User Generated Html Content

10.22.09

Problem: You need to display user-generated HTML content from an untrusted source in your web app.

Solution: This is always a moving target because of cross-site scripting (XSS), but my approach is the following.

1. I use MarkItUp to give users an easy way to format their HTML.

2. After the user submits his changes, I run them through an HTML sanitizer (linked at the bottom) that uses a whitelist approach: any tag or attribute not explicitly allowed is removed. For ASP.NET MVC you will need to mark the controller action with [ValidateInput(false)]; otherwise request validation throws as soon as it sees a "<" in the posted form, before your code ever runs. Put the attribute on the one action that accepts markup rather than on the whole controller.

3. If the sanitization process removed any user-created content, I do not save it. I return the modified content with a warning message: "Some illegal content tags were detected and removed; double-check your work and try again." Decide this from what the sanitizer actually dropped, not from a string comparison of input and output, because an HTML parser normalizes harmless markup (quoting attributes, closing tags) and a naive comparison would flag almost every post.

4. If the content passes through the sanitization process cleanly, I save the HTML to the database as submitted.

5. When rendering to the client, I pass the HTML from the database straight to the page without encoding it. This treats the stored column as trusted, so nothing else may write to it, and if the whitelist is later tightened or a bypass is found, old rows are still served as they are; re-running the sanitizer at render time closes that gap.
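The steps above as one piece of working code. This is an added example, not the sanitizer the post links to or any project's code: it uses HtmlAgilityPack to parse the markup (an assumption about the parser; the original sanitizer is not shown here), the controller and the PostRepository class are hypothetical names, and the tag and attribute lists are a starting point you would adjust to what MarkItUp actually emits.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using HtmlAgilityPack;

// Result of one sanitizer run: the cleaned markup plus a record of everything that was dropped,
// which is what step 3 uses to decide whether to reject the post.
public sealed class SanitizeResult
{
    public string Html;
    public readonly List<string> Removed = new List<string>();
    public bool IsClean { get { return Removed.Count == 0; } }
}

public static class HtmlAllowList
{
    // Whitelist: anything not listed here is removed and reported.
    static readonly HashSet<string> Tags = new HashSet<string>(StringComparer.OrdinalIgnoreCase) {
        "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "blockquote",
        "code", "pre", "h1", "h2", "h3", "a", "img" };

    // Attributes are allowed per tag. "style", "class" and every on* handler are deliberately absent.
    static readonly Dictionary<string, string[]> Attrs = new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase) {
        { "a",   new[] { "href", "title" } },
        { "img", new[] { "src", "alt", "title" } } };

    public static SanitizeResult Sanitize(string html)
    {
        var result = new SanitizeResult();
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);

        // Snapshot first: removing nodes while enumerating Descendants() is not safe.
        foreach (var node in doc.DocumentNode.Descendants().ToList())
        {
            if (node.NodeType == HtmlNodeType.Comment)
            {
                result.Removed.Add("comment");
                node.Remove();
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element) continue;

            if (!Tags.Contains(node.Name))
            {
                result.Removed.Add("<" + node.Name + ">");
                node.Remove(); // element and its content: <script>alert(1)</script> must not leave "alert(1)" behind
                continue;
            }

            string[] allowed;
            if (!Attrs.TryGetValue(node.Name, out allowed)) allowed = new string[0];
            foreach (var attr in node.Attributes.ToList())
            {
                bool keep = allowed.Contains(attr.Name, StringComparer.OrdinalIgnoreCase)
                            && (!IsUrlAttribute(attr.Name) || IsSafeUrl(attr.Value));
                if (keep) continue;
                result.Removed.Add("<" + node.Name + " " + attr.Name + ">");
                node.Attributes.Remove(attr);
            }
        }
        result.Html = doc.DocumentNode.InnerHtml;
        return result;
    }

    static bool IsUrlAttribute(string name)
    {
        return string.Equals(name, "href", StringComparison.OrdinalIgnoreCase)
            || string.Equals(name, "src", StringComparison.OrdinalIgnoreCase);
    }

    // Only http, https, mailto or scheme-less (relative) URLs survive; javascript:, data:, vbscript: do not.
    static bool IsSafeUrl(string raw)
    {
        // Decode entities first ("&#106;avascript:") and drop the whitespace/control characters
        // browsers skip inside a scheme ("java\tscript:"); the decision is made on this normalized copy.
        string url = HtmlEntity.DeEntitize(raw ?? string.Empty);
        url = new string(url.Where(c => !char.IsWhiteSpace(c) && !char.IsControl(c)).ToArray());
        int colon = url.IndexOf(':');
        int firstSep = url.IndexOfAny(new[] { '/', '?', '#' });
        bool hasScheme = colon >= 0 && (firstSep < 0 || colon < firstSep);
        if (!hasScheme) return true;
        string scheme = url.Substring(0, colon).ToLowerInvariant();
        return scheme == "http" || scheme == "https" || scheme == "mailto";
    }
}

public class PostsController : Controller
{
    [HttpPost]
    [ValidateInput(false)] // only this action accepts markup; request validation stays on everywhere else
    public ActionResult Edit(int id, string body)
    {
        SanitizeResult result = HtmlAllowList.Sanitize(body);
        if (!result.IsClean)
        {
            ModelState.AddModelError("body",
                "Some illegal content tags were detected and removed; double-check your work and try again. Removed: "
                + string.Join(", ", result.Removed.ToArray()));
            ViewData["body"] = result.Html; // hand back the cleaned version so the user can see what changed
            return View();
        }
        PostRepository.Save(id, result.Html); // hypothetical repository; stores the sanitizer's output
        return RedirectToAction("Show", new { id = id });
    }
}
```

On the render side the stored HTML is written out unencoded (`<%= Model.Body %>` in a WebForms view, `@Html.Raw(Model.Body)` in Razor), which is exactly why nothing but this action may write the column. The rejection decision is driven by the `Removed` list rather than by comparing input and output strings, since HtmlAgilityPack will re-serialize perfectly harmless markup in a slightly different form.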

More Info:

StackOverflow.com