Ask HN: What do you use for HTML sanitization?
There's some established HTML sanitization solutions like HTML Purifier in PHP, but I can't seem to find their counterparts in either Java or .Net. Code samples in C# and Java are floating around, but I haven't seen anything like a project that's undergone serious testing and is being updated for new security threats on an ongoing basis.
Heck, I'd pay for a commercial component if it was well maintained. Any suggestions? Or, this being Hacker News - would someone want to create such a component as a mini-ISV startup?
5 comments
[ 1.6 ms ] story [ 23.1 ms ] threadAttempts to sanitize HTML (or SQL...) by eliminating a set of "dangerous" inputs inevitably end up as whack-a-mole processes as people keep discovering new evil things to throw at you. The only secure solution is to escape everything except a small set of "safe" inputs -- this is analogous to the situation with packet filtering firewalls, where "default deny all" is widely accepted as the right way to do things.
But I'd like to let the user submit formatted HTML via something like FCKEditor and have it checked against a limited whitelist.
I don't trust my own knowledge of browser-specific HTML rules to do this on my own. It's got to be a common enough scenario, right?