Question

I know that a lot of questions about HTML sanitizers have appeared on SO, but I don't know if they do what I want; I am a little confused since some of the recommended approaches are more than 4 years old.

I have a page with the TinyMCE editor. Of course, this editor sends HTML to the server, and expects HTML, so I have created an entity with a String property decorated with the [AllowHtml] attribute. It works well.

Now, I want to ensure that nobody tries to send a <script> tag, or an <img onerror="">, or any other way of executing JS, or add CSS that points to external URLs.

What is the best solution at the moment?

WPL has the HtmlSanitizationLibrary, but how can I know what tags are considered "secure"?

WPL has not released anything since last April, and that was a beta. So I was wondering whether this project is still active?

Cheers.


Solution

WPL is the de-facto standard. Run the string through it and you are safe to print it unencoded:

@Html.Raw(Model.SomePropertyThatWasSanitizedWithWPL)

OTHER TIPS

AntiXss/WPL is now 'end-of-life'. Found this library in a reply elsewhere:

HtmlSanitizer, a .NET library for cleaning HTML fragments from constructs that can lead to XSS attacks.

Project site: https://github.com/mganss/HtmlSanitizer
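The configuration the question is asking for, written against the mganss HtmlSanitizer linked above: a closed allow-list of tags, attributes and URL schemes, no inline CSS, and a hook to log what was stripped. This is an added example and not code from the question, the answers or the HtmlSanitizer project; the tag and attribute lists are assumptions chosen to match a typical editor setup, and the namespace depends on the package version as noted in the comment.

```csharp
using System;
using Ganss.Xss; // NuGet package "HtmlSanitizer" (mganss); versions before 8.x use the namespace Ganss.XSS

// Added example (not part of the original page): an allow-list configured for the
// markup a rich-text editor actually produces, covering the three cases from the
// question: <script>, <img onerror>, and CSS that points at an external URL.
public static class EditorHtmlSanitizer
{
    public static HtmlSanitizer Create()
    {
        var sanitizer = new HtmlSanitizer();

        // Tags: start from an empty set rather than trimming the library default,
        // so a wider default in a later library version cannot silently widen the surface.
        // The list itself is an assumption; match it to your editor configuration.
        sanitizer.AllowedTags.Clear();
        sanitizer.AllowedTags.UnionWith(new[]
        {
            "p", "br", "strong", "em", "u", "ul", "ol", "li",
            "h1", "h2", "h3", "blockquote", "a", "img"
        });

        // Attributes: no "style", no "on*" handlers, no "class". img onerror and
        // friends are dropped simply because they are not on the list.
        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.UnionWith(new[] { "href", "src", "alt", "title" });

        // URL-carrying attributes (href, src) must use one of these schemes, so
        // javascript: and data: URIs are removed.
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.UnionWith(new[] { "http", "https", "mailto" });

        // Inline CSS is the channel for url(...) to an external host; with no
        // allowed properties and no allowed at-rules there is nothing left to abuse.
        sanitizer.AllowedCssProperties.Clear();
        sanitizer.AllowedAtRules.Clear();

        // A disallowed element is removed together with its children (the default);
        // set this to true if you prefer to keep the text inside stripped tags.
        sanitizer.KeepChildNodes = false;

        // Surface what was stripped: a burst of removed <script> tags from one
        // account is worth an alert, not just a silent cleanup.
        sanitizer.RemovingTag += (sender, e) =>
            Console.Error.WriteLine($"sanitizer removed <{e.Tag.TagName.ToLowerInvariant()}>");
        sanitizer.RemovingAttribute += (sender, e) =>
            Console.Error.WriteLine(
                $"sanitizer removed attribute {e.Attribute.Name} on <{e.Tag.TagName.ToLowerInvariant()}>");

        return sanitizer;
    }

    public static string Clean(string dirtyHtml) => Create().Sanitize(dirtyHtml);

    public static void Main()
    {
        // Constructed input (not real user data) covering the cases from the question.
        const string dirtyHtml =
            "<p>Hello <strong>world</strong></p>" +
            "<script>alert(document.cookie)</script>" +
            "<img src=\"x\" onerror=\"alert(1)\">" +
            "<p style=\"background:url(https://attacker.example/beacon.png)\">styled</p>" +
            "<a href=\"javascript:alert(1)\">click</a>";

        Console.WriteLine(Clean(dirtyHtml));
    }
}
```

Build one sanitizer per allow-list and reuse it; the cost is in constructing the sets, not in calling Sanitize. Keep the sanitized string as the stored value so that the later @Html.Raw call renders only what passed the allow-list, and treat the RemovingTag log lines as a detection signal rather than noise.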

You should probably go for a whitelist-based HTML sanitizer which actually understands HTML documents. Using regular expressions is generally not considered to be a safe approach.

The reason for not using Microsoft's AntiXss is that it's not possible to enforce more detailed rules like what to do with tags. This results in tags being completely deleted when, for example, it would make sense to preserve the textual content. In addition, it does not seem to be maintained anymore.

HtmlRuleSanitizer allows you to define a sanitation strategy to exactly match the expected HTML generated by your editor in the following manner:

using Vereyon.Web; // HtmlRuleSanitizer (NuGet package Vereyon.Web.HtmlSanitizer)

// Whitelist exactly the markup the editor is expected to emit; anything else is stripped.
var sanitizer = new HtmlSanitizer();
sanitizer.Tag("strong").RemoveEmpty();
sanitizer.Tag("b").Rename("strong").RemoveEmpty();   // normalise <b> to <strong>
sanitizer.Tag("i").RemoveEmpty();
sanitizer.Tag("a").SetAttribute("target", "_blank")
    .SetAttribute("rel", "nofollow")
    .CheckAttribute("href", HtmlSanitizerCheckType.Url) // keep href only if it passes the URL check
    .RemoveEmpty();

// dirtyHtml is the string received from the editor; a constructed sample is used here
string dirtyHtml = "<b>Hi</b><script>alert(1)</script><a href=\"javascript:alert(1)\">x</a>";
string cleanHtml = sanitizer.Sanitize(dirtyHtml);

Or use a predefined sanitation strategy.

Licensed under: CC-BY-SA with attribution