AntiXSS in ASP.Net Core

爱一瞬间的悲伤 2020-12-10 12:17

Microsoft Web Protection Library (AntiXSS) has reached End of Life. The page states "In .NET 4.0 a version of AntiXSS was included in the framework and could be enabled via

6 answers
  •  离开以前
    2020-12-10 12:57

    Sounds like you need a whitelist-based sanitizer of some sort. OWASP AntiSamy.NET used to do that, but I don't think it's maintained anymore. If data is always delivered to JSON, you could also run it through DOMPurify on the client side, before adding it to the DOM. Having malicious HTML in the JSON itself isn't all that dangerous (at least not as long as you set the content-type and X-content-type-options: nosniff headers correctly). The code will not trigger until it's rendered into the DOM.
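
The server-side half of the answer above, as an added example that is not part of the original thread: an ASP.NET Core minimal API (.NET 6 or later, default web template with implicit usings assumed) that serves stored text as JSON with an explicit JSON content type and `X-Content-Type-Options: nosniff`. The route, the `Comment` record and the sample data are hypothetical.

```csharp
// Program.cs (added example; names and data are hypothetical)
var builder = WebApplication.CreateBuilder(args);
var app = builder.Build();

// Add X-Content-Type-Options: nosniff to every response so the browser
// honours the declared Content-Type and never reinterprets a JSON body
// as HTML.
app.Use(async (context, next) =>
{
    context.Response.Headers["X-Content-Type-Options"] = "nosniff";
    await next(context);
});

// Constructed sample data: stored user input that contains markup.
var comments = new[]
{
    new Comment(1, "<b>stored markup from a user</b>"),
    new Comment(2, "plain text comment"),
};

// Results.Json serializes the value and sets
// Content-Type: application/json; charset=utf-8 on the response.
// The markup travels as inert string data inside the JSON document.
app.MapGet("/api/comments", () => Results.Json(comments));

app.Run();

// Type declarations must follow the top-level statements.
record Comment(int Id, string Body);
```

The markup in `Body` stays inert in transit; the client still has to pass it through a sanitizer such as DOMPurify before adding it to the DOM.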
