
Safe HTML in ASP.NET Controls

I'm sure this is a common question...

I want the user to be able to enter and format a description.

Right now I have a multiline textbox that they can enter plain text into. It would be nice if they could do a little HTML formatting. Is this something I am going to have to handle? Parse out the input and only validate if there are "safe" tags like <ul><li><b> etc.?

I am saving this description in an SQL db. In order to display this HTML properly do I need to use a literal on the page and just dump it in the proper area or is there a better control for what I am doing?

Also, is there a free control like the one on SO for user input/minor editing?

Jason asked May 25 '26 11:05


1 Answer

Have a look at the AntiXSS library. The current release (3.1) has a method called GetSafeHtmlFragment, which can be used to do the kind of parsing you're talking about.

A Literal is probably the correct control for outputting this HTML, as the Literal just outputs what's put into it and lets the browser render any HTML. Labels will output all the markup including tags.

The Ajax Control Toolkit has a text editor.

PhilPursglove answered May 28 '26 00:05
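Added example, not part of the original answer: a code-behind sketch of the flow the answer describes, sanitizing with AntiXSS 3.1's `AntiXss.GetSafeHtmlFragment` before storage and again before writing to a `Literal`. The page, control IDs, connection string name "AppDb" and the `Items(Id, Description)` table are assumptions made for illustration.

```csharp
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;
using Microsoft.Security.Application; // AntiXSS 3.1 (AntiXssLibrary.dll)

// Code-behind for a hypothetical Description.aspx declaring:
//   <asp:TextBox ID="DescriptionBox" runat="server" TextMode="MultiLine" />
//   <asp:Button runat="server" Text="Save" OnClick="SaveButton_Click" />
//   <asp:Literal ID="DescriptionLiteral" runat="server" Mode="PassThrough" />
// Request validation has to be relaxed for the page to accept posted tags
// (e.g. ValidateRequest="false"), so the sanitizer is the only filter here.
public partial class Description : Page
{
    // Hypothetical: the row being edited is selected with ?id=N.
    private int ItemId
    {
        get { return int.Parse(Request.QueryString["id"]); }
    }

    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Remove script, event-handler attributes and other unsafe markup.
        string safeHtml = AntiXss.GetSafeHtmlFragment(DescriptionBox.Text);

        // Assumed connection string name and table layout.
        string connStr =
            ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (var conn = new SqlConnection(connStr))
        using (var cmd = new SqlCommand(
            "UPDATE Items SET Description = @d WHERE Id = @id", conn))
        {
            // Parameters keep the user's markup out of the SQL text.
            cmd.Parameters.Add("@d", SqlDbType.NVarChar, -1).Value = safeHtml;
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = ItemId;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
        ShowDescription(safeHtml);
    }

    private void ShowDescription(string storedHtml)
    {
        // Sanitize again on output: rows written by other code paths, or
        // before the sanitizer was added, are not trusted.
        DescriptionLiteral.Text =
            AntiXss.GetSafeHtmlFragment(storedHtml ?? string.Empty);
    }
}
```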


