In my Razor MVC application, I added the feature where a model property allows HTML by doing:
[AllowHtml]
public string Body { get; set; }
This works great. But I was wondering, I want to make sure the user doesn’t submit malicious data, so has anyone built a utility or library to filter out bad HTML data like JavaScript statements, etc? I do plan on decoding the HTML and displaying in the UI, so naturally I would like to be somewhat restrictive. I understand I have to do this manually from code, just curious for some pointers or utilities.
Thanks.
Absolutely! The anti-xss library from Microsoft has a sanitizer:
It’s simple to use and I cover this (and a lot more) in the “Hack Proofing your ASP.Net Applications” video series going live on pluralsight.com this week. There’s more than just HTML encoding if you use HTML; there’s caution for dangling HTML problems used for cross site scripting as well as improper use of JavaScript functions that can lead to XSS as well. Check out the video series (the topic is a lot longer than a post here to cover).
Get the code in the web protection library. Note: in ASP.NET 4.5 this should be included in System.Web.Security.
http://wpl.codeplex.com/
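As an added illustration of the approach in the answer above (not code from the original post or from the AntiXSS project), the model with [AllowHtml] from the question paired with a controller that runs the posted markup through the Web Protection Library's Sanitizer before storing it; the model, controller and action names are assumptions.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS / Web Protection Library (AntiXSS NuGet package)

// Model: Body is exempted from request validation so HTML markup can reach the action.
public class PostViewModel
{
    [AllowHtml]
    public string Body { get; set; }
}

public class PostsController : Controller
{
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(PostViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Sanitize at the trust boundary: the sanitizer keeps a whitelist of safe tags and
        // attributes and strips everything else (script elements, event handler attributes,
        // script-scheme URLs), instead of merely encoding the whole string.
        string safeBody = SanitizeBody(model.Body);

        // Persist only the sanitized fragment (TempData stands in for real storage here),
        // so the stored value is already safe to render as markup.
        TempData["SafeBody"] = safeBody;
        return RedirectToAction("Show");
    }

    public ActionResult Show()
    {
        // The view may render this with @Html.Raw(ViewBag.Body) ONLY because it passed
        // through the sanitizer; any other user-supplied value must be HTML-encoded on output.
        ViewBag.Body = TempData["SafeBody"] as string ?? string.Empty;
        return View();
    }

    // Kept as a separate static method so it can be unit tested against known-bad input.
    public static string SanitizeBody(string untrustedHtml)
    {
        if (string.IsNullOrEmpty(untrustedHtml))
        {
            return string.Empty;
        }
        // GetSafeHtmlFragment returns a fragment (no <html>/<body> wrapper is added).
        return Sanitizer.GetSafeHtmlFragment(untrustedHtml);
    }
}
```

Sanitizing on input and encoding everything else on output are complementary: the sanitizer only covers the one field you intend to render as markup.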