C#html消毒器有没有很好的解决方案? [英] Is there a good solution for a C# html sanitizer?
问题描述
用户可以输入稍后将显示给其他用户的HTML。我使用的所见即所得插件从前端清理HTML。它删除所有潜在的恶意标签(脚本,src,以on开头的任何东西),我显然需要在后端做一些验证。
有人知道C#有一个很好的解决方案吗?我一直在看这个 http://roberto.open-lab.com / 2010/03/04 / a-html-sanitizer-for-c / ,尽管我对使用随机博客中的一些代码有点犹豫。有没有一些众所周知的插件?在这种情况下,大多数人会做什么?
HtmlAgilityPack ,这是一个维护良好的与所有HTML标签相关的库。最好的做法是实施一个白名单,这是一个允许标签列表。这个SO问题可能正是你需要的:
A user can enter HTML that will later be displayed to other users. The WYSIWYG plugin i'm using sanitizes the HTML from the front end. It removes all potentially malicious tags (script, src, anything starting with "on" etc) I obviously need to do some validation in the back end as well.
Does anyone know of a good solution for C#? I keep seeing this http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/, though I'm a little hesitant to use some code from a random blog. Are there any well known plugins? What do most people do in this situation?
You can use HtmlAgilityPack, which is a well maintained library for all things related to HTML tags. A best practice would be to implement a White List, which is a list of allowable tags. This SO question might be exactly what you need:
HTML Agility Pack strip tags NOT IN whitelist
这篇关于C#html消毒器有没有很好的解决方案?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
