
How does EPiServer help prevent cross-site scripting?

Versions: 4.22.0.98, FAQ number: 110, Old FAQ number: 981

Introduction

EPiServer has limited support for HTML tags in raw text fields, for example a string property that does not have the editor activated. The reason is to prevent unsafe script code from being rendered in a safe environment (commonly referred to as cross-site scripting).

EPiServer does not limit input, but it will HTML-encode output that is rendered using the Property web control. The limited set of tags that are allowed in text fields can be changed in the EPsSafeHtmlTags setting in the configuration file web.config. The default value is "b,i,u,br".

Consider the following input:

<b>Here comes an alert</b><script>alert('Hello');</script>

It will be rendered as follows (the <b> tag is honoured, while the <script> element is shown as plain text):

Here comes an alert<script>alert('Hello');</script>

Important! If you are using the HTML editor you are of course enabling all users to enter whatever HTML code they want. Therefore you should be careful when exposing the editor to "untrusted" users. If you do not render content on the ASPX page using the Property web control, this encoding will not be applied (not recommended).

If you need to access the encoded content from code instead of using the Property web control, you can call the ToWebString() method instead of the ToString() method, for example:

CurrentPage.Property["MainIntro"].ToWebString();

You may also HTML-encode text using HttpUtility.HtmlEncode in the .NET Framework to ensure that content shows up as raw text and not as HTML.
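As an added illustration (not EPiServer's own implementation), the following C# mimics the behaviour described above: the whole string is HTML-encoded and only bare tags named in an EPsSafeHtmlTags-style list are re-enabled, so the FAQ's example keeps its <b> tag while the <script> element is shown as text. The SafeHtml class, its method names and the regular expression are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not EPiServer code: encode everything, then re-enable
// only the tags listed in a "b,i,u,br"-style setting value.
public static class SafeHtml
{
    // Parse a comma-separated tag list (the EPsSafeHtmlTags format)
    // into a case-insensitive set of tag names.
    public static HashSet<string> ParseSafeTags(string setting)
    {
        var tags = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        foreach (var part in setting.Split(','))
        {
            var name = part.Trim();
            if (name.Length > 0) tags.Add(name);
        }
        return tags;
    }

    // HTML-encode the input, then decode back only bare allowed tags such as
    // <b>, </b> or <br/>. A tag carrying attributes (for example an event
    // handler) does not match the pattern and therefore stays encoded.
    public static string ToWebString(string raw, HashSet<string> safeTags)
    {
        string encoded = HttpUtility.HtmlEncode(raw);
        // After encoding, a tag looks like &lt;b&gt;, &lt;/b&gt; or &lt;br /&gt;
        var tagPattern = new Regex(@"&lt;(/?)([A-Za-z][A-Za-z0-9]*)\s*(/?)&gt;");
        return tagPattern.Replace(encoded, m =>
        {
            string name = m.Groups[2].Value;
            if (!safeTags.Contains(name)) return m.Value; // keep it encoded
            return "<" + m.Groups[1].Value + name.ToLowerInvariant()
                       + m.Groups[3].Value + ">";
        });
    }

    public static void Main()
    {
        var safe = ParseSafeTags("b,i,u,br"); // the FAQ's default value
        // Constructed input, taken from the FAQ's own example above
        string input = "<b>Here comes an alert</b><script>alert('Hello');</script>";
        Console.WriteLine(ToWebString(input, safe));
    }
}
```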

Background

Everyone who builds web applications that take input from users and then present it to editors should be aware of the risk of cross-site scripting. If you do not take the correct action, code can travel from an unsafe environment to a safe environment and there, for example, extract secure information and send it back to the user who entered the code.

You can also read more about cross-site-scripting on the Internet.
