Replies: 3 comments 1 reply
-
@mganss - I have opened this as an issue and am now closing that issue since it looks like this is ideal for Q&A.
-
@mganss, I got this working using the encoding mechanism. Here's the sample code which I ran in .NET Fiddle and is working as expected.

using System;
using Ganss.XSS;
using System.Text.Encodings.Web;

public class Program
{
    public static void Main()
    {
        var sanitizer = new HtmlSanitizer();
        var html = @"Test 509 <img src=x onerror=alert(document.cookie) />";
        // HTML-encode the input first, then pass the encoded text through the sanitizer
        var sanitized = sanitizer.Sanitize(HtmlEncoder.Default.Encode(html));
        Console.WriteLine(sanitized);
    }
}
-
What is your specific use case? Do you want to allow some HTML to pass through, allowing for the output to show bullet lists, bold text etc when displayed in a browser? If so, then you shouldn't HTML encode the output of the sanitizer. If OTOH you just want to safeguard against XSS then you should simply HTML encode your input without sanitizing it. HTML encoding always makes the output safe against XSS. IMO there is no point in both sanitizing and HTML encoding the input.
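As an added example (not code from this thread or from the HtmlSanitizer project), the two options described in the answer above shown side by side on the thread's sample input, plus the "both" variant to show why it adds nothing. It assumes the Ganss.XSS namespace used in the fiddle above and System.Net.WebUtility for encoding; the second input string is constructed.

```csharp
using System;
using System.Net;
using Ganss.XSS;

public static class UntrustedHtml
{
    // Option 1: the text should be displayed literally. Encoding turns every
    // '<', '>', '&' and quote into an entity, so the browser parses no markup at all.
    public static string EncodeForText(string input)
    {
        return WebUtility.HtmlEncode(input);
    }

    // Option 2: some markup (lists, bold, links ...) should survive. Sanitizing
    // keeps tags/attributes on the allow list and strips the rest (onerror, script ...).
    public static string SanitizeForMarkup(string input)
    {
        var sanitizer = new HtmlSanitizer();
        return sanitizer.Sanitize(input);
    }

    public static void Main()
    {
        // Constructed sample inputs: the thread's payload and a harmless bit of markup.
        var payload = "Test 509 <img src=x onerror=alert(document.cookie) />";
        var markup = "<b>bold</b> and <a href=\"https://example.com\">link</a>";

        foreach (var input in new[] { payload, markup })
        {
            Console.WriteLine("input:     " + input);
            // In a browser the encoded form displays the literal "<img ...>" / "<b>" text.
            Console.WriteLine("encoded:   " + EncodeForText(input));
            // In a browser the sanitized form renders an <img> without its handler,
            // and keeps the <b> and <a> from the second input.
            Console.WriteLine("sanitized: " + SanitizeForMarkup(input));
            // Encoding first and then sanitizing hands the sanitizer plain text with no
            // tags, so it has nothing to remove; the sanitizer step adds nothing here.
            Console.WriteLine("both:      " + SanitizeForMarkup(EncodeForText(input)));
            Console.WriteLine();
        }
    }
}
```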
-
Looks like I can't seem to find a proper way to convert a string after calling the .Sanitize method.
Basically convert < into &lt; and convert > into &gt;.
For example, when given input string
Test 509 <img src=x onerror=alert(document.cookie) />
then the output string should be
Test 509 &lt;img src=x onerror=alert(document.cookie) /&gt;
Here's the code I'm using which does not generate the above mentioned output:
var doc = new HtmlSanitizer();
return doc.Sanitize(text);
Actual output is (see how it removed the onerror javascript code and did not convert < and >):
Input:
Test 123 <img src=x onerror=alert(document.cookie) />
Output:
Test 123 <img src="x">
Looks like this text does not seem to be working due to js conversion. So, I have attached the fiddle screenshot explaining the issue I'm facing.