Question

I am working on a project that requires some HTML sanitization. Normally, I would turn to the Microsoft Web Protection Library; however, in this case, I am developing an application running in minimal trust. Part of the WPL requires medium trust, and the rest seems to require full trust.

Can anyone suggest a good HTML sanitizer that can operate in a minimal trust environment?


Solution

Jeff Atwood's sanitizer is here, and a C# sanitizer that works better, based on my limited testing, is here. I took the C# version and converted it to VB.NET; I am using it in a project now, and it seems to catch the HTML and JavaScript I don't want getting through.
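The sanitizers linked above are whitelist-based. As an added example (not the code from the question, the answer, or either linked sanitizer), the following C# shows the simplest robust form of that idea: HTML-encode the whole input first, so no markup or script can survive, then restore only a short list of attribute-free tags by rebuilding them from the captured pieces. It assumes only base class library types (`System.Net.WebUtility`, `System.Text.RegularExpressions.Regex`) are available under your trust level; the sample inputs in `Main` are constructed for illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example: "encode everything, then restore a whitelist" sanitizer.
// Not the code of the Web Protection Library, AntiXSS, or the linked sanitizers.
public static class WhitelistSanitizer
{
    // Tags allowed back in, without any attributes. Extend this list deliberately;
    // anything not here stays as harmless encoded text.
    private static readonly string[] AllowedTags =
        { "b", "i", "em", "strong", "p", "br", "ul", "ol", "li" };

    // Matches the already-encoded form of an allowed opening, closing or
    // self-closing tag, e.g. "&lt;b&gt;", "&lt;/b&gt;", "&lt;br/&gt;".
    // Because the match must run straight from the tag name to "&gt;",
    // "&lt;b onclick=...&gt;" never matches and stays encoded.
    private static readonly Regex EncodedAllowedTag = new Regex(
        @"&lt;(/?)(" + string.Join("|", AllowedTags) + @")\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: neutralize everything. After this there is no raw '<', '>',
        // '&', '"' or '\'' left in the string, so no tag or attribute can exist.
        // (On .NET 2.0/3.5 use System.Web.HttpUtility.HtmlEncode instead.)
        string encoded = WebUtility.HtmlEncode(input);

        // Step 2: restore only whitelisted tags, rebuilt from the captured
        // groups rather than decoded, so nothing else can ride back in.
        return EncodedAllowedTag.Replace(encoded, m =>
            "<" + m.Groups[1].Value
                + m.Groups[2].Value.ToLowerInvariant()
                + m.Groups[3].Value + ">");
    }

    // Constructed sample inputs, purely to show the behaviour.
    public static void Main()
    {
        string[] samples =
        {
            "Hello <b>world</b> & friends",
            "<b onclick=\"alert(1)\">click</b>",
            "<script>alert(1)</script><BR/>next line",
            "literal &lt;b&gt; typed by the user",
        };
        foreach (string s in samples)
        {
            Console.WriteLine("IN : " + s);
            Console.WriteLine("OUT: " + Sanitize(s));
            Console.WriteLine();
        }
    }
}
```

With these inputs, `<b>world</b>` is kept, `<b onclick="alert(1)">` stays encoded as text because the attribute breaks the match, `<script>` is never restored, `<BR/>` comes back as `<br/>`, and a user who typed a literal `&lt;b&gt;` sees it displayed as text rather than as a tag, since the encoder turns it into `&amp;lt;b&amp;gt;`, which the pattern does not match. The price of this approach is that it cannot pass through attributes such as `href`; if you need those, a parser-based whitelist that validates each attribute value (which the linked sanitizers attempt with regular expressions) is the next step.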

OTHER TIPS

Can you explain more about your project? Like what framework are you in?

This is what I would suggest without knowing more details: AntiXSS 4.0 (released 10/5/2010): http://www.microsoft.com/download/en/details.aspx?id=5242

In the following post I demonstrate how to execute a simple XSS, but you'll notice that it only works in .NET 2.0 projects. Once you're above that, certain security measures are taken on your behalf, and it will warn any time unsafe text is put into user input fields.

http://mdukehall.wordpress.com/2011/11/03/intro-to-xss-for-web-developers/

Here is an alternative blog on it:

http://jimbojw.com/wiki/index.php?title=Sanitizing_user_input_against_XSS

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow