This is a migrated thread and some comments may be shown as answers.

Prevent SQL Injection, XSS and CSRF with Editor

Chris asked on 01 Feb 2012, 09:32 PM
What are the best practices to prevent XSS and CSRF with the Editor Control? 

1 Answer, 1 is accepted

Alex Gyoshev
Telerik team
answered on 02 Feb 2012, 09:47 AM
Hello Chris,

The best practices are the same with the editor as with all input components. In particular, because the editor enables regular users (and malicious ones) to edit HTML, you should be extra cautious about XSS, and thus sanitize the editor content on the server (i.e. the number one rule about security: do not trust user data). See also the following article from MSDN: how to protect from injection attacks in ASP.NET.

Keep in mind that the editor itself does not (and cannot) protect you from any injection attacks -- it is a more user-friendly way to enter HTML than a plain <textarea>.

Kind regards,
Alex Gyoshev
the Telerik team
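The server-side sanitization the answer recommends, shown as an added example for this thread (not Telerik's code, and written in Python's standard library rather than ASP.NET so it runs stand-alone): an allowlist sanitizer that re-emits only a handful of formatting tags and http(s)/mailto/relative links, and drops everything else the editor's HTML might carry, including event-handler attributes, script/style elements and javascript: URLs. The tag and attribute lists are assumptions to adapt per application.

```python
import re
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlparse

# Allowlist for a rich-text editor field (assumption: only basic formatting
# and links are needed). Anything not listed is dropped on the server.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a"}
ALLOWED_ATTRS = {"a": {"href"}}                  # only URL attributes survive
SAFE_SCHEMES = {"", "http", "https", "mailto"}   # "" = relative URL

class EditorSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)  # decodes &#106;avascript too
        self.out, self.open_tags, self.skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self.skipping += 1      # drop the element and its text content
        elif tag in ALLOWED_TAGS and not self.skipping:
            kept = ""
            for name, value in attrs:
                if name not in ALLOWED_ATTRS.get(tag, ()):
                    continue        # drops onclick=, style=, ...
                # browsers ignore tabs/newlines in a scheme ("java\tscript:")
                scheme = urlparse(re.sub(r"[\x00-\x20]", "", value or "")).scheme
                if scheme.lower() not in SAFE_SCHEMES:
                    continue        # drops javascript:, data:, vbscript:
                kept += f' {name}="{escape(value or "", quote=True)}"'
            self.out.append(f"<{tag}{kept}>")
            if tag != "br":         # void element, nothing to close
                self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.open_tags:
            while self.open_tags:   # close up to the matching open tag
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))

def sanitize_editor_html(raw):
    p = EditorSanitizer()
    p.feed(raw)
    p.close()
    p.out.extend(f"</{t}>" for t in reversed(p.open_tags))  # close leftovers
    return "".join(p.out)
```

In an ASP.NET application you would normally reach for an established HTML sanitizer library on the server; the point here is the allowlist model, which keeps what is known-good rather than trying to blocklist what is bad.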