I allow a user to enter text using the following:
<textarea ng-model="UserComment.text" rows="4" required maxlength="4000"></textarea>
Now this allows the user to enter
<script>alert('Hello world!');</script>
This will be saved to my db exactly as entered as the script tag (if not filtered) - which is extremely dangerous. I know when I render that input using the following ng-bind
<div class="user-comment-text">{{UserComment.text}}</div>
it will be sanitized by default and the script tags will be HTML encoded, with < and > rendered as &lt; and &gt;,
so the script tags are not executed as script. But it is dangerous to save these tags in my DB, so I want to filter the <script> tag (and any other dangerous input) from being input - what is the best way of doing that?
I hope there is a better solution than a regular expression (ng-pattern), as getting this right for multi-lingual input is near impossible. My current thoughts are to sanitize on the server using a C# case-insensitive regular expression in my controller to strip out <script> tags - but there are other scripting concerns too, e.g. img onerror events and a href with javascript URLs. I'd like to tackle the script element first and worry about the others later. Thanks.
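The two mechanisms the question contrasts, as an added example that is not part of the original post and not Angular's or any library's code: `escapeHtml` mirrors what `ng-bind` / `{{ }}` interpolation does on output (the five HTML-significant characters become entities, so the text can never be parsed as markup), `stripScriptTags` is a constructed stand-in for the server-side case-insensitive `<script>` regex the question proposes, and `containsMarkup` is a stricter store-time check that rejects any tag at all, on the basis that a plain-text comment has no business containing one. The sample inputs are constructed and include the question's own `<script>` payload plus the `img onerror` and `javascript:` cases it mentions.

```javascript
// Added example (not from the original question). All sample inputs are constructed.

// What Angular's {{ }} / ng-bind does for you: HTML-encode the characters that
// carry meaning in HTML, so user text is rendered as text, never as markup.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Constructed stand-in for the approach the question proposes: strip complete
// <script>...</script> elements, case-insensitively, before saving.
function stripScriptTags(text) {
  return String(text).replace(/<script\b[^>]*>[\s\S]*?<\/script\s*>/gi, '');
}

// Stricter store-time policy: comments are plain text, so any tag-like sequence
// (a '<' followed by a letter, '/', '!' or '?') is treated as markup. A bare '<'
// in ordinary text such as "1 < 2" is still allowed.
function containsMarkup(text) {
  return /<[a-z!\/?]/i.test(String(text));
}

// Constructed samples: the question's payload, the two cases it mentions later,
// and a harmless comment that happens to contain angle brackets.
const samples = [
  "<script>alert('Hello world!');</script>",
  '<img src=x onerror="alert(1)">',
  '<a href="javascript:alert(1)">click</a>',
  'Plain comment: 1 < 2 and 3 > 2',
];

// For one input, report what survives the script-only regex, whether markup
// still remains afterwards, and what the browser would actually receive if the
// raw value were rendered through ng-bind.
function evaluate(text) {
  const afterScriptStrip = stripScriptTags(text);
  return {
    afterScriptStrip,
    stillHasMarkup: containsMarkup(afterScriptStrip),
    rendered: escapeHtml(text),
  };
}

for (const s of samples) {
  console.log(JSON.stringify(evaluate(s), null, 2));
}
```

Running this shows the point in concrete form: the `<script>` regex removes the first sample entirely but leaves the `img` and `a` samples untouched (`stillHasMarkup` is `true` for both), whereas `escapeHtml` turns every one of them into inert text. Whichever store-time filter is chosen, output encoding is the control that has to stay in place.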