diff --git a/HtmlSanitizer/EventArgs.cs b/HtmlSanitizer/EventArgs.cs
index 3048a47..c381968 100644
--- a/HtmlSanitizer/EventArgs.cs
+++ b/HtmlSanitizer/EventArgs.cs
@@ -6,7 +6,7 @@ using System.Linq;
using System.Text;
using System.Threading.Tasks;
-namespace Html
+namespace XSS
{
///
/// Provides data for the event.
diff --git a/HtmlSanitizer/HtmlSanitizer.cs b/HtmlSanitizer/HtmlSanitizer.cs
index 16e4bb8..11a332d 100644
--- a/HtmlSanitizer/HtmlSanitizer.cs
+++ b/HtmlSanitizer/HtmlSanitizer.cs
@@ -6,7 +6,7 @@ using System.Globalization;
using System.Linq;
using System.Text.RegularExpressions;
-namespace Html
+namespace XSS
{
///
/// Cleans HTML fragments from constructs that can lead to XSS attacks.
@@ -45,8 +45,18 @@ namespace Html
///
///
public class HtmlSanitizer
- {
- private IEnumerable _allowedSchemes;
+ {
+ ///
+ /// Initializes a new instance of the class.
+ ///
+ public HtmlSanitizer()
+ {
+ AllowedTags = new HashSet(DefaultAllowedTags);
+ AllowedSchemes = new HashSet(DefaultAllowedSchemes);
+ AllowedAttributes = new HashSet(DefaultAllowedAttributes);
+ UriAttributes = new HashSet(DefaultUriAttributes);
+ AllowedCssProperties = new HashSet(DefaultAllowedCssProperties);
+ }
///
/// Gets or sets the allowed HTTP schemes such as "http" and "https".
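Review bot: The five sets built in the new constructor drop the `StringComparer.OrdinalIgnoreCase` that the removed `AllowedAttributesSet`, `UriAttributesSet` and `AllowedCssPropertiesSet` were constructed with, and the `Default*` statics they copy from are built without a comparer too, so every later `Contains` lookup on `AllowedAttributes`, `UriAttributes` and `AllowedCssProperties` becomes case-sensitive. For the allow-lists themselves that is fail-closed, but it cuts the other way on `UriAttributes`: if the DOM preserves the source casing of attribute names (not visible here), an attribute such as `HREF` that a caller has added to `AllowedAttributes` in that casing would be kept yet no longer matched by `UriAttributes`, so its value would bypass `SanitizeUrl`; `AllowedSchemes`, consumed in `SanitizeUrl` outside this hunk, may be affected the same way. Passing the comparer explicitly restores the previous matching regardless of what the parser does; the generic type argument appears to have been stripped in this rendering and is restored below.
```csharp
public HtmlSanitizer()
{
    AllowedTags = new HashSet<string>(DefaultAllowedTags, StringComparer.OrdinalIgnoreCase);
    AllowedSchemes = new HashSet<string>(DefaultAllowedSchemes, StringComparer.OrdinalIgnoreCase);
    AllowedAttributes = new HashSet<string>(DefaultAllowedAttributes, StringComparer.OrdinalIgnoreCase);
    UriAttributes = new HashSet<string>(DefaultUriAttributes, StringComparer.OrdinalIgnoreCase);
    AllowedCssProperties = new HashSet<string>(DefaultAllowedCssProperties, StringComparer.OrdinalIgnoreCase);
}
```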
@@ -54,18 +64,12 @@ namespace Html
///
/// The allowed HTTP schemes.
///
- public IEnumerable AllowedSchemes
- {
- get { return _allowedSchemes ?? DefaultAllowedSchemes; }
- set { _allowedSchemes = value; }
- }
+ public ISet AllowedSchemes { get; private set; }
///
/// The default allowed URI schemes.
///
- public static readonly IEnumerable DefaultAllowedSchemes = new[] { "http", "https" };
-
- private IEnumerable _allowedTags;
+ public static readonly ISet DefaultAllowedSchemes = new HashSet { "http", "https" };
///
/// Gets or sets the allowed HTML tag names such as "a" and "div".
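Review bot: `DefaultAllowedSchemes` is now a mutable `HashSet` published through a `public static readonly ISet`, so any code holding a reference can call `HtmlSanitizer.DefaultAllowedSchemes.Add("javascript")` and silently widen the defaults for every sanitizer constructed afterwards in the process; the array it replaces could not grow. Since the new constructor only copies the defaults into per-instance sets, the static needs to be no more than a read-only sequence: `public static readonly IEnumerable<string> DefaultAllowedSchemes = Array.AsReadOnly(new[] { "http", "https" });` — the same applies to the other `Default*` sets changed in this file. Separately, the unchanged doc comment on `AllowedTags` in this hunk still says "Gets or sets" although the setter is now private; it should read `/// Gets the allowed HTML tag names; the set is mutable, so add or remove entries in place.`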
@@ -73,16 +77,12 @@ namespace Html
///
/// The allowed tag names.
///
- public IEnumerable AllowedTags
- {
- get { return _allowedTags ?? DefaultAllowedTags; }
- set { _allowedTags = value; }
- }
-
+ public ISet AllowedTags { get; private set; }
+
///
/// The default allowed HTML tag names.
///
- public static readonly IEnumerable DefaultAllowedTags = new[] { "a", "abbr", "acronym", "address", "area", "b",
+ public static readonly ISet DefaultAllowedTags = new HashSet { "a", "abbr", "acronym", "address", "area", "b",
"big", "blockquote", "br", "button", "caption", "center", "cite",
"code", "col", "colgroup", "dd", "del", "dfn", "dir", "div", "dl", "dt",
"em", "fieldset", "font", "form", "h1", "h2", "h3", "h4", "h5", "h6",
@@ -98,27 +98,12 @@ namespace Html
///
/// The allowed HTML attributes.
///
- public IEnumerable AllowedAttributes
- {
- get { return AllowedAttributesSet.ToArray(); }
- set
- {
- AllowedAttributesSet = new HashSet(value, StringComparer.OrdinalIgnoreCase);
- }
- }
-
- private HashSet _allowedAttributesSet;
-
- private HashSet AllowedAttributesSet
- {
- get { return _allowedAttributesSet ?? DefaultAllowedAttributesSet; }
- set { _allowedAttributesSet = value; }
- }
+ public ISet AllowedAttributes { get; private set; }
///
/// The default allowed HTML attributes.
///
- public static readonly IEnumerable DefaultAllowedAttributes = new[] { "abbr", "accept", "accept-charset", "accesskey",
+ public static readonly ISet DefaultAllowedAttributes = new HashSet { "abbr", "accept", "accept-charset", "accesskey",
"action", "align", "alt", "axis", "bgcolor", "border", "cellpadding",
"cellspacing", "char", "charoff", "charset", "checked", "cite", /* "class", */
"clear", "cols", "colspan", "color", "compact", "coords", "datetime",
@@ -129,7 +114,6 @@ namespace Html
"rows", "rowspan", "rules", "scope", "selected", "shape", "size",
"span", "src", "start", "style", "summary", "tabindex", "target", "title",
"type", "usemap", "valign", "value", "vspace", "width" };
- private static HashSet DefaultAllowedAttributesSet = new HashSet(DefaultAllowedAttributes, StringComparer.OrdinalIgnoreCase);
///
/// Gets or sets the HTML attributes that can contain a URI.
@@ -137,28 +121,12 @@ namespace Html
///
/// The URI attributes.
///
- public IEnumerable UriAttributes
- {
- get { return _uriAttributesSet.ToArray(); }
- set
- {
- UriAttributesSet = new HashSet(value, StringComparer.OrdinalIgnoreCase);
- }
- }
-
- private HashSet _uriAttributesSet;
-
- private HashSet UriAttributesSet
- {
- get { return _uriAttributesSet ?? DefaultUriAttributesSet; }
- set { _uriAttributesSet = value; }
- }
+ public ISet UriAttributes { get; private set; }
///
/// The default URI attributes.
///
- public static readonly IEnumerable DefaultUriAttributes = new[] { "action", "background", "dynsrc", "href", "lowsrc", "src" };
- private static HashSet DefaultUriAttributesSet = new HashSet(DefaultUriAttributes, StringComparer.OrdinalIgnoreCase);
+ public static readonly ISet DefaultUriAttributes = new HashSet { "action", "background", "dynsrc", "href", "lowsrc", "src" };
///
/// Gets or sets the allowed CSS properties.
@@ -166,27 +134,12 @@ namespace Html
///
/// The allowed CSS properties.
///
- public IEnumerable AllowedCssProperties
- {
- get { return AllowedCssPropertiesSet.ToArray(); }
- set
- {
- AllowedCssPropertiesSet = new HashSet(value, StringComparer.OrdinalIgnoreCase);
- }
- }
-
- private HashSet _allowedCssPropertiesSet;
-
- private HashSet AllowedCssPropertiesSet
- {
- get { return _allowedCssPropertiesSet ?? DefaultAllowedCssPropertiesSet; }
- set { _allowedCssPropertiesSet = value; }
- }
+ public ISet AllowedCssProperties { get; private set; }
///
/// The default allowed CSS properties.
///
- public static readonly IEnumerable DefaultAllowedCssProperties = new[] {
+ public static readonly ISet DefaultAllowedCssProperties = new HashSet {
// CSS 3 properties
"background", "background-attachment", "background-color",
"background-image", "background-position", "background-repeat",
@@ -212,7 +165,6 @@ namespace Html
"text-align", "text-decoration", "text-indent", "text-transform",
"top", "unicode-bidi", "vertical-align", "visibility", "white-space",
"widows", "width", "word-spacing", "z-index" };
- private static HashSet DefaultAllowedCssPropertiesSet = new HashSet(DefaultAllowedCssProperties, StringComparer.OrdinalIgnoreCase);
private Regex _disallowedCssPropertyValue;
@@ -289,7 +241,7 @@ namespace Html
{
var dom = CQ.Create(html);
- foreach (var tag in dom["*"].Not(string.Join(",", AllowedTags.ToArray())).ToList())
+ foreach (var tag in dom["*"].Not(string.Join(",", AllowedTags)).ToList())
{
var e = new RemovingTagEventArgs { Tag = tag };
OnRemovingTag(e);
@@ -298,12 +250,12 @@ namespace Html
foreach (var tag in dom["*"])
{
- foreach (var attribute in tag.Attributes.Where(a => !AllowedAttributesSet.Contains(a.Key)).ToList())
+ foreach (var attribute in tag.Attributes.Where(a => !AllowedAttributes.Contains(a.Key)).ToList())
{
RemoveAttribute(tag, attribute);
}
- foreach (var attribute in tag.Attributes.Where(a => UriAttributesSet.Contains(a.Key)).ToList())
+ foreach (var attribute in tag.Attributes.Where(a => UriAttributes.Contains(a.Key)).ToList())
{
var url = SanitizeUrl(attribute.Value, baseUrl);
if (url == null)
@@ -366,7 +318,7 @@ namespace Html
var key = DecodeCss(style.Key);
var val = DecodeCss(style.Value);
- if (!AllowedCssPropertiesSet.Contains(key) || CssExpression.IsMatch(val) || DisallowCssPropertyValue.IsMatch(val))
+ if (!AllowedCssProperties.Contains(key) || CssExpression.IsMatch(val) || DisallowCssPropertyValue.IsMatch(val))
removeStyles.Add(style);
else
{
diff --git a/HtmlSanitizer/Properties/AssemblyInfo.cs b/HtmlSanitizer/Properties/AssemblyInfo.cs
index ae9018d..4cb05eb 100644
--- a/HtmlSanitizer/Properties/AssemblyInfo.cs
+++ b/HtmlSanitizer/Properties/AssemblyInfo.cs
@@ -32,4 +32,4 @@ using System.Runtime.InteropServices;
// You can specify all the values or you can default the Build and Revision Numbers
// by using the '*' as shown below:
// [assembly: AssemblyVersion("1.0.*")]
-[assembly: AssemblyVersion("1.1.*")]
+[assembly: AssemblyVersion("2.0.*")]