Making the blog comments posted by users safe

I'm in the process of creating a blog engine on my website. Nothing fancy. The user will register some basic information, including the comment itself that is the issue of this question.

Inside the comment field, the user can write some text, but there are currently nothing stopping him from writing anything harmful there, that would mess up the page when rendering it with comments.

So I'm wondering what the easiest way to accomplish these three tasks are (hoping for something built into .NET :) )

• Making sure that no harmful html are written into the textbox to run scripts, or to just make the page render with an error for all users after the comment is added.
• I still want to accept tags like <a>,<b> and so on so the user can format his text, and provide links.
• Any linebreaks in the message should be honored so that the comment looks the same when rendered as html as when the user wrote it in. Currently, all line breaks are just ignored, as开发者_JS百科 standard for html content.

You want to make sure that you use a proper method when adding values to your database to avoid SQL Injection, there's an MSDN article on How To Protect from SQL Injeciton in ASP.NET that I recommend you to read.

When you want to allow users to format code themselves you open up for exploits and you most certainl have to think more than once on this. First of all you want to make sure that every tag has a matching end-tag. Because if someone writes: <strong>Hello! you don't want all text after that to be bold.

To help you acheive this you can use a couple of different libraries these are two of the methods/libraries I recommend:

• Html Agility Pack
• ASP.NET BBCode

You can use an approach where you allow users to write [bold]text[/bold] and then you use something called Html Encoding on everything else. So If you write the following:

<strong>this will not be in bold</strong>[bold]But this will![/bold]

The output could be:

<strong>this will not be bold</strong>but this will!

You acheive this by following these steps:

• HTML Encode the text
• Replace your BB Code tags ( [bold] and what not ) with proper HTML

Regarding the line-breaks you need to replace \r\n with <br />, check the Html Agility Pack for this or use String.Replace.

You might also want to read Jeffs blog post about Safe HTML and XSS.

My best suggestion is use wiki code or bulletin board code (BBCode).

In some custom development in one of my personal projects I was using a Codeplex project called "Codekicker BBCode", which is a parser engine so you can use BBCode in your comment composing text input:

• http://bbcode.codeplex.com/

It's not hard to extend its semantics and add more BBCode tags, but out-of-the-box ones are enough for your requirements - or I guess so! -.

I've never integrated a wiki code engine but you can download Screwturn Wiki's source code and strip out wiki code parser and use in your own solution - it's GPL, isn't it? If you leave author notice and license, you can do it! -:

• http://www.screwturn.eu

You could allow standard XHTML/HTML elements, but it'd better to use such parsers.

My humild opinion is a wiki code parser is better than BBCode, but maybe your requirements and BBCode can have a good marriage :)