Is there a library or acceptable method for sanitizing the input to an html page?

In this case I have a form with just a name, phone number, and email address.

Code must be C#.

For example:

"<script src='bobs.js'>John Doe</script>" should become "John Doe"
+16  A: 

You could use the StackOverflow sanitization method from here.

Bryant
That allows way too much in.
Chris Lively
The approach takes a whitelist approach, so just use the same code but don't include any tags in your whitelist. It will strip everything out.
Bryant
A: 

You are looking for the RegEx class and for a pattern like this: <(.|\n)*?>.

You can find a lot of examples on Google.

Jakub Šturc
Using RegEx for this is not very wise; this will give you a false sense of security since there are always corner cases that give a hacker a way to still inject script tags or other things into your fields. RegEx is not made to sanitize input...
Redbeard 0x0A
+5  A: 

If by sanitize you mean REMOVE the tags entirely, the RegEx example referenced by Bryant is the type of solution you want.

If you just want to ensure that the code DOESN'T mess with your design and render to the user, you can use the HttpUtility.HtmlEncode method to prevent that!

Mitchel Sellers
Is there a reason to do that instead of the simpler regex by Jakub?
Chris Lively
The regex solution will remove the code; it works... but takes time. HtmlEncode just formats it in a safe manner for web display.
Mitchel Sellers
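As an added example (not code from any of the answers above), here are the two approaches Jakub and Mitchel describe, side by side on the question's sample input, plus a per-field allowlist check for the name/phone/email form. The field patterns, the class name and the Main harness are assumptions, not from the page; it assumes a .NET Framework project referencing System.Web.

```csharp
// Added example: strip-tags (regex), encode-at-render (HtmlEncode) and a
// per-field allowlist for the question's form. Assumes System.Web is referenced.
using System;
using System.Text.RegularExpressions;
using System.Web;

static class FormInput
{
    // Jakub's pattern: lazily match from '<' to the next '>', newlines included.
    static readonly Regex TagPattern = new Regex(@"<(.|\n)*?>", RegexOptions.Compiled);

    // Per-field allowlists (assumed here; tighten them to what your systems accept).
    static readonly Regex NamePattern  = new Regex(@"^[\p{L}\p{M}' .-]{1,100}$");
    static readonly Regex PhonePattern = new Regex(@"^\+?[0-9 ()-]{7,20}$");
    static readonly Regex EmailPattern = new Regex(@"^[^@\s<>]+@[^@\s<>]+\.[^@\s<>]+$");

    // "Sanitize" as the question uses the word: drop the tags, keep the text between them.
    public static string StripTags(string input) => TagPattern.Replace(input, string.Empty);

    // Mitchel's alternative: keep the value as typed and encode it when rendering, so the
    // browser displays "<script>" as literal characters instead of treating it as markup.
    public static string EncodeForHtml(string stored) => HttpUtility.HtmlEncode(stored);

    // Allowlist check: downstream systems only ever receive values that match the
    // expected shape; anything else is rejected rather than "cleaned".
    public static bool IsValid(string name, string phone, string email) =>
        NamePattern.IsMatch(name) && PhonePattern.IsMatch(phone) && EmailPattern.IsMatch(email);

    static void Main()
    {
        // The question's example input (constructed sample values for phone and email).
        string submitted = "<script src='bobs.js'>John Doe</script>";

        string stripped = StripTags(submitted);
        Console.WriteLine("stripped : " + stripped);
        Console.WriteLine("encoded  : " + EncodeForHtml(submitted));
        Console.WriteLine("accepted : " + IsValid(stripped, "+1 555 0100", "john@example.com"));
        Console.WriteLine("rejected : " + !IsValid(submitted, "+1 555 0100", "john@example.com"));
    }
}
```

StripTags gives the "John Doe" the question asks for, while EncodeForHtml keeps the original text and only neutralises it for display; the allowlist rejects the raw submission outright because '<' and '>' are not valid name characters.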
+4  A: 

Based on the comment you made to this answer, you might find some useful info in this question:
http://stackoverflow.com/questions/72394/what-should-a-developer-know-before-building-a-public-web-site

Here's a parameterized query example. Instead of this:

string sql = "UPDATE UserRecord SET FirstName='" + txtFirstName.Text + "' WHERE UserID=" + UserID;

Do this:

// Requires: using System.Data; using System.Data.SqlClient;
SqlCommand cmd = new SqlCommand("UPDATE UserRecord SET FirstName= @FirstName WHERE UserID= @UserID");
cmd.Parameters.Add("@FirstName", SqlDbType.VarChar, 50).Value = txtFirstName.Text; // value is passed as data, never spliced into the SQL text
cmd.Parameters.Add("@UserID", SqlDbType.Int).Value = UserID;                        // SqlDbType.Int (there is no SqlDbType.Integer)


Edit: Since there was no injection, I removed the portion of the answer dealing with that. I left the basic parameterized query example, since that may still be useful to anyone else reading the question.
--Joel

Joel Coehoorn
Actually, no. I was just trying to be proactive with some new development. Great info though.
Chris Lively
Make sure you've seen the latest edit: I added a very useful link at the bottom.
Joel Coehoorn
BTW, I'm already using s'procs anyway. I just want to make sure that systems downstream (which I have absolutely no control over) don't incorrectly deal with the input.
Chris Lively
+3  A: 

What about using Microsoft Anti-Cross Site Scripting Library?

stian.net
Interesting. When I have time I'll play with it. Looks promising though.
Chris Lively