Using Markdown in ASP.NET
Recently I was tasked with adding some CMS style functionality to a customers site. Rather than reinvent the wheel by doing my own pattern matching etc, I decided to use some markdown to do the hard work. I naively thought that it would be easier to implement because the markdown library would take care of key security concerns. Little did I realise...
For starters, I enjoyed the blog post FAQ: Untrusted users and HTML. It sets the scene quite nicely:
"No Method of displaying untrusted HTML is 100% safe."
There are some interesting debates about whether markdown should actually include some basic security to stop people (like me 😊) inadvertently introducing issues. After doing some initial research, I thought it would be OK just to convert the markdown to html and then html encode it. But what happens when you type this markdown in..
[Go Boom!](javascript:alert('Boom!')
Yes, you guessed it... BOOM! The JavaScript is executed, because by default the markdown will just get converted into the appropriate href link. See Markdown and Xss for a good description of the problem.
So, no shortcuts...
Rick Strahl has a great blog post .NET HTML Sanitation for rich HTML Input, explaining his findings as he worked through looking at Html Sanitizing in .Net. Its worth a read, although I didn't end up using his HtmlSanitizer code as I found a more complete example... the .NET Html Sanitizer. This Html Sanitizer uses AngleSharp.
There's a wealth of markdown converters out there, I ended up using CommonMark.NET after seeing it being "advertised" in one of the channel 9.net core videos.
The final snippet for converting the markdown ended up as...
For starters, I enjoyed the blog post FAQ: Untrusted users and HTML. It sets the scene quite nicely:
"No Method of displaying untrusted HTML is 100% safe."
There are some interesting debates about whether markdown should actually include some basic security to stop people (like me 😊) inadvertently introducing issues. After doing some initial research, I thought it would be OK just to convert the markdown to html and then html encode it. But what happens when you type this markdown in..
[Go Boom!](javascript:alert('Boom!')
Yes, you guessed it... BOOM! The JavaScript is executed, because by default the markdown will just get converted into the appropriate href link. See Markdown and Xss for a good description of the problem.
So, no shortcuts...
- Html Encode
- Markdown convert
- Html Sanitize
Rick Strahl has a great blog post .NET HTML Sanitation for rich HTML Input, explaining his findings as he worked through looking at Html Sanitizing in .Net. Its worth a read, although I didn't end up using his HtmlSanitizer code as I found a more complete example... the .NET Html Sanitizer. This Html Sanitizer uses AngleSharp.
There's a wealth of markdown converters out there, I ended up using CommonMark.NET after seeing it being "advertised" in one of the channel 9.net core videos.
The final snippet for converting the markdown ended up as...
