How to use C# to sanitize input on an html page?

Asked 9/10, 2008 at 19:41 Answered 3/10, 2016 at 18:56

Solved c#html-sanitizing antixsslibrary

Is there a library or acceptable method for sanitizing the input to an html page?

In this case I have a form with just a name, phone number, and email address.

Code must be C#.

For example:

"<script src='bobs.js'>John Doe</script>" should become "John Doe"

Overtax answered 9/10, 2008 at 19:41 Comment(1)

You MUST protect the output(e.g. see Jeremy Cook answer below ). Adding input sanitisation is an additional optional “nice to have” functionality, that only reduces the risk of XSS attacks, but not fully protect. – Scintillation 3/2, 2023 at 21:57

We are using the HtmlSanitizer .Net library, which:

Is open-source (MIT) - GitHub link
Is fully customizable, e.g. configure which elements should be removed. see wiki
Is actively maintained
Doesn't have the problems like Microsoft Anti-XSS library
Is unit tested with the OWASP XSS Filter Evasion Cheat Sheet
Is special built for this (in contrast to HTML Agility Pack, which is a parser - not a sanitizer)
Doesn't use regular expressions (HTML isn't a regular language!)

Also on NuGet

Surtout answered 3/10, 2016 at 18:56 Comment(0)

Based on the comment you made to this answer, you might find some useful info in this question:
https://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site

Here's a parameterized query example. Instead of this:

string sql = "UPDATE UserRecord SET FirstName='" + txtFirstName.Text + "' WHERE UserID=" + UserID;

Do this:

SqlCommand cmd = new SqlCommand("UPDATE UserRecord SET FirstName= @FirstName WHERE UserID= @UserID");
cmd.Parameters.Add("@FirstName", SqlDbType.VarChar, 50).Value = txtFirstName.Text;
cmd.Parameters.Add("@UserID", SqlDbType.Integer).Value = UserID;

Edit: Since there was no injection, I removed the portion of the answer dealing with that. I left the basic parameterized query example, since that may still be useful to anyone else reading the question.
--Joel

Wilone answered 9/10, 2008 at 20:5 Comment(3)

Actually, no. I was just trying to be proactive with some new development. Great info though. – Overtax 9/10, 2008 at 20:7

Make sure you've seen the latest edit: I added a very useful link at the bottom. – Wilone 9/10, 2008 at 20:12

BTW, I'm already using s'procs anyway. I just want to make sure that systems downstream (which I have absolutely no control over) don't incorrectly deal with the input. – Overtax 9/10, 2008 at 21:9

It sounds like you have users that submit content but you cannot fully trust them, and yet you still want to render the content they provide as super safe HTML. Here are three techniques: HTML encode everything, HTML encode and/or remove just the evil parts, or use a DSL that compiles to HTML you are comfortable with.

Should it become "John Doe"? I would HTML encode that string and let the user, "John Doe" (if indeed that is his real name...), have the stupid looking name <script src='bobs.js'>John Doe</script>. He shouldn't have wrapped his name in script tags or any tags in the first place. This is the approach I use in all cases unless there is a really good business case for one of the other techniques.
Accept HTML from the user and then sanitize it (on output) using a whitelist approach like the sanitization method @Bryant mentioned. Getting this right is (extremely) hard, and I defer pulling that off to greater minds. Note that some sanitizers will HTML encode evil where others would have removed the offending bits completely.
Another approach is to use a DSL that "compiles" to HTML. Make sure to whitehat your DSL compiler because some (like MarkdownSharp) will allow arbitrary HTML like <script> tags and evil attributes through unencoded (which by the way is perfectly reasonable but may not be what you need or expect). If that is the case you will need to use technique #2 and sanitize what your compiler outputs.

Closing thoughts:

If there is not a strong business case for technique #2 or #3 then reduce risk and save yourself effort and the use of the worries, go with technique #1.
Don't assume your safe because you used a DSL. For example: the original implementation of Markdown allows HTML through, unencoded. "For any markup that is not covered by Markdown’s syntax, you simply use HTML itself. There’s no need to preface it or delimit it to indicate that you’re switching from Markdown to HTML; you just use the tags."
Encode when you output. You can also encode input but doing so can put you in a bind. If you encoded incorrectly and saved that, how will you get the original input back so that you can re-encode after fixing faulty encoder?

Craniotomy answered 4/10, 2013 at 18:16 Comment(0)

If by sanitize you mean REMOVE the tags entirely, the RegEx example referenced by Bryant is the type of solution you want.

If you just want to ensure that the code DOESN'T mess with your design and render to the user. You can use the HttpUtility.HtmlEncode method to prevent against that!

Secondguess answered 9/10, 2008 at 20:3 Comment(3)

Is there a reason to do that instead of the simpler regex by Jakub? – Overtax 9/10, 2008 at 21:10

The regex solution will remove the code, it works....but takes time. HtmlEncode, just formats it in a safe manner for web display. – Secondguess 9/10, 2008 at 21:18

Sanitizing HTML is notoriously tricky to get right. There are so many ways an attacker can get JavaScript code to fire. Consider <a href="javascript:alert('Evil')">Click me</a>, and that's just the tip of the iceberg. Outputting HTML encoded user input is a surefire approach to render safe HTML. – Craniotomy 4/10, 2013 at 16:34

What about using Microsoft Anti-Cross Site Scripting Library?

Blennioid answered 10/11, 2009 at 12:53 Comment(4)

Interesting. When I have time I'll play with it. Looks promising though. – Overtax 10/11, 2009 at 23:48

The link above references v3.1 of the Anti-Cross Site Scripting Library. Version 4.0 is the most current release. – Bren 10/10, 2011 at 13:39

the above link is outdated as well, edited the answer to include the correct link to the MSACSS Library – Homogamy 23/5, 2012 at 17:42

Obsolete in today's date – Quinte 13/10, 2020 at 23:53

Recommended topics

Hot tags