I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment to sanitize the HTML.
- Should I sanitize before saving to the database or before rendering the untrusted input into the web page?
- Is there an advantage in including the AntiXSS source code in my project instead of just the DLL? (Maybe I can customize the white list?)
- Which class file should I look in for the actual implementation of GetSafeHtmlFragment?