I am working on a project that requires some HTML sanitization. Normally, I would turn to the Microsoft Web Protection Library; however, in this case, I am developing an application running in minimal trust. Part of the WPL requires medium trust, and the rest seems to require full trust.

Can anyone suggest a good HTML sanitizer that can operate in a minimal trust environment?

Ashok Padmanabhan
kbrimington

2 Answers

Can you explain more about your project? Like what framework are you in?

This is what I would suggest without knowing more details: AntiXSS 4.0 (released 10/5/2010): http://www.microsoft.com/download/en/details.aspx?id=5242

In the following post I demonstrate how to execute a simple XSS, but you'll notice that it only works in .Net 2.0 projects. Once you're above that, certain security measures are taken on your behalf and it will warn anytime unsafe text is put into user input fields.

http://mdukehall.wordpress.com/2011/11/03/intro-to-xss-for-web-developers/

Here is an alternative blog on it:

http://jimbojw.com/wiki/index.php?title=Sanitizing_user_input_against_XSS

Duke Hall
  • Thank you, Mike. AntiXSS, in fact, *is* a part of the Web Protection Library. I'm not especially interested in the framework. Anything v2.0 on up will do. – kbrimington Nov 16 '11 at 18:48
  • OWASP has the other thing I came across for XSS: https://www.owasp.org/index.php/ESAPI – Duke Hall Nov 16 '11 at 18:52
  • Security Ninja did 3 posts on implementing ESAPI starting here: http://www.securityninja.co.uk/application-security/input-validation-using-the-owasp-esapi/ – Duke Hall Nov 16 '11 at 19:11
  • Thanks, Mike. This was all good reading; however, it does not address my need. I am interested in sanitizing HTML rather than encoding HTML. While these articles serve well to show some Anti-XSS solutions, they do not deal with my scenario. You have my vote, anyway, for providing such useful references. – kbrimington Nov 21 '11 at 17:58
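The distinction the comments draw between encoding and sanitizing, as an added example (not code from the thread or from any library linked above), written against the HtmlAgilityPack NuGet package. That package is an assumption; the thread does not establish whether it loads under minimal trust. Encode escapes every character so no markup survives; Sanitize keeps an allow-list of tags and attributes and drops script, comments, event-handler attributes and non-http(s) link targets.

```csharp
// Added example: HtmlAgilityPack is assumed, not something the thread confirms
// works under minimal trust.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using HtmlAgilityPack;

static class HtmlCleaner
{
    // Encoding: every character is escaped, so no markup survives at all.
    public static string Encode(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    static readonly HashSet<string> AllowedTags = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "p", "b", "i", "em", "strong", "a", "ul", "ol", "li", "br" };
    static readonly HashSet<string> AllowedAttrs = new HashSet<string>(
        StringComparer.OrdinalIgnoreCase) { "href" };

    // Sanitizing: keep the allow-listed markup, strip everything else.
    public static string Sanitize(string input)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(input);
        // Snapshot the node list because the tree is mutated while walking it.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;
            if (!AllowedTags.Contains(node.Name))
            {
                bool raw = node.Name.Equals("script", StringComparison.OrdinalIgnoreCase)
                        || node.Name.Equals("style", StringComparison.OrdinalIgnoreCase);
                // script/style bodies must not leak back out as text; other
                // unknown tags are unwrapped so their visible content survives.
                if (raw) node.Remove(); else node.ParentNode.RemoveChild(node, true);
                continue;
            }
            foreach (var attr in node.Attributes.ToList())
            {
                // Drops onclick, onerror, style, and any other non-allow-listed attribute.
                if (!AllowedAttrs.Contains(attr.Name)) { attr.Remove(); continue; }
                // Only absolute http(s) targets survive; "javascript:" and similar are dropped.
                Uri uri;
                if (!Uri.TryCreate(attr.Value, UriKind.Absolute, out uri)
                    || (uri.Scheme != Uri.UriSchemeHttp && uri.Scheme != Uri.UriSchemeHttps))
                    attr.Remove();
            }
        }
        return doc.DocumentNode.OuterHtml;
    }
}
```

Relative links are rejected by the href rule above; a deployment that needs them has to add its own rule for that case.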
Jeff Atwood's sanitizer is here, and a C# sanitizer that works better based on my limited testing is here. I took the C# and converted it to VB.NET and am using it in a project now, and it seems to catch the HTML and JavaScript I don't want getting through.

Ashok Padmanabhan
  • While I am not content that all/any of the refactormycode submissions are anywhere as tight/secure as the Microsoft Web Protection Library implementation, I did ultimately adapt one of them for my project, so the answer goes to you. Thanks! – kbrimington Nov 21 '11 at 18:13