I know that a lot of questions about HTML sanitizers have appeared on SO, but I don't know if they do what I want; I'm a little confused since some of the recommended approaches are more than 4 years old.
I have a page with the TinyMCE editor. Of course, this editor sends HTML to the server and expects HTML, so I have created an entity with a string property decorated with the `[AllowHtml]` attribute. It works well.
Now, I want to ensure that nobody tries to send a `<script>` tag, or an `<img onerror="">`, or any other way of executing JS, or add CSS that points to external URLs.
What is the best solution at the moment?
WPL has the HtmlSanitizationLibrary, but how can I know which tags are considered "secure"?
WPL has not released anything since last April, and that was the beta. So I was wondering whether this project is still active.
Cheers.
AntiXss/WPL is now 'end-of-life'. Found this library in a reply elsewhere:
HtmlSanitizer, a .NET library for cleaning HTML fragments from constructs that can lead to XSS attacks.
Project site: https://github.com/mganss/HtmlSanitizer
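To show how the library answers the question's concerns (script tags, `onerror` handlers, `javascript:` links, CSS pointing at external URLs), here is an added example that is not from the question, the answer, or the HtmlSanitizer project itself. It assumes an ASP.NET MVC 5 project (`System.Web.Mvc` for `[AllowHtml]`) with the `HtmlSanitizer` NuGet package installed; the namespace is `Ganss.Xss` in current releases (older releases used `Ganss.XSS`). The `ArticleInput`, `EditorHtmlSanitizer` and `ArticleController` names, the allow-lists, the sample input and the `Console.WriteLine` logging hook are all my own choices for the example.

```csharp
// Added example: sanitize TinyMCE output on the server before it is stored.
// [AllowHtml] only switches off request validation so the markup reaches the
// action; it does not make the markup safe. Sanitizing with an explicit
// allow-list is what makes it safe.
using System;
using System.Web.Mvc;
using Ganss.Xss;

public class ArticleInput
{
    [AllowHtml]
    public string Body { get; set; }
}

public static class EditorHtmlSanitizer
{
    // Constructed sample input mirroring the cases from the question.
    public const string SampleInput =
        "<p>Hello</p><script>alert(1)</script>" +
        "<img src=\"x\" onerror=\"alert(1)\">" +
        "<a href=\"javascript:alert(1)\">link</a>" +
        "<div style=\"background:url(http://external.example/x.png)\">text</div>";

    private static readonly HtmlSanitizer Sanitizer = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();

        // Start from an explicit allow-list instead of the library defaults, so
        // the answer to "which tags are considered secure" is written down here.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "b", "strong", "i", "em", "u",
                                    "ul", "ol", "li", "h1", "h2", "h3",
                                    "a", "img", "blockquote" })
            s.AllowedTags.Add(tag);

        // No event-handler attributes (onerror, onclick, ...) and no "style":
        // keeping "style" off the list means no CSS, and therefore no url(...)
        // to an external host, can reach the stored HTML at all.
        s.AllowedAttributes.Clear();
        foreach (var attr in new[] { "href", "src", "alt", "title" })
            s.AllowedAttributes.Add(attr);

        // Only http(s) in href/src; "javascript:" and "data:" URLs are dropped.
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");

        // Hypothetical logging hook: record what was stripped so repeated
        // attempts show up in the application log. Replace with your logger.
        s.RemovingTag += (sender, e) =>
            Console.WriteLine("Removed tag: " + e.Tag.TagName);
        s.RemovingAttribute += (sender, e) =>
            Console.WriteLine("Removed attribute: " + e.Attribute.Name
                              + " on " + e.Tag.TagName);
        return s;
    }

    public static string Clean(string html)
    {
        return Sanitizer.Sanitize(html ?? string.Empty);
    }
}

public class ArticleController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(ArticleInput input)
    {
        // Store and render the sanitized markup, never input.Body itself.
        var safe = EditorHtmlSanitizer.Clean(input.Body);
        return new ContentResult { Content = safe, ContentType = "text/html" };
    }
}
```

Running `EditorHtmlSanitizer.Clean(EditorHtmlSanitizer.SampleInput)` leaves the `<p>` and the text, strips the `<script>` element, the `onerror` attribute, the `javascript:` href and the `style` attribute, and removes the `<div>` (not on the tag list) while keeping its text. Sanitizing on the way in, as here, is the simplest place to do it for a TinyMCE round-trip; if the same HTML is ever rendered from an older, unsanitized store, run it through `Clean` on the way out as well.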