Safe HTML in ASP.NET Controls

Question

Im sure this is a common question...

I want the user to be able to enter and format a description.

Right now I have a multiline textbox that they can enter plain text into. It would be nice if they could do a little html formatting. Is this something I am going to have to handle? Parse out the input and only validate if there are "safe" tags like <ul><li><b> etc?

I am saving this description in an SQL db. In order to display this HTML properly do I need to use a literal on the page and just dump it in the proper area or is there a better control for what I am doing?

Also, is there a free control like the one on SO for user input/minor editing?

Answer 1

In addition to the other answers, you will need to set ValidateRequest="false" in the @Page directive of the page that contains the textbox. This turns off the standard ASP.NET validation that prevents HTML from being posted from a textbox. You should then use your own validation routine, such as the one @PhilPursglove mentions.

Answer 2

Have a look at the AntiXSS library. The current release (3.1) has a method called GetSafeHtmlFragment, which can be used to do the kind of parsing you're talking about.

A Literal is probably the correct control for outputting this HTML, as the Literal just outputs what's put into it and lets the browser render any HTML. Labels will output all the markup including tags.

The AJax Control Toolkit has a text editor.

Answer 3

Also, is there a free control like the one on SO for user input/minor editing?

Stackoverflow uses the WMD control and markdown as explained here:

https://blog.stackoverflow.com/2008/09/what-was-stack-overflow-built-with/

Answer 4

You will need to check what tags are entered to avoid Cross side scripting attacks etc. You could use a regex to check that any tags are on a 'whitelist' you have and strip out any others.

You can check out this link for a list of rich text editors.