4,826 questions
Proper html escape on display is preferred. But you can find html sanitization libraries if you google.
How to cleanse a string
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(262.40000000000003, 59%, 35%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EKV%3C/text%3E%3C/svg%3E)
Keith Viking
20
Reputation points
Hi I have a message box on a site. They can enter any characters and submit the form. In Asp.Net webforms we could add decode or encode to stop malicious content from being submitted but what would the equivalent be for MVC (.Net 6) so I can clean the string before storing in a database or sending as an email? I have added the attribute [validateantiforgerytoken] to the POST method.
Developer technologies | ASP.NET | ASP.NET Core
{count} votes
-
Karen Payne MVP 35,586 Reputation points Volunteer Moderator2023-05-03T16:42:25.1966667+00:00 See HtmlSanitizer which is installed as an NuGet package
Sign in to comment
1 answer
Sort by: Most helpful
-
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(211.20000000000002, 61%, 30%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EBS%3C/text%3E%3C/svg%3E)
Bruce (SqlWork.com) 77,926 Reputation points Volunteer Moderator2023-05-03T15:07:48.9033333+00:00 -
Keith Viking 20 Reputation points
2023-05-03T16:13:30.3366667+00:00 Interesting, so any benefit of a third party library over the .Net Core/6?
-
Bruce (SqlWork.com) 77,926 Reputation points Volunteer Moderator
2023-05-03T22:42:03.7133333+00:00 Html sanitizing is much more complex then one expects, and most solutions only handle common cases. You don't specify what you are trying to sanitize.
Do you just want text? then parse the input into a html dom and only extract the text nodes. walking the dom, you can also include know node types (say <div>,<p>,<ul><ol>, <li>, etc).
You can also use dom parsing to produce well formed html.
net 6 (nor previous versions) does not have a html parser. you need to use a nuget package.
Sign in to comment -