EnableSanitization property

If you have questions about using mojoPortal, you can post them here.

You may want to first review our site administration documentation to see if your question is answered there.

This thread is closed to new posts. You must sign in to post in the forums.
8/13/2012 2:31:33 AM
Total Posts 12
Ramesh Menta

EnableSanitization property

Hi, I have updated my entire wwwroot folder to our new version It was downloaded from codeplex on 12.08.2012.

Also it is included my private features i.e .ascx files. However i am getting following error where i used HtmlEditorExtender in my private ascx files.

Sanitizer provider is not configured in the web. con fig file. If you are using the HtmlEditorExtender with a public website then please configure a Sanitizer provider. Otherwise, set the EnableSanitization property to false.

I have another option to set EnableSanitization property to false however sice it my website is public, i am not daring to to set.

Kindly advise.


8/13/2012 1:19:04 PM
Total Posts 18439

Re: EnableSanitization property

I'm not generally a fan of filtering input as an approach to protecting from xss, I think it is much better to assume that untrusted content can get past the filters and into the database during input and protect from xss by filtering output. We use NeatHtml in mojoPortal to protect us from untrusted content. The problem with filtering on the front end is that if you later found something got past the filtering there isn't a good way to solve it since the content is already in the database. Therefore we assume the untrusted content in the database probably does have malicious content. Given that assumption it is always possible to improve the output filtering, but if you only filter on input and then assume the content in the db is safe because you filtered it during input you could be wrong and without filtering the output the malicious content that made it into the db can be rendered in your site. For more information see the article protecting from untrusted content. In practice, the white-list approach to filtering output used in NeatHtml has never failed to protect from xss.

That said, you can use the stuff in the toolkit, this article explains the needed web.config configuration, but you'll need to download the toolkit and add the HtmlAgilityPack.dll into the /bin folder since it wasn't bundled with this release of mojoPortal. I will bundle it and include the needed config settings in the next release.

Hope that helps,


You must sign in to post in the forums. This thread is closed to new posts.