I’ve been using MS’s AntiXSS library for a while now. Recently I decided to change the textareas in my site to be plain textareas (used to be WYSIWYG), and run a conversion on the newlines to br’s.
Problem is, MS’s AntiXSS library doesn’t support this… it strips out the br’s. I don’t want to let the user’s entry go directly into my DB unchecked. Without using the MS AntiXSS library, what’s a reliable way to prevent XSS while allowing HTML input, including br’s (in C#)?
To resolve this, I decided to store the raw HTML as-is, performing a replace on Environment.NewLine to <br /> before storing it. Then on the flip side, when showing it to visitors I use the MS AntiXSS code to clean it up. Not 100% the ideal way I’d like to do it, but gets the job done.
I do a bit of caching here to make sure it’s not running through AntiXSS on every request too.
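An added example (not code from the original post) of the render-time approach in C#: the stored text is HTML-encoded first and only then are newlines turned into <br />, so the break tags are never fed through the encoder while everything the user typed stays inert. It uses System.Net.WebUtility.HtmlEncode so it runs without the AntiXSS package; the class and method names are my own.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example, not from the original post: keep the user's text raw in the
// database, and at render time HTML-encode it *first*, then turn newlines into
// <br />. Encoding before inserting the tags means the tags themselves are
// never encoded away, while any markup the user typed is rendered as text.
public static class SafeMultiline
{
    // Normalise line endings once when storing, so later processing only has
    // to deal with '\n'. Stores raw text, no HTML.
    public static string NormalizeForStorage(string rawInput)
    {
        if (rawInput == null) return string.Empty;
        return rawInput.Replace("\r\n", "\n").Replace("\r", "\n");
    }

    // Render step: encode every character that has meaning in HTML, then add
    // the line breaks. WebUtility.HtmlEncode is used so the sample runs without
    // the AntiXSS package; Microsoft.Security.Application.Encoder.HtmlEncode from
    // the AntiXSS library the post mentions can be substituted here.
    public static string ToHtmlWithBreaks(string storedText)
    {
        string encoded = WebUtility.HtmlEncode(NormalizeForStorage(storedText));
        return encoded.Replace("\n", "<br />");
    }

    // Sanity check for tests or logging: after removing the <br /> tags we
    // added, no angle bracket may survive, i.e. no user-supplied tag got through.
    public static bool OnlyBreakTagsPresent(string html)
    {
        string stripped = Regex.Replace(html, "<br />", string.Empty);
        return stripped.IndexOf('<') < 0 && stripped.IndexOf('>') < 0;
    }

    public static void Main()
    {
        // Constructed sample input: two newline styles plus a tag a user might type.
        string userInput = "First line\r\n<b>not bold</b>\nThird line & done";
        string stored = NormalizeForStorage(userInput);   // what goes to the DB
        string html = ToHtmlWithBreaks(stored);           // what visitors see

        Console.WriteLine(html);
        Console.WriteLine(OnlyBreakTagsPresent(html) ? "OK: only <br /> tags" : "FAIL");
    }
}
```

The check in OnlyBreakTagsPresent is cheap enough to run in a unit test over the rendering path whenever the encoder or the newline handling changes.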