2

I'm sure this is a common question...

I want the user to be able to enter and format a description.

Right now I have a multiline textbox that they can enter plain text into. It would be nice if they could do a little HTML formatting. Is this something I am going to have to handle? Parse out the input and only validate if there are "safe" tags like `<ul>`, `<li>`, `<b>`, etc.?

I am saving this description in an SQL db. In order to display this HTML properly do I need to use a literal on the page and just dump it in the proper area or is there a better control for what I am doing?

Also, is there a free control like the one on SO for user input/minor editing?

4 Answers

4

Have a look at the AntiXSS library. The current release (3.1) has a method called GetSafeHtmlFragment, which can be used to do the kind of parsing you're talking about.

A Literal is probably the correct control for outputting this HTML, as the Literal just outputs what's put into it and lets the browser render any HTML. Labels will output all the markup including tags.

The AJAX Control Toolkit has a text editor.

4

> Also, is there a free control like the one on SO for user input/minor editing?

Stackoverflow uses the WMD control and markdown as explained here:

https://blog.stackoverflow.com/2008/09/what-was-stack-overflow-built-with/

2

You will need to check what tags are entered to avoid cross-site scripting attacks etc. You could use a regex to check that any tags are on a 'whitelist' you have and strip out any others.

You can check out this link for a list of rich text editors.

0

In addition to the other answers, you will need to set ValidateRequest="false" in the @Page directive of the page that contains the textbox. This turns off the standard ASP.NET validation that prevents HTML from being posted from a textbox. You should then use your own validation routine, such as the one @PhilPursglove mentions.
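
One way to write the allowlist validation routine that the last two answers call for, as an added example (not code from any answerer or from the AntiXSS library): HTML-encode the whole input first, then restore only exact, attribute-free tags from an allowlist. The class name, the tag list and the sample strings are assumptions made for this illustration.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

public static class DescriptionSanitizer
{
    // Assumed allowlist for this example: formatting tags only, never with attributes.
    private static readonly Regex EncodedAllowedTag = new Regex(
        @"&lt;(/?)(b|i|em|strong|ul|ol|li|p)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    private static readonly Regex EncodedLineBreak = new Regex(
        @"&lt;br\s*/?&gt;",
        RegexOptions.IgnoreCase | RegexOptions.CultureInvariant);

    public static string ToSafeHtml(string userInput)
    {
        if (string.IsNullOrEmpty(userInput)) return string.Empty;

        // Step 1: encode everything, so no markup from the user survives.
        string encoded = WebUtility.HtmlEncode(userInput);

        // Step 2: restore only exact, attribute-free allowlisted tags.
        // "<b onmouseover=...>" encodes to text that does not match, so it stays text.
        string restored = EncodedAllowedTag.Replace(
            encoded,
            m => "<" + m.Groups[1].Value + m.Groups[2].Value.ToLowerInvariant() + ">");
        return EncodedLineBreak.Replace(restored, "<br />");
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs, not taken from the page.
        string[] samples =
        {
            "<b>Bold</b> text with a list: <ul><li>one</li><li>two</li></ul>",
            "<b onmouseover=\"x()\">attribute on an allowed tag</b>",
            "<script>x()</script> and <a href=\"#\">a link</a>",
            "Literal &lt;b&gt; typed by the user stays literal"
        };
        foreach (string s in samples)
            Console.WriteLine(DescriptionSanitizer.ToSafeHtml(s));
    }
}
```

The returned string can be assigned to the Literal's `Text` property; tags outside the allowlist, and allowed tags that carry attributes, show up as visible text instead of markup. The routine does not balance tags, so an unclosed `<ul>` can still affect page layout.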
