I have an ASP.NET Core MVC app, and I want to protect my website from XSS attacks. I am planning to integrate TinyMCE in my site for users. To display their input, I want to use HtmlHelper.Raw, but using it on unsanitized input is unsafe, as you know. To address this, I was planning to purify whatever HtmlHelper.Raw outputs (something like this) in the Razor view itself, so that this would shut down the possibility of an XSS attack. I am not sure if that is enough to protect just the HTML part of my site, however.
I read this article and was wondering if there were any good HTML purifiers out there. If I have to write my own purifier, would the only thing I have to worry about purifying be the "<script>" tag? Also, I read that an '&' followed by a '#' is unsafe, but I am not sure why.
Any recommendations for HTML purifiers? Thanks.
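An added example, not part of the question above, of the allow-list approach the question is circling around: it uses the mganss/HtmlSanitizer NuGet package (assumed to be installed; the class name RichTextSanitizer and the tag list are my choices), configured once and called before Html.Raw.

```csharp
using System;
using Ganss.Xss; // HtmlSanitizer NuGet package (releases before 8.x use the namespace Ganss.XSS)

public static class RichTextSanitizer
{
    // One shared instance; the allow list is configured once, not per request.
    private static readonly HtmlSanitizer Sanitizer = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();

        // Start from an empty allow list and admit only what TinyMCE users actually need.
        // Anything else (script, iframe, event-handler attributes, ...) is dropped by default,
        // so there is no blocklist of "bad" tags to keep up to date.
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "p", "br", "strong", "em", "ul", "ol", "li", "a", "h2", "h3", "blockquote" })
            s.AllowedTags.Add(tag);

        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");

        // Only these URL schemes survive in href. The input is parsed as HTML (AngleSharp)
        // before the check, so attribute values are already entity-decoded, including the
        // numeric &#...; forms the question asks about; matching on literal text would miss them.
        s.AllowedSchemes.Clear();
        foreach (var scheme in new[] { "http", "https", "mailto" })
            s.AllowedSchemes.Add(scheme);

        // No inline CSS at all; style attributes are not allow-listed above either.
        s.AllowedCssProperties.Clear();
        return s;
    }

    // Run at render time (or at save time, keeping the raw original) and pass the result to Html.Raw.
    public static string Sanitize(string untrustedHtml) =>
        Sanitizer.Sanitize(untrustedHtml ?? string.Empty);
}
```

In the Razor view this becomes `@Html.Raw(RichTextSanitizer.Sanitize(Model.Body))`; it covers only HTML output, so values written into JavaScript, CSS or URL contexts still need their own context-specific encoding.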