If you know what you want to strip out, replacing within strings works well. This is a method I use on a button click before the record gets submitted to the DB:

    ' Double single quotes for the SQL string, then HTML-encode the whole value
    Dim sName As String = Server.HtmlEncode(txtName.Text.Replace("'", "''"))

This is a format function used on a page that posts the DB information:

    Public Function FormatStr(ByVal MessageString As String) As String
        ' Drop carriage returns so only line feeds remain
        MessageString = Replace(MessageString, Chr(13), "")
        ' A blank line becomes a paragraph break
        MessageString = Replace(MessageString, Chr(10) & Chr(10), "</p><p>")
        ' Any remaining single line feed is removed
        MessageString = Replace(MessageString, Chr(10), "")
        FormatStr = MessageString
    End Function

Then:

    <%# (FormatStr(Container.DataItem("message")))%>
I'd like to allow some html tags on my site comments section, but the recommended Microsoft ASP.NET package, AntiXssLibrary, simply encodes everything, which blocks all html tags. I spent a full day looking for a suitable regular expression with no luck. Does anyone know a good regex or asp.net package for filtering user submitted text to prevent XSS but allow whitelisted HTML tags? I'm using FreeTextBox, but am willing to switch if necessary. thanks,
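The encode-everything-then-format approach from the first post, combined with the whitelist the question asks for, as an added Python example (not code from either poster): every character is HTML-encoded first, then only exact, attribute-less tags from a constructed whitelist (an assumption, not from the page) are restored, so a tag carrying attributes or an unlisted tag stays inert text.

```python
import html

# Constructed whitelist of attribute-less tags to re-enable after escaping (assumption).
ALLOWED_TAGS = ("b", "i", "em", "strong", "br")


def format_comment(text: str, allowed=ALLOWED_TAGS) -> str:
    """Escape all markup, restore whitelisted bare tags, then paragraph-format.

    Mirrors the FormatStr idea: CR dropped, blank line -> paragraph break,
    lone line feed removed. Output is wrapped in a single <p>...</p>.
    """
    # 1. Drop carriage returns so only line feeds remain (Chr(13) in the VB code).
    text = text.replace("\r", "")
    # 2. Encode <, >, &, " and ' so nothing the user typed is live markup.
    safe = html.escape(text, quote=True)
    # 3. Restore only the literal tokens &lt;tag&gt; and &lt;/tag&gt;.
    #    A tag with attributes never matches this exact token and stays escaped,
    #    which is what blocks event-handler attributes; case-variant tags also stay escaped.
    for tag in allowed:
        safe = safe.replace(f"&lt;{tag}&gt;", f"<{tag}>")
        safe = safe.replace(f"&lt;/{tag}&gt;", f"</{tag}>")
    # 4. Blank line -> paragraph break, remaining single line feeds removed.
    safe = safe.replace("\n\n", "</p><p>")
    safe = safe.replace("\n", "")
    return f"<p>{safe}</p>"


if __name__ == "__main__":
    # Constructed sample comments, not real user data.
    for sample in ("<b>hi</b>\r\n\r\nbye",
                   "<script>alert(1)</script>",
                   '<b onmouseover="x">hi</b>'):
        print(format_comment(sample))
```

Because restoration happens only on exact escaped tokens, the whitelist can be extended with other attribute-less tags without opening an attribute injection path.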