Dale

Reputation: 13044

Sanitize multiple whitespace/newlines on form input

I am accepting user input in a field which will be rendered on a public page (e.g. posts on a forum, or comments on a website). I want to be able to render these as paragraphs along with the user's line breaks as necessary, using the CSS attribute

white-space: pre-line;

This allows users to post in a paragraph format, much like this post you're reading.

However, I don't want malicious users to be able to submit posts with huge amounts of whitespace, vastly increasing the length of the page. Currently I am trying to sanitize the input using a regular expression, deleting repeated whitespace characters (double spaces, or double newlines). This is kind of complicated and very ugly. I still want users to be able to submit posts containing whitespace. But is writing regular expressions really still the best solution to this very common problem?

Is there a best practice to sanitize excess whitespace characters from user input in C#/ASP.NET, or is writing our own regular expressions still the best option in 2015?

Upvotes: 4

Views: 757

Answers (2)

esenkaya

Reputation: 428

There is a Trim() method you can use for this. Just attach it to the input string.

string WhiteSpaces = "   ieae  ui  u ia       ea  ";
// Trim() returns a new string (strings are immutable), so assign the result.
WhiteSpaces = WhiteSpaces.Trim();

Upvotes: 0

CodeCaster

Reputation: 151720

If a malicious user wants to deface your site where they can post their own content, they will. If they can't use excessive whitespace, they'll abuse markup to make their entire post bold or they'll just post a few megs of Lorem Ipsum.

There's no "one rule to ban them all", so you just got to keep folding duplicated whitespace into one if that is what you want to do.

One way to go would be to use an existing user-safe HTML templating engine, like Markdown, instead of rolling your own.

Upvotes: 3
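
The whitespace folding discussed in the question and in the answer above, written out as an added example (not code from any of the posters). It assumes text rendered with white-space: pre-line and a policy of single spaces and at most one empty line between paragraphs; the class name WhitespaceNormalizer and the sample string are hypothetical.

```csharp
using System;
using System.Text.RegularExpressions;

public static class WhitespaceNormalizer
{
    // A match timeout is a defensive default for regexes run on untrusted input.
    private static readonly TimeSpan Timeout = TimeSpan.FromMilliseconds(250);

    private static readonly Regex LineBreaks = new Regex(@"\r\n?", RegexOptions.None, Timeout);
    // Any whitespace except LF: spaces, tabs, NBSP, form feed, U+2028, ...
    private static readonly Regex Horizontal = new Regex(@"[^\S\n]+", RegexOptions.None, Timeout);
    private static readonly Regex AroundBreak = new Regex(@" ?\n ?", RegexOptions.None, Timeout);
    private static readonly Regex BlankLines = new Regex(@"\n{3,}", RegexOptions.None, Timeout);

    public static string Normalize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        string s = LineBreaks.Replace(input, "\n"); // CRLF and lone CR become LF
        s = Horizontal.Replace(s, " ");             // fold each run into one space
        s = AroundBreak.Replace(s, "\n");           // drop spaces touching a line break
        s = BlankLines.Replace(s, "\n\n");          // keep at most one empty line
        return s.Trim();                            // no leading or trailing padding
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample: padded with spaces, tabs, NBSPs and blank lines.
        string raw = "  First   paragraph.\t\t \r\n\r\n\r\n\r\n \r\n"
                   + "Second\u00A0\u00A0line.\n\n\n\n\n\n";

        string clean = WhitespaceNormalizer.Normalize(raw);

        // Show the line breaks explicitly so the result is easy to inspect.
        Console.WriteLine(clean.Replace("\n", "\\n"));
    }
}
```

This only bounds whitespace; the normalized text still has to be HTML-encoded when it is rendered, and a post length limit is a separate check.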
