Reputation: 42178
I'm starting a project that will be public-facing using asp.net mvc. I know there are about a billion php, python, and ruby html sanitizers out there, but does anyone have some pointers to anything good in .net? What are your experiences with what is out there? I know stackoverflow is a site done in asp.net that allows freeform HTML, what does it use?
Upvotes: 29
Views: 38040
Reputation: 1673
We can also use AntiXss.GetSafeHtmlFragments to sanitize input by parsing the HTML fragment. Use this sanitizer for rich content to ensure that it does not contain any harmful script and is safe to be displayed in the browser. For text input (not rich content), use AntiXss.HtmlEncode or any other equivalent HTML encoder. Here is the sample for rich content.
using System;
using Microsoft.Security.Application; // AntiXSS: the Sanitizer class lives in this namespace
string mal = "<IMG NAME = 'myPic' SRC = 'images / myPic.gif' onerror='alert(1)' onerror='alert(1) ><div bottommargin = 150 ondblclick = 'alert('double clicked!')' >< p > Double - click anywhere in the page.</p> </div> ";
var cleanHtml = Sanitizer.GetSafeHtmlFragment(mal); // parses the fragment and drops the event-handler attributes
Console.Write(cleanHtml);
Console.Read();
Note: Download the AntiXSS library from the NuGet package manager and include the namespace Microsoft.Security.Application in the source code.
Upvotes: 1
Reputation: 519
Based on your question I have the following suggestions: I faced the same problem and built HtmlRuleSanitizer, which is a whitelisting, rule-based HTML sanitizer on top of the Html Agility Pack.
Upvotes: 4
Reputation: 3232
Source: https://github.com/mganss/HtmlSanitizer
A fairly robust sanitizer. It understands and can clean inline styles, but doesn't have a parser that can deal with <style> blocks, so it strips them. It's certainly up to and probably beyond the level that Microsoft's AntiXSS was at, before it was abandoned.
Upvotes: 27
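The two points made in the answers above, encode plain text but parse-and-whitelist rich HTML, and configure the sanitizer as an allow-list rather than a blacklist, combined into one worked example. This is added illustration, not code from any answer here or from the HtmlSanitizer project. It assumes the mganss HtmlSanitizer NuGet package in a release that exposes the `Ganss.Xss` namespace (older releases use `Ganss.XSS`); the class `UserContent`, the methods `CleanRichHtml` and `EncodePlainText`, and the sample markup are all constructed for this example.

```csharp
// Added example; not from this page's answers or the HtmlSanitizer project.
// Assumes NuGet package "HtmlSanitizer" (mganss) with the Ganss.Xss namespace.
using System;
using System.Net;
using Ganss.Xss;

public static class UserContent
{
    // One configured instance can be shared; Sanitize() keeps no per-call state.
    private static readonly HtmlSanitizer RichTextSanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var sanitizer = new HtmlSanitizer();

        // Start from an empty allow-list instead of trimming the library default:
        // anything not named here is removed, which is the whitelisting model
        // the answers above describe.
        sanitizer.AllowedTags.Clear();
        sanitizer.AllowedTags.UnionWith(new[] { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img" });

        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.UnionWith(new[] { "href", "src", "alt", "title" });

        // Only these URL schemes survive in href/src; javascript: and data: are dropped.
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.UnionWith(new[] { "http", "https", "mailto" });

        // Inline style attributes are parsed property by property (the answer above
        // notes this); permit a harmless subset and nothing positional.
        sanitizer.AllowedCssProperties.Clear();
        sanitizer.AllowedCssProperties.UnionWith(new[] { "color", "font-weight", "text-align" });

        // Record what was stripped: a sanitizer hit on a public form is a signal
        // worth logging and alerting on, not just silently discarding.
        sanitizer.RemovingTag += (_, e) =>
            Console.WriteLine($"removed tag <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");
        sanitizer.RemovingAttribute += (_, e) =>
            Console.WriteLine($"removed attribute {e.Attribute.Name} on <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");
        sanitizer.RemovingStyle += (_, e) =>
            Console.WriteLine($"removed style {e.Style.Name} on <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");

        return sanitizer;
    }

    // Rich content (a post body) is parsed and reduced to the allow-list above.
    public static string CleanRichHtml(string untrustedHtml) =>
        RichTextSanitizer.Sanitize(untrustedHtml);

    // Plain text (a display name, a title) is never parsed as HTML at all:
    // encode it on output so every '<', '>', '&' and quote is rendered literally.
    public static string EncodePlainText(string untrustedText) =>
        WebUtility.HtmlEncode(untrustedText);

    public static void Main()
    {
        // Constructed sample carrying the payload shapes the answers mention:
        // a <style> block, event-handler attributes, a javascript: URL, a <script>.
        const string post =
            "<style>body{display:none}</style>" +
            "<p style=\"color:red;position:fixed\" onmouseover=\"alert(1)\">Hello</p>" +
            "<a href=\"javascript:alert(1)\">click</a>" +
            "<a href=\"https://example.com/\">ok</a>" +
            "<img src=\"x\" onerror=\"alert(1)\">" +
            "<script>alert(2)</script>";

        Console.WriteLine(CleanRichHtml(post));
        Console.WriteLine(EncodePlainText("<b>display name</b>"));
    }
}
```

Running this, the `<style>` and `<script>` elements are removed whole (the library has no parser for stylesheet blocks, so it drops them, as the answer says), the `onmouseover` and `onerror` attributes and the `javascript:` href are removed, `position:fixed` is stripped from the inline style while `color:red` stays, and the https link and the `<img>` survive. The display name comes back with its angle brackets encoded rather than parsed. The two methods make the decision explicit at the call site: a field that may legitimately contain markup goes through `CleanRichHtml`, everything else through `EncodePlainText`, and nothing reaches a view raw.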
Reputation: 3110
Here is one built by Microsoft. http://wpl.codeplex.com/
using Microsoft.Security.Application; // WPL/AntiXSS: Sanitizer lives in this namespace
var cleanHtml = Sanitizer.GetSafeHtml(unsafeHtml); // unsafeHtml: the untrusted full HTML document to clean
Upvotes: 3