User input sanitisation in asp.net

Sniper16

New Member
I need to sanitise user input (or output) for a web app I'm developing. The user input is just plain text, and I want to prevent HTML or other "harmful" strings. However, characters such as less than, greater than, apostrophes, ampersands, quotes, etc., should be allowed.

I guess the first step is to disable request validation to prevent the generic "a potentially dangerous value was detected" message, but what else do I need to do? I can't simply htmlencode the output, otherwise I'll end up with &lt being displayed in place of a less than character, for example.

Are there any tools that can help? I had a quick look at the AntiXSS library, but from what I've seen it's just a glorified htmlencoder, or am I missing something? What about MVC - does this have anything built in?

I've never found a decent article on this kind of thing. Some say to sanitise input, while others say to sanitise output, and examples are typically over-simplistic, using techniques like htmlencoding, which will reformat perfectly valid characters such as a less than.
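Added example (not part of the post above, and not taken from AntiXSS or any Microsoft sample) illustrating the output-encoding question raised here: the encoded form lives only in the HTML source, and the browser shows the user the original characters. It assumes only `System.Net.WebUtility` from the .NET base class library; the sample strings are constructed for the demo.

```csharp
using System;
using System.Net;   // WebUtility.HtmlEncode / HtmlDecode

static class OutputEncodingDemo
{
    // Encode untrusted plain text at the moment it is written into HTML.
    // The encoded string is what goes into the page source; the browser
    // turns it back into the original characters when rendering the text.
    public static string ForHtmlText(string untrusted) =>
        WebUtility.HtmlEncode(untrusted ?? string.Empty);

    static void Main()
    {
        // Constructed sample inputs: legitimate punctuation the poster wants
        // to keep, plus raw markup that must stay inert on the page.
        string[] samples =
        {
            "a < b && c > d",
            "O'Brien said \"hello\"",
            "<b>raw markup</b>",
        };

        foreach (var s in samples)
        {
            string encoded = ForHtmlText(s);

            // Left: what the HTML source contains. Right: what the user sees.
            Console.WriteLine($"source : {encoded}");
            Console.WriteLine($"visible: {WebUtility.HtmlDecode(encoded)}");

            // Encoding is lossless for display (decode(encode(x)) == x) and
            // the encoded text can no longer open a tag or an attribute.
            bool visibleUnchanged = WebUtility.HtmlDecode(encoded) == s;
            bool noRawMarkup = !encoded.Contains("<") && !encoded.Contains("\"");
            if (!visibleUnchanged || !noRawMarkup)
                throw new InvalidOperationException($"unexpected result for: {s}");
        }
    }
}
```

Request validation and input filtering are separate questions; this only shows why encoding at the output boundary does not change what a reader sees.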