This post originated from an RSS feed registered with .NET Buzz
by Scott Watermasysk.
Original Post: Preventing XSS
Feed Title: ScottW's ASP.NET WebLog
Feed URL: /error.aspx?aspxerrorpath=/blog/rss.aspx
Feed Description: ASP.NET and Blogging
One of the "Lessons Learned" in my VSLive talk this Wednesday is going to
focus on XSS. In many applications, the simple answer is to encode the
content before rendering it (or before saving it). However, for an application
like CS this is not possible.
Over the years we have tried many ways to prevent users from posting
malicious markup. Mostly these involved using regular expressions to find and
remove dangerous elements such as script. However, there are too many potential
combinations to do this safely, so we decided to go in a different
direction.
CS, by default, will only allow a pre-selected set of elements and attributes
in any post; all others are either stripped or encoded. The whole
process is completely configurable, so site administrators can easily add
or remove elements and attributes. For those already using CS, this wiki FAQ might be helpful.
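The allow-list approach described above, as an added example that is not CS's own code: a small Python sanitizer in which elements and attributes not named in a constructed policy are encoded so they display as text, while script and style are dropped together with their content. The URL scheme check on href/src is an assumption of mine, not something the post mentions.

```python
import html
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Constructed policy (not CS's real defaults): KEEP maps each allowed element to the
# attributes it may carry; DROP elements vanish with their content; all else is encoded.
KEEP = {"b": set(), "i": set(), "p": set(), "br": set(), "a": {"href", "title"}}
DROP = {"script", "style"}
SAFE_SCHEMES = {"", "http", "https", "mailto"}  # assumed; "" means a relative URL


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.drop_depth = 0  # > 0 while inside a DROP element

    def handle_starttag(self, tag, attrs):
        if self.drop_depth or tag in DROP:
            self.drop_depth += 1
            return
        if tag not in KEEP:  # unlisted element: its source is shown as text
            self.out.append(html.escape(self.get_starttag_text()))
            return
        parts = [tag]
        for name, value in attrs:
            if name not in KEEP[tag] or value is None:
                continue  # onclick, style, etc. are silently dropped
            if name in ("href", "src"):
                url = "".join(c for c in value if c > " ")  # browsers skip control chars
                if urlsplit(url).scheme.lower() not in SAFE_SCHEMES:
                    continue  # javascript:, data:, vbscript: links are dropped
            parts.append(f'{name}="{html.escape(value, quote=True)}"')
        self.out.append("<" + " ".join(parts) + ">")

    def handle_endtag(self, tag):
        if self.drop_depth:
            self.drop_depth -= 1
        elif tag in KEEP:
            self.out.append(f"</{tag}>")
        else:
            self.out.append(html.escape(f"</{tag}>"))

    def handle_data(self, data):
        if not self.drop_depth:  # text content is always encoded on output
            self.out.append(html.escape(data, quote=False))


def sanitize(fragment):
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return "".join(parser.out)
```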