You have developed a great product that is easy to add to Sitecore. I noticed one possible enhancement while implementing WeBlog. BlogComment items do not sanitize the comment text before storing it, which can cause the sidebar and other items referencing that field to provide content without HTML encoding. I would be happy to work on this enhancement.
Hi MohrJ,
WeBlog should be using the AntiXSS library from Microsoft to ensure potentially harmful content submitted as a comment doesn't affect the page output. I recall, though, that this was recently reverted with some changes but should have been put back in. Checking the latest version of WeBlog, I see our extension method HtmlEncode() in use in the CommentsList.ascx sublayout markup file. This causes the comment to be encoded before output on the page.
Does this address your concern or did I miss what you were saying?
EDIT: The reason we encode the comment when it's put on the page instead of when it's submitted is because a content author could also insert markup which is not desirable in a comment item in the content tree.
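To illustrate the encode-on-output approach described in the reply above, here is an added example that is not WeBlog's own code. It assumes a hypothetical `Comment` model standing in for a BlogComment item, and a string extension named `HtmlEncode()` (matching the name mentioned above, but implemented here with `System.Net.WebUtility`). The stored comment text stays raw, exactly as submitted; every rendering path, the comment list and the sidebar alike, must apply the encoding, which is the point the original issue raises about other items referencing the same field.

```csharp
using System;
using System.Net;

// Hypothetical stand-in for a stored BlogComment item: the text is kept raw,
// so a content author sees what the visitor actually typed in the content tree.
public sealed class Comment
{
    public string Author { get; }
    public string Text { get; }

    public Comment(string author, string text)
    {
        Author = author;
        Text = text;
    }
}

public static class StringExtensions
{
    // Assumed equivalent of the HtmlEncode() extension used in CommentsList.ascx.
    // Encodes <, >, &, " and ' so stored markup is shown as text, not interpreted.
    public static string HtmlEncode(this string value) =>
        WebUtility.HtmlEncode(value ?? string.Empty);
}

public static class CommentRenderers
{
    // Full comment list rendering: encodes on output, as the sublayout does.
    public static string RenderCommentList(Comment comment) =>
        $"<li><strong>{comment.Author.HtmlEncode()}</strong>: {comment.Text.HtmlEncode()}</li>";

    // A sidebar widget that reuses the same field. The raw version is the
    // gap the issue describes: it emits whatever markup was stored.
    public static string RenderSidebarUnsafe(Comment comment) =>
        $"<p>{comment.Text}</p>";

    // The corrected sidebar: same field, same encode-on-output rule.
    public static string RenderSidebarSafe(Comment comment) =>
        $"<p>{comment.Text.HtmlEncode()}</p>";

    // Simple defensive check usable in a unit test: rendered output must not
    // contain the raw tags from the stored text.
    public static bool LeaksRawMarkup(string rendered, Comment comment) =>
        rendered.Contains("<b>") || rendered.Contains("</b>");
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: a visitor submits text containing markup.
        var comment = new Comment("visitor", "<b>nice post</b> & \"thanks\"");

        Console.WriteLine(CommentRenderers.RenderCommentList(comment));
        // <li><strong>visitor</strong>: &lt;b&gt;nice post&lt;/b&gt; &amp; &quot;thanks&quot;</li>

        var unsafeSidebar = CommentRenderers.RenderSidebarUnsafe(comment);
        var safeSidebar = CommentRenderers.RenderSidebarSafe(comment);

        Console.WriteLine("unsafe sidebar leaks markup: " +
            CommentRenderers.LeaksRawMarkup(unsafeSidebar, comment)); // True
        Console.WriteLine("safe sidebar leaks markup: " +
            CommentRenderers.LeaksRawMarkup(safeSidebar, comment));   // False
    }
}
```

Because the stored value is never modified, a content author editing the item still sees the original submission, while each renderer is responsible for encoding; the `LeaksRawMarkup` check is the kind of assertion a test for each new rendering of the field could carry.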