I know that a lot of questions about HTML sanitizers have appeared on SO, but I don't know if they do what I want; I'm a bit confused since some of the recommended approaches are more than 4 years old.
I have a page with the TinyMCE editor. Of course, this editor sends HTML to the server and expects HTML, so I have created an entity with a string property decorated with the [AllowHtml] attribute. It works well.
Now, I want to ensure that nobody tries to send a <script> tag, or an <img onerror="">, or any other way of executing JS, or add CSS that points to external URLs.
What is the best solution at the moment?
WPL has the HtmlSanitizationLibrary, but how can I know what tags are considered "secure"?
WPL has not released anything since last April, and that was a beta. So I was wondering, is this project active?
Cheers.
WPL is the de-facto standard. Run the string through it and you are safe to print it unencoded:
@Html.Raw(Model.SomePropertyThatWasSanitizedWithWPL)
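As an added illustration (not code from the question, the answer, or WPL), here is an explicit allowlist sanitizer for the editor's HTML, built on the HtmlAgilityPack NuGet package; it makes the "which tags are considered secure" question answerable by inspection, because the allowed set is the list in the code. The class name RichTextSanitizer is a hypothetical one chosen for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;
public static class RichTextSanitizer   // hypothetical helper, not part of WPL or TinyMCE
{
    // Tags kept. Anything else is unwrapped (tag dropped, its text kept), so "secure" means "on this list".
    static readonly HashSet<string> AllowedTags = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "a", "img", "h1", "h2", "h3", "blockquote" };
    // Tags dropped together with their content: active content, and anything that can load CSS or a remote URL.
    static readonly HashSet<string> DropWithContent = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        { "script", "style", "iframe", "object", "embed", "link", "meta", "form" };
    // Per-tag attribute allowlist. No on* handlers and no style, so inline JS and external CSS never survive.
    static readonly Dictionary<string, HashSet<string>> AllowedAttrs = new Dictionary<string, HashSet<string>>(StringComparer.OrdinalIgnoreCase)
    {
        { "a",   new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "href", "title" } },
        { "img", new HashSet<string>(StringComparer.OrdinalIgnoreCase) { "src", "alt", "width", "height" } },
    };
    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument(); doc.LoadHtml(html ?? string.Empty);
        foreach (var node in doc.DocumentNode.Descendants().ToList())   // snapshot: the tree is mutated below
        {
            if (node.NodeType == HtmlNodeType.Comment) { node.Remove(); continue; }
            if (node.NodeType != HtmlNodeType.Element) continue;           // text nodes stay as data
            string tag = node.Name.ToLowerInvariant();
            if (DropWithContent.Contains(tag)) { node.Remove(); continue; }
            if (!AllowedTags.Contains(tag)) { node.ParentNode.RemoveChild(node, true); continue; }
            HashSet<string> allowed; AllowedAttrs.TryGetValue(tag, out allowed);
            foreach (var attr in node.Attributes.ToList())
            {
                string name = attr.Name.ToLowerInvariant();
                if (allowed == null || !allowed.Contains(name)) { attr.Remove(); continue; }
                if ((name == "href" || name == "src") && !IsSafeUrl(attr.Value)) attr.Remove();
            }
        }
        return doc.DocumentNode.InnerHtml;
    }
    // Allows http(s), mailto and site-relative URLs only; javascript:, data:, vbscript: and obfuscated forms
    // such as "java&#09;script:" are rejected because entities are decoded and whitespace/control chars stripped first.
    static bool IsSafeUrl(string value)
    {
        string v = HtmlEntity.DeEntitize(value ?? string.Empty);
        v = new string(v.Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray());
        if (v.Length == 0) return false;
        if (v[0] == '/' || v[0] == '#' || v[0] == '?') return true;
        int colon = v.IndexOf(':'); if (colon < 0) return true;            // no scheme: relative path
        string scheme = v.Substring(0, colon).ToLowerInvariant();
        return scheme == "http" || scheme == "https" || scheme == "mailto";
    }
}
```

Call Sanitize on the [AllowHtml] property in the controller action before persisting it, so that @Html.Raw is only ever used on a value that has already been through the allowlist.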