I am using an HTML sanitizer to detect tags or scripts in input, but I want to allow some characters in the input like & and *. However, the sanitizer method replaces the character & with &amp;, which is wrong.

What I have tried:

public static bool IsDangerousString(string raw)
{
    // Using the HtmlSanitizer NuGet package; for more info see https://github.com/mganss/HtmlSanitizer
    // (needs `using Ganss.XSS;`, or `using Ganss.Xss;` in HtmlSanitizer 8 and later)
    raw = "abc&123"; // test value that overrides the parameter
    var sanitiser = new HtmlSanitizer();
    var sanitised = sanitiser.Sanitize(raw);
    return raw != sanitised; // should return false but returns true
}
Comments
Richard Deeming 17-Mar-22 4:49am    
& on its own is not valid in an HTML context; it has to be encoded as &amp;.

If you're allowing characters which are not valid in HTML, then you are not generating HTML. An HTML sanitiser is not the correct tool to process non-HTML content.
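An added example in C# (not code from the question or from the HtmlSanitizer project) showing why the `raw != sanitised` comparison misfires on a bare ampersand and what a defender can do instead. It assumes the HtmlSanitizer NuGet package is referenced (namespace `Ganss.XSS` up to version 7, `Ganss.Xss` from version 8); the class `InputCheck` and the methods `DiffersAfterSanitize`, `ContainsDisallowedMarkup` and `RenderAsText` are names chosen for this example.

```csharp
// Added example, not part of the original question or the HtmlSanitizer project.
// Assumes the HtmlSanitizer NuGet package is referenced.
using System;
using System.Net;
using Ganss.XSS; // use Ganss.Xss with HtmlSanitizer 8+

public static class InputCheck
{
    // The approach from the question: any difference between the input and the
    // sanitized output is treated as "dangerous". Re-encoding of text alone
    // (a bare '&' becoming '&amp;') is enough to trip it, so plain text that
    // contains no markup at all is reported as dangerous.
    public static bool DiffersAfterSanitize(string raw)
    {
        var sanitizer = new HtmlSanitizer();
        return raw != sanitizer.Sanitize(raw);
    }

    // Alternative 1: ask the sanitizer what it actually removed. The
    // RemovingTag and RemovingAttribute events fire only when disallowed
    // markup is dropped, not when text content is merely re-encoded.
    public static bool ContainsDisallowedMarkup(string raw)
    {
        var sanitizer = new HtmlSanitizer();
        bool removed = false;
        sanitizer.RemovingTag += (sender, e) => removed = true;
        sanitizer.RemovingAttribute += (sender, e) => removed = true;
        sanitizer.Sanitize(raw);
        return removed;
    }

    // Alternative 2, which is what the comment above recommends: treat the
    // field as plain text rather than HTML. Store it unchanged and HTML-encode
    // it at the point where it is written into a page. No "dangerous string"
    // detection is needed, because the encoded text can never become markup.
    public static string RenderAsText(string raw) => WebUtility.HtmlEncode(raw);

    public static void Main()
    {
        // Constructed sample inputs for this example.
        string plainWithAmpersand = "abc&123";
        string withScript = "<script>x</script>";

        Console.WriteLine(DiffersAfterSanitize(plainWithAmpersand));
        Console.WriteLine(ContainsDisallowedMarkup(plainWithAmpersand));
        Console.WriteLine(ContainsDisallowedMarkup(withScript));
        Console.WriteLine(RenderAsText("abc&123 <b>"));
    }
}
```

Run this and `DiffersAfterSanitize` reports the bare ampersand as dangerous while `ContainsDisallowedMarkup` does not, because no tag or attribute was removed; the `<script>` input is flagged by both. `RenderAsText` shows the output-encoding route: `&` and `<` are encoded when the text is emitted into HTML, which is the check that actually matters for XSS.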

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)