HTML sanitizer in ASP.NET MVC that filters dangerous markup, but allows the rest

vtortola · Dec 29, 2011 · Viewed 7.6k times

I know that a lot of questions about HTML sanitizers have appeared on SO, but I don't know if they do what I want, and I am a little confused since some of the recommended approaches are more than 4 years old.

I have a page with the TinyMCE editor. Of course, this editor sends HTML to the server and expects HTML back, so I have created an entity with a string property decorated with the [AllowHtml] attribute. It works well.

Now, I want to ensure that nobody tries to send a <script> tag, or an <img onerror="">, or any other way of executing JS, or add CSS that points to external URLs.

What is the best solution at the moment?

WPL has the HtmlSanitizationLibrary, but how can I know what tags are considered "secure"?

WPL has not released anything since last April, and that was the beta. So I was wondering whether this project is still active?

Cheers.

Answer

track0 · Feb 10, 2016

AntiXss/WPL is now 'end-of-life'. Found this library in a reply elsewhere:

HtmlSanitizer, a .NET library for cleaning HTML fragments from constructs that can lead to XSS attacks.

Project site: https://github.com/mganss/HtmlSanitizer
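Below is an added example, written for this page and not taken from the question, the answer, or the HtmlSanitizer project, showing how the library recommended above can be wired into an ASP.NET MVC action to meet the requirements stated in the question (no script tags, no event-handler attributes, no CSS that pulls in external URLs) while leaving ordinary TinyMCE markup intact. It assumes the "HtmlSanitizer" NuGet package is referenced (namespace `Ganss.Xss` in v8+, `Ganss.XSS` in earlier releases); the `Post` entity, the `PostSanitizer` helper, the controller and the persistence call are hypothetical names for illustration.

```csharp
// Added example: sanitizing TinyMCE output with mganss/HtmlSanitizer at the
// point where untrusted markup enters the application.
// Assumptions: NuGet package "HtmlSanitizer" is referenced; namespace is
// Ganss.Xss for v8+ (Ganss.XSS in earlier releases). Post, PostSanitizer and
// PostsController are hypothetical names, not part of any real project.
using System.Diagnostics;
using System.Web.Mvc;
using Ganss.Xss;

public class Post
{
    public int Id { get; set; }

    [AllowHtml]                       // lets the raw editor markup reach the action
    public string Body { get; set; }
}

public static class PostSanitizer
{
    // CSS properties whose values can contain url(...), i.e. can load an external resource.
    private static readonly string[] UrlTakingCssProperties =
    {
        "background", "background-image", "border-image", "border-image-source",
        "content", "cursor", "list-style", "list-style-image",
    };

    // One configured instance, built once and reused by every request.
    private static readonly HtmlSanitizer Sanitizer = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();

        // The library's defaults already drop <script>, <style>, <iframe>, <object>,
        // every on* event-handler attribute and javascript:/data: URLs.
        // Tighten the default allow-list further for a comment/post editor.
        s.AllowedTags.Remove("form");
        s.AllowedTags.Remove("input");
        s.AllowedTags.Remove("button");

        // Links and images may only use these schemes; anything else is stripped.
        s.AllowedSchemes.Clear();
        foreach (var scheme in new[] { "http", "https", "mailto" })
        {
            s.AllowedSchemes.Add(scheme);
        }

        // Keep inline styles (TinyMCE emits them for alignment, colour, etc.) but remove
        // every property that could reference an external URL through url(...).
        foreach (var property in UrlTakingCssProperties)
        {
            s.AllowedCssProperties.Remove(property);
        }

        // Record what was removed: useful both for tuning the allow-list and as a
        // detection signal when a client keeps submitting markup that gets stripped.
        s.RemovingTag += (sender, e) =>
            Trace.TraceInformation("Removed tag <{0}> ({1})", e.Tag.TagName, e.Reason);
        s.RemovingAttribute += (sender, e) =>
            Trace.TraceInformation("Removed attribute {0} on <{1}> ({2})",
                e.Attribute.Name, e.Tag.TagName, e.Reason);

        return s;
    }

    // Returns the cleaned fragment; never returns null so callers can store it directly.
    public static string Clean(string html)
    {
        return Sanitizer.Sanitize(html ?? string.Empty);
    }
}

public class PostsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(Post post)
    {
        if (!ModelState.IsValid)
        {
            return View(post);
        }

        // Sanitize exactly once, at the trust boundary, and store only the cleaned markup.
        post.Body = PostSanitizer.Clean(post.Body);

        // repository.Save(post);  // hypothetical persistence call
        return RedirectToAction("Index");
    }
}
```

When the stored body is rendered with `@Html.Raw(Model.Body)` in a Razor view, only content that went through `PostSanitizer.Clean` should ever reach that call; everything else should stay on Razor's default encoding. Running the same sanitizer again at render time is a cheap second line of defence if older rows were written before the sanitizer was introduced.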