
HTML sanitizer in ASP.NET MVC that filters dangerous markup, but allows the rest

I know that a lot of questions about HTML sanitizers have appeared on SO, but I don't know if they do what I want, and I am a little confused since some of the recommended approaches are more than 4 years old.

I have a page with the TinyMCE editor. Of course, this editor sends HTML to the server and expects HTML back, so I have created an entity with a String property decorated with the [AllowHtml] attribute. It works well.

Now, I want to ensure that nobody tries to send a <script> tag, or an <img onerror="">, or any other way of executing JS, or add CSS that points to external URLs.

What is the best solution at the moment?

WPL has the HtmlSanitizationLibrary, but how can I know what tags are considered "secure"?

WPL has not released anything since last April, and that was the beta. So I was wondering if this project is still active?

Cheers.

vtortola Avatar asked Dec 29 '11 13:12

vtortola


1 Answer

AntiXss/WPL is now 'end-of-life'. Found this library in a reply elsewhere:

HtmlSanitizer, a .NET library for cleaning HTML fragments from constructs that can lead to XSS attacks.

Project site: https://github.com/mganss/HtmlSanitizer

track0 Avatar answered Sep 22 '22 18:09

track0
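As an added illustration of wiring the library the answer recommends into an MVC action (example code, not from the question or the HtmlSanitizer project), assuming the HtmlSanitizer NuGet package with its `Ganss.Xss` namespace (version 8 and later; earlier releases use `Ganss.XSS`) and a hypothetical `Article` entity. The CSS properties dropped below are an opinionated choice to cover the "no CSS pointing to external URLs" requirement, on top of the library's default allow-lists:

```csharp
// Added example, not part of the original answer. Assumes the HtmlSanitizer
// NuGet package (namespace Ganss.Xss in v8+, Ganss.XSS before that).
using System.Web.Mvc;
using Ganss.Xss;

public class Article // hypothetical entity bound from the TinyMCE form
{
    public int Id { get; set; }

    // [AllowHtml] only bypasses request validation; it does not make the
    // markup safe, so everything stored or rendered must pass the sanitizer.
    [AllowHtml]
    public string Body { get; set; }
}

public static class BodySanitizer
{
    // HtmlSanitizer is configured once; Sanitize() itself is thread-safe to call.
    private static readonly HtmlSanitizer Sanitizer = Create();

    private static HtmlSanitizer Create()
    {
        var s = new HtmlSanitizer();

        // Defaults already drop <script>, event-handler attributes such as
        // onerror, and javascript: URLs. Tighten further for this use case:
        // only http/https in href/src, and no CSS properties that can carry
        // a url(...) value (these are an assumption for this example).
        s.AllowedSchemes.Clear();
        s.AllowedSchemes.Add("http");
        s.AllowedSchemes.Add("https");
        foreach (var prop in new[] { "background", "background-image",
                                     "list-style", "list-style-image",
                                     "cursor", "content" })
            s.AllowedCssProperties.Remove(prop);

        return s;
    }

    public static string Clean(string html) =>
        html == null ? null : Sanitizer.Sanitize(html);
}

public class ArticlesController : Controller
{
    [HttpPost, ValidateAntiForgeryToken]
    public ActionResult Save(Article model)
    {
        if (!ModelState.IsValid) return View(model);

        // Persist and later render only the sanitized markup, never the raw input.
        model.Body = BodySanitizer.Clean(model.Body);
        // ... save model to the database ...
        return RedirectToAction("Index");
    }
}
```

The effective allow-lists can be inspected at runtime through `AllowedTags`, `AllowedAttributes`, `AllowedCssProperties` and `AllowedSchemes`, which answers the question's "how can I know what tags are considered secure" for this library.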