Sanitize HTML before storing in the DB or before rendering? (AntiXSS library in ASP.NET)

Posted by user102533 on Stack Overflow
Published on 2010-01-13T22:53:07Z Indexed on 2010/05/25 21:21 UTC

I have an editor that lets users add HTML that is stored in the database and rendered on a web page. Since this is untrusted input, I plan to use Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment to sanitize the HTML.

  • Should I sanitize before saving to the database or before rendering the untrusted input into the webpage?
  • Is there an advantage in including the AntiXSS source code in my project instead of just the DLL? (Maybe I can customize the white list?)
  • Which class file should I look in for the actual implementation of GetSafeHtmlFragment?

© Stack Overflow or respective owner
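A worked illustration of the trade-off behind the first question, added here as an example; it is not code from the post or from the AntiXSS project. It assumes the AntiXSS 3.x API the question names (Microsoft.Security.Application.AntiXss.GetSafeHtmlFragment and AntiXss.HtmlAttributeEncode). UserContent, ContentRepository, ContentRenderer and the "antixss-3.1" version stamp are hypothetical stand-ins for the application's own types, and the submitted HTML is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using Microsoft.Security.Application;   // AntiXSS 3.x: AntiXss.GetSafeHtmlFragment

// Hypothetical record type. The raw submission is always kept so the sanitizer
// can be re-run later (for instance after an AntiXSS upgrade tightens the whitelist).
public class UserContent
{
    public int Id { get; set; }
    public string RawHtml { get; set; }
    public string SanitizedHtml { get; set; }     // optional cache, filled by SaveSanitized
    public string SanitizerVersion { get; set; }  // which sanitizer build produced the cache
}

// Hypothetical in-memory store standing in for the database layer.
public class ContentRepository
{
    private readonly Dictionary<int, UserContent> rows = new Dictionary<int, UserContent>();
    public void Save(UserContent c) { rows[c.Id] = c; }
    public UserContent Load(int id) { return rows[id]; }
}

public static class ContentRenderer
{
    // Hypothetical version stamp for the deployed sanitizer; bump it when AntiXSS is upgraded.
    public const string CurrentSanitizerVersion = "antixss-3.1";

    // Option A: sanitize at render time. The whitelist in force *now* is applied to
    // every row, old or new, at the cost of running the sanitizer on each request.
    public static string RenderFragment(UserContent c)
    {
        if (string.IsNullOrEmpty(c.RawHtml)) return string.Empty;
        return AntiXss.GetSafeHtmlFragment(c.RawHtml);
    }

    // Option B: sanitize at save time and cache the result beside the raw input,
    // tagged with the sanitizer version. A row whose cache was produced by an older
    // sanitizer is re-sanitized from the raw copy instead of being trusted.
    public static void SaveSanitized(ContentRepository repo, UserContent c)
    {
        c.SanitizedHtml = AntiXss.GetSafeHtmlFragment(c.RawHtml ?? string.Empty);
        c.SanitizerVersion = CurrentSanitizerVersion;
        repo.Save(c);
    }

    public static string RenderCached(UserContent c)
    {
        if (c.SanitizedHtml != null && c.SanitizerVersion == CurrentSanitizerVersion)
            return c.SanitizedHtml;
        return RenderFragment(c);   // stale or missing cache: sanitize the raw input now
    }

    // GetSafeHtmlFragment only makes the value safe as HTML *markup*. If the same text
    // lands in an attribute (title="...") it must be encoded for that context instead.
    public static string AsAttributeValue(UserContent c)
    {
        return AntiXss.HtmlAttributeEncode(c.RawHtml ?? string.Empty);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input: legitimate markup mixed with a script element
        // and an inline event handler.
        var submitted = new UserContent
        {
            Id = 1,
            RawHtml = "<p>Hello <b onclick=\"steal()\">world</b></p><script>alert(1)</script>"
        };

        var repo = new ContentRepository();
        ContentRenderer.SaveSanitized(repo, submitted);

        var row = repo.Load(1);
        // In an ASPX page the sanitized fragment is emitted with <%= ... %>; the
        // encoding <%: ... %> syntax would HTML-encode it and show the tags as text.
        Console.WriteLine(ContentRenderer.RenderCached(row));
        Console.WriteLine(ContentRenderer.AsAttributeValue(row));
    }
}
```

Whichever option is chosen, the raw submission is kept: a sanitizer is a whitelist parser, and when a later AntiXSS release fixes a bypass, only rows that can be re-sanitized from their raw copy benefit from the fix. The context caveat also matters: GetSafeHtmlFragment is only the right tool when the result is written as HTML body markup; inside an attribute, a URL or a script block the matching encoder is the correct defence, not the sanitizer.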
