Click here to Skip to main content
Click here to Skip to main content

Dead Simple HTML Sanitizer

, 18 Jan 2013
Rate this:
Please Sign up or sign in to vote.
A dead simple HTML Sanitizer (and HTML Parser) you can use to clean user HTML input.

Introduction 

This article introduces a dead simple HTML Sanitizer which you can use to clean up user-entered HTML or uploaded HTML documents.

Sanitized:

Html Sanitizer WPF Demo

Original:

Background

One of our systems features a Document Production module which allows users to upload (and save) custom HTML documents which can be downloaded by other user. The problem was that some users kept adding "unsafe" script tags (and other XSS vulnerabilities) in their documents which we had to Sanitize.

Note: I know of the Microsoft Anti-Cross Site Scripting Library but decided to write my own since adding a new reference to the project was out of the question.

Using the code

//
// Sample usage
const string input = "<scriPt>alert(0)</Script>This is the game <SCRIPT>";
var output = HtmlSanitizer.Sanitize(input);
Assert.AreEqual("This is the game ", output); 

Parse the HTML

You can also just parse the HTML document.

//
// Parsing a malfomed HTML document
var input = System.IO.File.ReadAllText("myfile.htm");
var doc = HtmlParser.Parse(input);
Assert.AreEqual(2, doc.ChildNodes.Count);

Tidy the HTML

You can also just tidy the HTML content.

//
// Tidy a malfomed HTML document
var input = "<input type=checkbox value=ON checked>";
var output = HtmlParser.Tidy(input);
Assert.AreEqual("<input type=\"checkbox\" value=\"ON\" checked=\"checked\"/>", output); 

Points of Interest/References

  1. The XML Viewer used in this article was taken from A Simple XML Document Viewer Control
  2. This code has not been tested against extremely malformed HTML so please be careful how you use it.
  3. You can always change the list of unsafe tags and attributes to meet your requirements

History

This is the first revision of the article.

License

This article, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)

Share

About the Author

Tawani Anyangwe
Architect
United States United States
No Biography provided

Comments and Discussions

 
BugError on BR tags and at fix attribute value PinmemberPelle Penna28-Jan-14 0:40 
QuestionAwesome. Just what I needed. Pinmembernakash20503-Oct-13 5:19 

General General    News News    Suggestion Suggestion    Question Question    Bug Bug    Answer Answer    Joke Joke    Rant Rant    Admin Admin   

Use Ctrl+Left/Right to switch messages, Ctrl+Up/Down to switch threads, Ctrl+Shift+Left/Right to switch pages.

| Advertise | Privacy | Mobile
Web03 | 2.8.140827.1 | Last Updated 18 Jan 2013
Article Copyright 2013 by Tawani Anyangwe
Everything else Copyright © CodeProject, 1999-2014
Terms of Service
Layout: fixed | fluid