Decode only specific HTML tags in ASP.NET MVC

I am working with an ASP.NET MVC 5 application. I have to output the HTML that the user entered with some formatting. I store the HTML in the database as it is, that is, without encoding, as advised here, but before showing it, I encode it using the MS AntiXSS library. Nevertheless, I have to output some HTML tags, for example to make the text bold or italic. What is the best approach for doing this while keeping the application safe from XSS? The idea I have is to first encode the text with AntiXssEncoder and then replace the valid tags with regular characters using RegExp. I know that there are some tools for it, such as HTML Purifier, but I did not find anything for ASP.

Update: I decided to use something like

    private static readonly Dictionary<string, string> allowedTags = new Dictionary<string, string>()
    {
        {"&lt;p&gt;", "<p>"},
        {"&lt;/p&gt;", "</p>"},
        {"&lt;strong&gt;", "<strong>"},
        {"&lt;/strong&gt;", "</strong>"},
        {"&lt;em&gt;", "<em>"},
        {"&lt;/em&gt;", "</em>"},
        {"&amp;nbsp;", " "},
        {"&#13;&#10;", "<br>"}
    };

and then

        // Encode everything first, then put back only the tags listed above.
        StringBuilder text = new StringBuilder(AntiXssEncoder.HtmlEncode(item.Text, true));
        foreach (var tag in allowedTags)
        {
            text.Replace(tag.Key, tag.Value);
        }

I strongly dislike this solution, though, because it lacks flexibility, and I will have to manually insert each tag into the dictionary. In addition, it does not support attributes; for example, <p align="center"> must be a separate value. I think I could replace just the first part of the tag, for example

    text.Replace("&lt;p", "<p");

However, if any tag is called, for example, padding (I do not know all the HTML tags that exist or may appear), then it will also be matched, since its beginning will be replaced, turning it into a valid tag (which may not be closed, though).
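The encode-then-selectively-decode approach from the question, as an added example that is not part of the original post: it matches whole encoded tags with a regular expression, so an unknown tag such as `<padding>` stays encoded and is shown as text, and it decodes attributes only from a per-tag allowlist with a restricted value pattern. `TagAllowlist`, `Sanitize` and the allowlist names are assumed; it relies on `AntiXssEncoder.HtmlEncode(text, true)` emitting `&lt;`, `&gt;` and `&quot;` for `<`, `>` and `"`.

```csharp
using System;
using System.Collections.Generic;
using System.Text;
using System.Text.RegularExpressions;
using System.Web.Security.AntiXss; // System.Web.dll, .NET 4.5+

// Assumed helper: encode everything, then decode only whole tags from the allowlist.
// Matching the complete tag name means "&lt;padding&gt;" is never turned into "<p...".
public static class TagAllowlist
{
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "p", "strong", "em", "br" };

    // Per-tag attribute allowlist; the Regex restricts the value, so no event handler
    // or URL can ride along. An unlisted attribute leaves the whole tag encoded.
    private static readonly Dictionary<string, Dictionary<string, Regex>> AllowedAttributes =
        new Dictionary<string, Dictionary<string, Regex>>(StringComparer.OrdinalIgnoreCase)
        {
            { "p", new Dictionary<string, Regex>(StringComparer.OrdinalIgnoreCase)
                { { "align", new Regex("^(left|right|center|justify)$", RegexOptions.IgnoreCase) } } }
        };

    // After HtmlEncode(text, true) a tag looks like: &lt;p align=&quot;center&quot;&gt;
    // Attribute values exclude '&', so any encoded character inside them fails the match.
    private static readonly Regex EncodedTag = new Regex(
        @"&lt;(?<close>/?)(?<name>[a-zA-Z]+)(?<attrs>(?: +[a-zA-Z-]+=&quot;[^&]*&quot;)*) */?&gt;");
    private static readonly Regex EncodedAttr = new Regex(@"(?<name>[a-zA-Z-]+)=&quot;(?<value>[^&]*)&quot;");

    public static string Sanitize(string userHtml)
    {
        string encoded = AntiXssEncoder.HtmlEncode(userHtml ?? string.Empty, true);
        string decoded = EncodedTag.Replace(encoded, DecodeIfAllowed);
        return decoded.Replace("&#13;&#10;", "<br>"); // line breaks, as in the post's dictionary
    }

    private static string DecodeIfAllowed(Match m)
    {
        string name = m.Groups["name"].Value.ToLowerInvariant();
        bool closing = m.Groups["close"].Value.Length > 0;
        if (!AllowedTags.Contains(name)) return m.Value; // unknown tag stays as visible text

        var tag = new StringBuilder("<").Append(closing ? "/" : "").Append(name);
        foreach (Match a in EncodedAttr.Matches(m.Groups["attrs"].Value))
        {
            Dictionary<string, Regex> allowed; Regex valuePattern;
            if (closing || !AllowedAttributes.TryGetValue(name, out allowed)
                || !allowed.TryGetValue(a.Groups["name"].Value, out valuePattern)
                || !valuePattern.IsMatch(a.Groups["value"].Value))
                return m.Value; // any unlisted attribute or bad value rejects the whole tag
            tag.Append(' ').Append(a.Groups["name"].Value.ToLowerInvariant())
               .Append("=\"").Append(a.Groups["value"].Value).Append('"');
        }
        return tag.Append('>').ToString();
    }
}
```

With this, `<p align="center">x</p><padding>` comes out as `<p align="center">x</p>&lt;padding&gt;`, and `<p onclick="...">` stays fully encoded because `onclick` is not in the allowlist.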
