TYPO3 / Fluid

Fluid template rendering engine - Standalone version
GNU Lesser General Public License v3.0

Improve sanitization of tag attribute names #936

Closed s2b closed 1 month ago

s2b commented 1 month ago

The current approach to sanitize HTML tag attributes by TagBuilder can be improved to only allow certain characters. As TagBuilder is a low-level API to create arbitrary HTML tags, the goal is not to prevent any JavaScript from being executed because this might be a desired behavior in some use cases.

We would like to prevent the following:

$unsafeInput = "onclick='alert(1)'";
$tagBuilder->addAttribute($unsafeInput, 'some value');

While still allowing the following:

$tagBuilder->addAttribute('onclick', 'doSomething()');

Thus, developers are still responsible for further validating any data passed from users to TagBuilder, especially when it concerns JavaScript events defined directly in HTML.
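The distinction the PR draws (reject a user-controlled attribute *name* that smuggles in quotes and a second attribute, while still permitting a legitimate `onclick` name) can be shown with a small stand-alone builder. This is an added illustration, not Fluid's TagBuilder; the allowed character set (a letter followed by letters, digits, `-`, `_`, `:`, `.`) and the class names are assumptions for the example.

```php
<?php
// Added example, not Fluid's TagBuilder. The permitted name characters
// below are an assumption chosen for this illustration.
declare(strict_types=1);

final class AttributeNameValidator
{
    // Excludes quotes, '=', '<', '>', '/' and whitespace, so a name cannot
    // terminate the attribute or start a new one.
    private const NAME_PATTERN = '/^[a-zA-Z][a-zA-Z0-9_:.\-]*$/';

    public static function isValid(string $name): bool
    {
        return preg_match(self::NAME_PATTERN, $name) === 1;
    }
}

final class MiniTagBuilder
{
    /** @var array<string,string> */
    private array $attributes = [];

    public function __construct(private string $tagName) {}

    public function addAttribute(string $name, string $value): void
    {
        if (!AttributeNameValidator::isValid($name)) {
            throw new \InvalidArgumentException(sprintf('Invalid attribute name "%s"', $name));
        }
        $this->attributes[$name] = $value;
    }

    public function render(): string
    {
        $out = '<' . $this->tagName;
        foreach ($this->attributes as $name => $value) {
            // The value is escaped; the name is emitted only because it passed the check.
            $out .= ' ' . $name . '="' . htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8') . '"';
        }
        return $out . '>';
    }
}

$tag = new MiniTagBuilder('a');
$tag->addAttribute('onclick', 'doSomething()');            // allowed, as the PR intends
try {
    $tag->addAttribute("onclick='alert(1)'", 'some value'); // rejected: name contains quotes and '='
} catch (\InvalidArgumentException $e) {
    echo $e->getMessage(), PHP_EOL;
}
echo $tag->render(), PHP_EOL;
```

As the PR description notes, this only constrains the attribute name; the value of an event-handler attribute is still application data that the caller must validate before it reaches the builder.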