[RESOLVED] Escaping HTML and extracting dangerous HTML before storage

I have successfully been able to write a script that posts values to my database. One of the fields contains HTML which I store in my database. But I am beginning to get worried because I did not do any validation to check for malicious HTML code which can lead to a hacker exploit. I also believe that I should escape my HTML before passing it into my database. When I check my database table I see HTML in this format, e.g. <span>some is here</span>.

Please, are there libraries that can help me protect and filter bad HTML within my controller action method so that I save the right and safe code into my database?

Please kindly advise me on the above subject.

Thanks a lot.

You can use the HtmlAgilityPack to filter for disallowed tags. Here’s an article I wrote about using it in a Razor Web Pages site: http://www.mikesdotnetting.com/article/222/request-validation-in-asp-net-web-pages.
You should be able to adapt the key points to MVC.
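As an added illustration of the allow-list filtering the reply recommends (this is example code written for this thread, not code from the linked article or from the HtmlAgilityPack project), the sanitizer below parses the submitted HTML with HtmlAgilityPack, removes every element whose tag is not on a short allow-list, strips every attribute that is not allowed, and rejects link targets whose scheme is not http, https or mailto. The tag and attribute lists, the class and method names, and the sample input are assumptions chosen for the example; the HtmlAgilityPack NuGet package is assumed to be referenced.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;

// Example sanitizer for this thread (not from the linked article or the library).
public static class HtmlSanitizer
{
    // Allow-list: any element not named here is removed together with its content.
    private static readonly HashSet<string> AllowedTags =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "span", "a" };

    // Allow-list of attributes; event handlers (onclick, onerror, ...) and style are never kept.
    private static readonly HashSet<string> AllowedAttributes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "title" };

    private static readonly HashSet<string> AllowedSchemes =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "http", "https", "mailto" };

    public static string Sanitize(string untrustedHtml)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(untrustedHtml ?? string.Empty);

        // Copy the node list first: removing nodes while enumerating a live tree is unsafe.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                node.Remove();            // comments can carry conditional-comment tricks
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element)
                continue;                 // text nodes are kept; they are encoded on output

            if (!AllowedTags.Contains(node.Name))
            {
                node.Remove();            // drops e.g. <script>, <iframe>, <object> and their content
                continue;
            }

            foreach (var attr in node.Attributes.ToList())
            {
                if (!AllowedAttributes.Contains(attr.Name) || IsUnsafeUrl(attr))
                    node.Attributes.Remove(attr);
            }
        }
        return doc.DocumentNode.InnerHtml;
    }

    // Only href is a URL here; reject anything whose scheme is not on the allow-list.
    private static bool IsUnsafeUrl(HtmlAttribute attr)
    {
        if (!attr.Name.Equals("href", StringComparison.OrdinalIgnoreCase))
            return false;

        // Decode entities and drop control characters, which browsers ignore inside a scheme.
        string value = HtmlEntity.DeEntitize(attr.Value ?? string.Empty);
        value = new string(value.Where(c => !char.IsControl(c)).ToArray()).Trim();

        if (!Uri.TryCreate(value, UriKind.RelativeOrAbsolute, out Uri uri))
            return true;
        if (!uri.IsAbsoluteUri)
            return false;                 // relative links such as /page are fine
        return !AllowedSchemes.Contains(uri.Scheme);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample input for the example.
        string submitted =
            "<span>some is here</span><script>alert(1)</script>" +
            "<a href=\"javascript:alert(2)\" onclick=\"x()\">link</a>" +
            "<a href=\"https://example.com/\" title=\"ok\">fine</a>";

        Console.WriteLine(HtmlSanitizer.Sanitize(submitted));
        // The <script> element and the onclick and javascript: attributes are gone;
        // the span and the https link with its title survive.
    }
}
```

In an MVC controller the raw HTML only reaches the action if request validation is relaxed for that property (the [AllowHtml] attribute on the model property), so the call to Sanitize belongs in the action before the value is persisted. Store the sanitized string as-is, and on output render it with Html.Raw only because it has been through the allow-list; every other field keeps Razor's default encoding.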

Thanks a lot, Sir,

You are the best. This is the best article that I have read on cross-site scripting attacks. I have just implemented it in my code.
