R – How to prevent XSS when allowing simple formatting and hyperlink in a Sharepoint webpart


I'm building a webpart for a Sharepoint site that allows the user to enter information into a textbox that will eventually be showed to other users. The problem is that I need to allow simple formatting (bold, italic etc) and also allow the user to enter an url (a <a href="…..). I don't want to expose a XSS exploit since I do not trust the users using my webpart not doing that.

What are my best alternatives when not wanting to write a fully fledged html parser?

There is a SPHttpUtility.HtmlEncodeAllowSimpleTextFormatting(string) that does almost what I need. It allows simple formatting such as <B>, <I>, etc. The problem is that I want to allow hyperlinks as well. Does anyone know if there is some builtin functions in Sharepoint/ASP.NET that does what I want?

If I enable "Enhanced rich text" on a "Multiple Lines of Text" column in a Sharepoint list, it seems to do exactly what I want (it allows formatting and hyperlinks, but not evil stuff) but I cannot figure out how and where it does that?

Best Solution

Microsoft have a project over at CodePlex called AntiXSS that seems to do what I want.

It does however allow more html than I need (I couldn't find a way to control what to allow, maybe I didn't look everywhere), but I think this might be a good solution anyway.

Related Question