.NET HTML whitelisting (anti-xss/Cross Site Scripting)

日久生厌 2020-12-18 04:51

I've got the common situation where I've got user input that uses a subset of HTML (input with tinyMCE). I need to have some server-side protection against XSS attacks an

6 answers
  •  时光说笑
    2020-12-18 05:07

    I had the exact same problem a few years back when I was using TinyMCE.

    There still doesn't seem to be any decent XSS / HTML white-listing solutions for .Net so I've uploaded a solution I created and have been using for a few years.

    http://www.codeproject.com/KB/aspnet/html-white-listing.aspx

    The white list definition is based on TinyMCE's valid-elements.

    Take Two: Looking around, Microsoft have recently released a white-list based Anti-XSS Library (V3.0), check that out:

    The Microsoft Anti-Cross Site Scripting Library V3.0 (Anti-XSS V3.0) is an encoding library designed to help developers protect their ASP.NET web-based applications from XSS attacks. It differs from most encoding libraries in that it uses the white-listing technique -- sometimes referred to as the principle of inclusions -- to provide protection against XSS attacks. This approach works by first defining a valid or allowable set of characters, and encodes anything outside this set (invalid characters or potential attacks). The white-listing approach provides several advantages over other encoding schemes. New features in this version of the Microsoft Anti-Cross Site Scripting Library include:

    - An expanded white list that supports more languages
    - Performance improvements
    - Performance data sheets (in the online help)
    - Support for Shift_JIS encoding for mobile browsers
    - A sample application
    - Security Runtime Engine (SRE) HTTP module
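Added example (not code from the answer, the CodeProject article or the Anti-XSS library): a small C# sanitizer showing the "principle of inclusions" the answer describes, applied at the element level rather than the character level. Every element name, attribute and URL scheme must appear in an allow-list; anything else is HTML-encoded so the browser renders it as text. The allow-list below is a hypothetical one in the spirit of TinyMCE's valid_elements, and the sample input in `Main` is constructed for the demonstration.

```csharp
using System;
using System.Collections.Generic;
using System.Net;
using System.Text;
using System.Text.RegularExpressions;

// Inclusion-based HTML sanitizer: elements, attributes and URL schemes that are
// not explicitly allowed are either dropped (attributes) or encoded (elements).
public static class HtmlWhitelist
{
    // Hypothetical allow-list: element name -> attributes permitted on it.
    private static readonly Dictionary<string, HashSet<string>> Allowed =
        new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
    {
        { "p",      new HashSet<string>() },
        { "br",     new HashSet<string>() },
        { "b",      new HashSet<string>() },
        { "strong", new HashSet<string>() },
        { "i",      new HashSet<string>() },
        { "em",     new HashSet<string>() },
        { "ul",     new HashSet<string>() },
        { "ol",     new HashSet<string>() },
        { "li",     new HashSet<string>() },
        { "a",      new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "title" } },
        { "img",    new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "src", "alt" } },
    };

    // Attributes that carry a URL get an additional scheme check.
    private static readonly HashSet<string> UrlAttributes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "src" };
    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string> { "http", "https", "mailto" };

    // One start or end tag; the raw attribute text is captured and parsed below.
    private static readonly Regex TagRegex = new Regex(
        @"<(/?)([a-zA-Z][a-zA-Z0-9]*)((?:[^>""']|""[^""]*""|'[^']*')*)>",
        RegexOptions.Compiled);
    private static readonly Regex AttrRegex = new Regex(
        @"([a-zA-Z][a-zA-Z0-9\-]*)\s*(?:=\s*(?:""([^""]*)""|'([^']*)'|([^\s""'>]+)))?",
        RegexOptions.Compiled);

    public static string Sanitize(string input)
    {
        var output = new StringBuilder(input.Length);
        int pos = 0;
        while (pos < input.Length)
        {
            Match tag = TagRegex.Match(input, pos);
            if (!tag.Success)
            {
                output.Append(EncodeText(input.Substring(pos)));
                break;
            }
            // Plain text before the tag: decode entities once, then re-encode.
            output.Append(EncodeText(input.Substring(pos, tag.Index - pos)));

            string name = tag.Groups[2].Value.ToLowerInvariant();
            HashSet<string> allowedAttrs;
            if (!Allowed.TryGetValue(name, out allowedAttrs))
            {
                // Element not in the allow-list: encode the whole tag so it becomes visible text.
                output.Append(WebUtility.HtmlEncode(tag.Value));
            }
            else if (tag.Groups[1].Value == "/")
            {
                output.Append("</").Append(name).Append('>');
            }
            else
            {
                // Rebuild the tag from scratch, keeping only allow-listed attributes.
                output.Append('<').Append(name);
                foreach (Match attr in AttrRegex.Matches(tag.Groups[3].Value))
                {
                    string attrName = attr.Groups[1].Value.ToLowerInvariant();
                    if (!allowedAttrs.Contains(attrName)) continue; // drops onerror, style, ...
                    string raw = attr.Groups[2].Success ? attr.Groups[2].Value
                               : attr.Groups[3].Success ? attr.Groups[3].Value
                               : attr.Groups[4].Value;
                    string value = WebUtility.HtmlDecode(raw); // normalise &#106;avascript: etc.
                    if (UrlAttributes.Contains(attrName) && !IsSafeUrl(value)) continue;
                    output.Append(' ').Append(attrName).Append("=\"")
                          .Append(WebUtility.HtmlEncode(value)).Append('"');
                }
                output.Append('>');
            }
            pos = tag.Index + tag.Length;
        }
        return output.ToString();
    }

    private static string EncodeText(string text)
    {
        return WebUtility.HtmlEncode(WebUtility.HtmlDecode(text));
    }

    // Allow a URL only if it is relative or its scheme is allow-listed. Whitespace
    // and control characters are stripped first, since browsers ignore them inside
    // the scheme part.
    private static bool IsSafeUrl(string url)
    {
        string v = Regex.Replace(url, @"[\s\p{C}]", "").ToLowerInvariant();
        int colon = v.IndexOf(':');
        if (colon < 0) return true; // no scheme at all: relative URL
        int pathStart = v.IndexOfAny(new[] { '/', '?', '#' });
        if (pathStart >= 0 && pathStart < colon) return true; // colon sits inside path/query
        return AllowedSchemes.Contains(v.Substring(0, colon));
    }

    public static void Main()
    {
        // Constructed sample input for the demonstration.
        string dirty = "<p onclick=\"x()\">Hi <b>there</b> <a href=\"javascript:alert(1)\">l</a>"
                     + " <script>bad()</script> <img src=\"/ok.png\" onerror=\"x()\"></p>";
        Console.WriteLine(Sanitize(dirty));
    }
}
```

The design point is that nothing is ever passed through unchanged: a tag is either rebuilt from parsed, allow-listed parts or encoded in full, which is what makes an inclusion-based filter hold up against malformed markup that a "strip the bad things" blacklist would miss. A production implementation should sit on a real HTML parser rather than these regexes, but the allow-list structure (elements, their attributes, and URL schemes) stays the same.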
