What are the best practices to prevent XSS and CSRF with the Editor Control?
1 Answer, 1 is accepted
0
Alex Gyoshev
Telerik team
answered on 02 Feb 2012, 09:47 AM
Hello Chris,
The best practices are the same with the editor as with all input components. In particular, because the editor enables regular users (and malicious ones) to edit HTML, you should be extra cautious about XSS, and thus sanitize the editor content on the server (i.e. the number one rule about security: do not trust user data). See also the following article from MSDN: how to protect from injection attacks in ASP.NET.
Keep in mind that the editor itself does not (and it cannot) protect you from any injection attacks -- it is a more user-friendly way to enter HTML than a plain <textarea>.
Kind regards,
Alex Gyoshev
the Telerik team
If you want to get updates on new releases, tips and tricks and sneak peeks at our product labs directly from the developers working on the Telerik Extensions for ASP.NET MVC, subscribe to their blog feed now
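The two points made in the answer above, server-side sanitization of the editor's HTML and CSRF protection of the form that posts it, as an added example in an ASP.NET MVC controller. This is not Telerik's code and not part of the original thread; it assumes the HtmlAgilityPack NuGet package, and the names PostModel, PostsController, HtmlSanitizer and the tag allowlist are hypothetical choices for illustration.

```csharp
// Added example (not Telerik's code): allowlist sanitization of Editor HTML on the
// server, plus anti-forgery validation on the action that receives it.
// Assumes the HtmlAgilityPack package; PostModel, PostsController and
// HtmlSanitizer are hypothetical names.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HtmlAgilityPack;

public class PostModel
{
    // [AllowHtml] lets the editor's markup reach the model instead of being
    // rejected by MVC request validation. It does NOT make the value safe:
    // Body must be sanitized before it is stored or rendered.
    [AllowHtml]
    public string Body { get; set; }
}

public static class HtmlSanitizer
{
    // Allowlist: only what the editor is expected to produce survives.
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a", "h1", "h2", "h3", "blockquote" };
    static readonly HashSet<string> AllowedAttributes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "href", "title" };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // Snapshot the node list first: mutating the tree while enumerating it throws.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                node.Remove();           // conditional comments can carry markup in old IE
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element) continue;

            if (!AllowedTags.Contains(node.Name))
            {
                if (node.Name == "script" || node.Name == "style")
                    node.Remove();                           // drop content entirely
                else
                    node.ParentNode.RemoveChild(node, true); // unwrap: keep the text, lose the tag
                continue;
            }

            // Strip every attribute not on the allowlist (on* handlers, style, etc.)
            // and any href whose scheme is not plain http/https/mailto.
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = AllowedAttributes.Contains(attr.Name);
                if (keep && attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
                    keep = IsSafeUrl(attr.Value);
                if (!keep) attr.Remove();
            }
        }
        return doc.DocumentNode.OuterHtml;
    }

    static bool IsSafeUrl(string value)
    {
        // Decode entities first, so "javascript&#58;..." is seen for what it is.
        var url = HtmlEntity.DeEntitize(value ?? string.Empty).Trim();
        Uri uri;
        if (!Uri.TryCreate(url, UriKind.RelativeOrAbsolute, out uri)) return false;
        if (!uri.IsAbsoluteUri) return !url.Contains(":"); // relative path with no smuggled scheme
        return uri.Scheme == Uri.UriSchemeHttp
            || uri.Scheme == Uri.UriSchemeHttps
            || uri.Scheme == Uri.UriSchemeMailto;
    }
}

public class PostsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken] // pairs with @Html.AntiForgeryToken() in the view: cross-site form posts fail here
    public ActionResult Save(PostModel model)
    {
        string clean = HtmlSanitizer.Sanitize(model.Body);
        // Persist `clean`, never the raw model.Body; when rendering, emit only the
        // sanitized value (e.g. Html.Raw(clean)), not anything the user posted.
        return RedirectToAction("Index");
    }
}
```

The sanitizer is deliberately an allowlist rather than a blocklist of known-bad tags: a blocklist has to anticipate every encoding and parser quirk, whereas an allowlist only needs to name what the editor legitimately emits. The anti-forgery attribute covers the CSRF half of the question; it is only effective when every form that posts to the action includes the matching hidden token.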