In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time.
My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment()
method. As long as I do this before storing the HTML in the database, am I covered? Do I need to do anything when the HTML is outputted on a web page?
Also, it appears that the white list is kind of a black box. Is there a way to update this based on our requirements?