is submitted to the server? I want to take out anything to do with scripting, but leave the normal HTML tags like <p>. Are there any tools that will handle all of this?
Why not allow users to use a custom format / language instead (for example Markdown) and then parse this server side to HTML? This way you know that any script / HTML code you find within the actual request is invalid and can be stripped (or encoded). This also gives you the advantage of only allowing a predetermined list of tags. It would basically give you the same functionality as StackOverflow has.
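Both the question (keep <p>, lists and simple styling, drop anything to do with scripting) and the answer (render on the server and only ever emit a predetermined list of tags) come down to the same technique: an allow-list sanitizer that rebuilds the output from parsed tokens instead of trying to strip dangerous patterns out of the raw string. The following is an added example of that logic, not code from the question's ajaxMethods.cs or from the answer. It is written in Python with only the standard library so it runs stand-alone; the tag list, the attribute list and the `sanitize` / `safe_href` names are assumptions chosen for the example, and in the ASP.NET stack described above the same approach would be implemented with a maintained HTML sanitizer library rather than hand-rolled.

```python
"""Allow-list HTML sanitizer (added example, not part of the original post).

Everything not explicitly allowed is removed: unknown tags, every attribute
not on the per-tag allow list (so all on* event handlers), javascript:/data:
URLs, comments, and the entire content of <script>/<style>. Text is re-escaped
on output, so the result contains only the tags emitted here.
"""
from html import escape
from html.parser import HTMLParser

# Assumed allow lists for this example; adjust to the formatting you want to offer.
ALLOWED_TAGS = {"p", "br", "ul", "ol", "li", "b", "i", "strong", "em", "a"}
ALLOWED_ATTRS = {"a": {"href", "title"}}   # tags not listed here keep no attributes
DROP_CONTENT_TAGS = {"script", "style"}   # tag AND its content are discarded
VOID_TAGS = {"br"}                          # never pushed on the open-tag stack
SAFE_URL_SCHEMES = ("http://", "https://", "mailto:")


def safe_href(value):
    """Accept http(s)/mailto links and relative paths; reject any other scheme."""
    v = value.strip().lower()
    if v.startswith(SAFE_URL_SCHEMES):
        return True
    # A relative URL has no ':' before its first '/', so "javascript:...",
    # "data:..." and "jav\tascript:..." (tab already decoded by the parser) all fail.
    return ":" not in v.split("/", 1)[0]


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities are decoded, we re-escape
        self.out = []
        self.open_tags = []   # allowed tags emitted but not yet closed
        self.skipping = False  # True while inside <script>/<style>

    def handle_starttag(self, tag, attrs):  # tag/attr names arrive lower-cased
        if self.skipping:
            return
        if tag in DROP_CONTENT_TAGS:
            self.skipping = True
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag removed; its text content is still kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, set()) or value is None:
                continue
            if name == "href" and not safe_href(value):
                continue
            kept.append(f' {name}="{escape(value, quote=True)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skipping:
            if tag in DROP_CONTENT_TAGS:
                self.skipping = False
            return
        if tag in self.open_tags:
            # Close everything up to the matching tag so output stays well nested.
            while self.open_tags:
                t = self.open_tags.pop()
                self.out.append(f"</{t}>")
                if t == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

    # handle_comment / handle_decl / handle_pi inherit the no-op default: dropped.

    def result(self):
        self.close()
        while self.open_tags:  # close anything the user left open
            self.out.append(f"</{self.open_tags.pop()}>")
        return "".join(self.out)


def sanitize(html):
    parser = AllowListSanitizer()
    parser.feed(html)
    return parser.result()


if __name__ == "__main__":
    # Constructed sample of the kind of description a user might submit.
    sample = ('<p onclick="alert(1)">Hi <b>there</b></p>'
              '<script>alert(document.cookie)</script>'
              '<img src=x onerror=alert(1)>'
              '<a href="javascript:alert(1)">bad</a>'
              '<a href="https://example.com/?q=1">ok</a>')
    print(sanitize(sample))
```

Because the output is reassembled from the parser's tokens, a payload only has to be recognised as "not on the list" to be dropped; there is no regex to bypass with odd casing, nested tags or encoded characters. The one place that still needs judgement is the URL check, which is why it is a positive scheme allow list rather than a search for the string "javascript".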