Andrew Stephens

Reputation: 10193

User input sanitisation in asp.net

I need to sanitise user input (or output) for a web app I'm developing. The user input is just plain text, and I want to prevent HTML or other "harmful" strings. However characters such as less than, greater than, apostrophes, ampersands, quotes, etc., should be allowed.

I guess the first step is to disable request validation to prevent the generic "a potentially dangerous value was detected" message, but what else do I need to do? I can't simply HTML-encode the output, otherwise I'll end up with &lt; being displayed in place of a less-than character, for example.

Are there any tools that can help? I had a quick look at the AntiXSS library but from what I've seen it's just a glorified htmlencoder, or am I missing something? What about MVC - does this have anything built in?

I've never found a decent article on this kind of thing. Some say to sanitise input, while others say to sanitise output, and examples are typically over-simplistic, using techniques like HTML encoding, which will reformat perfectly valid characters such as a less-than.

Upvotes: 3

Views: 414
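The following is an added example and is not part of the question or the answer below. It shows the pattern the question is circling around: store the user's text exactly as typed, and HTML-encode it only at the point where it is written into the page. A browser decodes `&lt;` back to `<` when it renders the text node, so the visitor sees the original less-than, apostrophe, ampersand or quote; what they never get is the markup interpreted as HTML. The sample inputs are constructed for the demo, and `RenderComment` is a hypothetical helper, not an ASP.NET API. It uses only `System.Net.WebUtility` (available since .NET Framework 4.0) and runs as a plain console app with `dotnet run`.

```csharp
// Added example: output encoding for plain-text user input in .NET.
// Not code from the original question, the answer, or the AntiXSS library.
using System;
using System.Net;

class OutputEncodingDemo
{
    // Hypothetical view helper: the stored value is the raw text the user typed;
    // encoding happens once, at the HTML boundary. WebUtility.HtmlEncode rewrites
    // < > & " and ' as &lt; &gt; &amp; &quot; and &#39;.
    static string RenderComment(string userText)
    {
        return "<p class=\"comment\">" + WebUtility.HtmlEncode(userText) + "</p>";
    }

    // What a browser displays for an encoded text node is the decoded form,
    // i.e. the characters the user originally typed. Modelled here with HtmlDecode.
    static string DisplayedText(string userText)
    {
        return WebUtility.HtmlDecode(WebUtility.HtmlEncode(userText));
    }

    static void Main()
    {
        // Constructed sample inputs: one benign string containing every character
        // the question wants to allow, and one that tries to inject markup.
        string[] inputs =
        {
            "Is 3 < 5 && \"x\" > 'y'?",
            "<script>alert(1)</script>"
        };

        foreach (string raw in inputs)
        {
            Console.WriteLine("stored   : " + raw);
            Console.WriteLine("html     : " + RenderComment(raw));
            Console.WriteLine("displayed: " + DisplayedText(raw));
            Console.WriteLine("round-trip intact: " + (DisplayedText(raw) == raw));
            Console.WriteLine();
        }
    }
}
```

Running it shows the first input rendered as `&lt; 5 &amp;&amp; &quot;x&quot; &gt; &#39;y&#39;` in the HTML while the displayed text is unchanged, and the second input reduced to inert text rather than a script element. Note that this is the contract for HTML body text only: a value placed inside a JavaScript block, a URL, or an attribute without quotes needs the encoder for that context instead, which is the distinction the AntiXSS library's separate `JavaScriptEncode` and `UrlEncode` methods exist for.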

Answers (1)

Jon Adams

Reputation: 25137

The Anti-XSS library is the standard library in ASP.Net WebForms for now, though it is suboptimal, and the latest version (4.2) has several breaking bugs that haven't been fixed in a while.

Also see the MSDN article Information Security - Anti-Cross Site Scripting.

See Should I use the Anti-XSS Security Runtime Engine in ASP.NET MVC? for your answer regarding MVC. From that answer:

Phil Haack has an interesting blog post here http://haacked.com/archive/2009/02/07/take-charge-of-your-security.aspx. He suggests using Anti-XSS combined with CAT.NET.

Upvotes: 2
