.NET HTML Sanitation for rich HTML Input

8/9/2012 5:54:59 PM


Recently I was working on updating a legacy application to MVC 4 that included free-form text input. When I set up the new site, my initial approach was not to allow any rich HTML input, only simple text formatting that respects a few simple HTML commands for bold, lists, etc. and automatically handles line-break processing for new lines and paragraphs. This is typical of what I do with most multi-line text input in my apps, and it works very well with very little development effort.
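As an added illustration of that simple-formatting approach (example code written for this explanation, not code from the original post or from any library), the safe order of operations is to HTML-encode the entire input first and only then re-enable a short allowlist of bare, attribute-free tags and convert line breaks; the `SimpleTextFormatter` class and its tag list are assumptions.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Hypothetical helper: encode everything, then re-enable a strict allowlist of
// plain tags and turn line breaks into <br /> and <p> elements.
public static class SimpleTextFormatter
{
    // Only bare tags with no attributes are ever re-enabled (assumed list).
    private static readonly string[] AllowedTags = { "b", "i", "strong", "em", "ul", "ol", "li" };

    public static string Format(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // 1. Encode first: every < > & " ' becomes an entity, so at this point
        //    nothing the user typed is live HTML.
        string html = WebUtility.HtmlEncode(input);

        // 2. Re-enable only the exact, attribute-free forms &lt;b&gt; / &lt;/b&gt;.
        //    A tag carrying attributes (e.g. an event handler) never matches and stays encoded text.
        foreach (string tag in AllowedTags)
        {
            html = Regex.Replace(html, @"&lt;(/?)" + tag + @"&gt;", "<$1" + tag + ">", RegexOptions.IgnoreCase);
        }

        // 3. Line-break processing: blank lines separate paragraphs, single newlines become <br />.
        html = html.Replace("\r\n", "\n");
        string[] paragraphs = Regex.Split(html, @"\n{2,}");
        for (int i = 0; i < paragraphs.Length; i++)
        {
            paragraphs[i] = "<p>" + paragraphs[i].Trim().Replace("\n", "<br />\n") + "</p>";
        }
        return string.Join("\n", paragraphs);
    }
}
```

Because the allowlist only matches exact `<tag>` and `</tag>` forms, this cannot re-enable attributes or unknown elements, but it also does not balance tags, so an unclosed `<b>` will bleed formatting into the text that follows.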


I agree that switching to markdown would be easier, in that case escaping any HTML is just a shotgun approach. Using a smarter HTML input control still doesn't help since the data still needs to be sanitized server-side.