Microsoft's AntiXSS library has been broken for 6 months and it looks abandoned (that may or may not officially be the case). Due to a security issue with previous versions, it is not safe to rollback to an earlier release. Are there any good actively developed alternatives for AntiXSS and web security in general when working with the Microsoft (specifically MVC) stack?
There's a new xss sanitizer shipping with the June 2012 release of the ajax control toolkit. The toolkit was originally using the microsoft anti xss library as well, so they experienced the same problems. The new sanitizer is based off the HtmlAgilityPack
I have the same issue and I've been looking high and low for a solution but haven't found anything else out there.
Basically, I think the only option moving forward is to use some flavour of WMD (like they do here on Stackoverflow)... send it back to the server as WMD markup then save it in the database as HTML and then convert it html when spitting it out on the page on the server.
This could be a good start: http://code.google.com/p/pagedown/
来源:https://stackoverflow.com/questions/11269306/microsoft-antixss-alternative