Is there is .NET implementation of HtmlPurifier(php) [closed]

Asked 12/1, 2010 at 18:9 Answered 5/5, 2010 at 13:9

Is there a comprehensive Html cleaner/Anti-Xss library for .NET that also has a defined whitelist. I know that Microsofts Anti-Xss is a good place to start, but it needs a good whitelist for allowed html tags and css. Does anyone know of something?

Sketch answered 12/1, 2010 at 18:9 Comment(0)

What's wrong with Microsoft's Anti-XSS library (which you've mentioned)?

They've got comprehensive HTML sanitizing that filters the characters based on a white list, parses the HTML, filters the nodes based on a white-list, and then regenerates the (safe) HTML. You can change the white lists (since the code is open), but I'm not sure you'd want to.

Usage is simple too:

var sanitizedHtml = Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(inputHtml);

Rees answered 5/5, 2010 at 13:9 Comment(2)

That's very cool! I've been writing my own cheesy sanitizer... no more! – Jedthus 20/1, 2011 at 5:41

Unfortunately AntiXSS Library release process is quite unfriendly. Release 4.2.1 has introduced massive unexpected breaking changes, there is no timeline for a fix and no source to fork. Not something you want to rely upon. – Datum 13/4, 2012 at 13:47

According to MSDN (see "Allowing Restricted HTML Input") the best way to sanitize HTML input is to call HttpUtility.HtmlEncode() on your input and then selectively replace the encoding on all your whitelist tags like so:

<%@ Page Language="C#" ValidateRequest="false"%>    
<script runat="server">    
  void submitBtn_Click(object sender, EventArgs e)
  {
    // Encode the string input
    StringBuilder sb = new StringBuilder(
                            HttpUtility.HtmlEncode(htmlInputTxt.Text));
    // Selectively allow  and <i>
    sb.Replace("&lt;b&gt;", "<b>");
    sb.Replace("&lt;/b&gt;", "");
    sb.Replace("&lt;i&gt;", "<i>");
    sb.Replace("&lt;/i&gt;", "");
    Response.Write(sb.ToString());
  }
</script>

Recommended topics

Hot tags