We are using the HtmlSanitizer .NET library, which:
- Is open-source (MIT) – GitHub link
- Is fully customizable, e.g. configure which elements should be removed (see wiki)
- Is actively maintained
- Doesn’t have the problems of the Microsoft Anti-XSS library
- Is unit tested with the OWASP XSS Filter Evasion Cheat Sheet
- Is specially built for this (in contrast to HTML Agility Pack, which is a parser – not a sanitizer)
- Doesn’t use regular expressions (HTML isn’t a regular language!)
Also on NuGet
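
A sketch of the customization mentioned in the list above, added here as an example (it is not part of the original answer or the project's own documentation). It assumes the HtmlSanitizer NuGet package with the `Ganss.Xss` namespace (older releases use `Ganss.XSS`); the input string is constructed sample data.

```csharp
using System;
using Ganss.Xss; // assumption: HtmlSanitizer 7+; older releases use Ganss.XSS

class Program
{
    static void Main()
    {
        var sanitizer = new HtmlSanitizer();

        // Tighten the default allow-list: drop elements this application never needs.
        sanitizer.AllowedTags.Remove("img");
        sanitizer.AllowedTags.Remove("form");

        // Drop inline styles entirely and make the permitted URL schemes explicit.
        sanitizer.AllowedAttributes.Remove("style");
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("http");
        sanitizer.AllowedSchemes.Add("https");

        // Log what gets stripped so rejected markup is visible to monitoring.
        sanitizer.RemovingTag += (sender, e) =>
            Console.Error.WriteLine($"removed <{e.Tag.TagName.ToLowerInvariant()}> ({e.Reason})");
        sanitizer.RemovingAttribute += (sender, e) =>
            Console.Error.WriteLine($"removed attribute {e.Attribute.Name} ({e.Reason})");

        // Constructed sample input, standing in for untrusted user-supplied HTML.
        var untrusted =
            "<p onclick=\"track()\">Hello <b>world</b></p>" +
            "<script>alert(1)</script>" +
            "<a href=\"javascript:alert(1)\">link</a>" +
            "<img src=\"x.png\">";

        // The second argument is the base URL used to resolve relative links.
        var clean = sanitizer.Sanitize(untrusted, "https://www.example.com");
        Console.WriteLine(clean);
    }
}
```

Sanitized output still needs to be placed in an HTML body context; it is not safe to drop into an attribute value or a script block without context-specific encoding.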