I'm creating a web application where a textarea control sets the output of some text in another area of the site. I want the user to enter text in paragraphs and have these honoured in the output page (most likely with `<br />` tags).
Normally I'd just use the MS AntiXSS library for this and protect on input (and output for paranoia), however it's stripping out my line breaks.
I've been trying to create some extension methods to replace newlines with `<br />` tags and then sanitize, but this converts my `<br />` tags to `<br>` - I would prefer my application to render legal HTML (without another level of hacks of converting after the sanitize).
How can I render valid HTML and protect myself against XSS?
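The ordering the question is circling around is encode first, then insert the markup you control; running a sanitizer over text that already contains your own `<br />` tags is what hands the normalisation to the sanitizer. Below is an added example illustrating that ordering; it is not code from the original post or from the AntiXSS library. It assumes .NET 4 or later for `System.Net.WebUtility.HtmlEncode` (the AntiXSS `Microsoft.Security.Application.Encoder.HtmlEncode` can be substituted on the same line), and the class and method names are the example's own.

```csharp
using System;
using System.Net;
using System.Text.RegularExpressions;

// Added example (not from the original post). Assumes System.Net.WebUtility,
// available from .NET 4 onward; AntiXSS Encoder.HtmlEncode is a drop-in alternative.
public static class SafeText
{
    // Matches Windows, old-Mac and Unix line endings so every form becomes one <br />.
    private static readonly Regex NewLine = new Regex(@"\r\n|\r|\n", RegexOptions.Compiled);

    // Encode first: user-supplied '<', '>', '&' and quotes become entities, so no
    // markup from the user survives. HtmlEncode leaves newline characters untouched,
    // so they can be turned into <br /> afterwards. Because the tags are inserted
    // after encoding, the only markup in the result is the markup this method adds,
    // and it is emitted exactly as written (no sanitizer rewrites it to <br>).
    public static string ToHtmlWithLineBreaks(string userText)
    {
        if (string.IsNullOrEmpty(userText))
        {
            return string.Empty;
        }

        string encoded = WebUtility.HtmlEncode(userText);
        return NewLine.Replace(encoded, "<br />");
    }

    public static void Main()
    {
        // Constructed sample input: an injection attempt between two lines of text.
        string input = "Hello\r\n<script>alert(1)</script>\nBye";
        Console.WriteLine(ToHtmlWithLineBreaks(input));
    }
}
```

The returned string is already HTML and must be written to the page without a second encoding pass (for example as an `HtmlString` in Razor, or via a `Literal` control in Web Forms); if the view engine encodes it again the `<br />` tags will appear as literal text. Encoding on output like this is the control that actually prevents XSS; encoding on input as well is the belt-and-braces the question mentions, but it must not be the only layer.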