JacksonBruce/HtmlSanitizer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
34 Commits 1 Branch 0 Tags
c8b5e5f806f9d3f0c452ee463fc6e13e2e469c53
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Michael Ganss c8b5e5f806 Add .gitattributes
2014-11-25 17:34:29 +01:00
HtmlSanitizer
Fix crlf issue
2014-11-25 17:28:08 +01:00
HtmlSanitizer.Tests
fixing namespace for unittests
2014-11-25 16:08:39 +01:00
.gitattributes
Add .gitattributes
2014-11-25 17:34:29 +01:00
.gitignore
Remove NuGet packages from repo
2014-01-21 17:44:40 +01:00
HtmlSanitizer.sln
- split tests into separate project
2013-06-26 17:05:51 +02:00
LICENSE.md
added LICENSE.md
2013-06-25 17:24:36 +02:00
README.md
Update README.md
2014-11-25 17:09:35 +01:00

README.md

HtmlSanitizer

HtmlSanitizer is a class for cleaning HTML fragments from constructs that can lead to XSS attacks. It uses the excellent C# jQuery port CsQuery to parse, manipulate, and render HTML and CSS.

In order to facilitate different use cases, HtmlSanitizer can be customized at several levels:

  • Configure allowed HTML tags through the property AllowedTags. All other tags will be stripped.
  • Configure allowed HTML attributes through the property AllowedAttributes. All other attributes will be stripped.
  • Configure allowed CSS property names through the property AllowedCssProperties. All other styles will be stripped.
  • Configure allowed URI schemes through the property AllowedSchemes. All other URIs will be stripped.
  • Configure HTML attributes that contain URIs (such as "src", "href" etc.) through the property UriAttributes.
  • Provide a base URI that will be used to resolve relative URIs against.
  • Cancelable events are raised before a tag, attribute, or style is removed.

Tags allowed by default

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr

Attributes allowed by default

abbr, accept, accept-charset, accesskey, action, align, alt, autocomplete, autosave, axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset, checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime, dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href, hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength, media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum, pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev, reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src, start, step, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, wrap

CSS properties allowed by default

background, background-attachment, background-color, background-image, background-position, background-repeat, border, border-bottom, border-bottom-color, border-bottom-style, border-bottom-width, border-collapse, border-color, border-left, border-left-color, border-left-style, border-left-width, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-style, border-top-width, border-width, bottom, caption-side, clear, clip, color, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, float, font, font-family, font-size, font-style, font-variant, font-weight, height, left, letter-spacing, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width, min-height, min-width, opacity, orphans, outline, outline-color, outline-style, outline-width, overflow, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, quotes, right, table-layout, text-align, text-decoration, text-indent, text-transform, top, unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing, z-index

URI schemes allowed by default

http, https

Default attributes that contain URIs

action, background, dynsrc, href, lowsrc, src

Usage

Install the HtmlSanitizer NuGet package. Then:

var sanitizer = new HtmlSanitizer();
var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
    + @"style=""background-color: test"">Test<img src=""test.gif"""
    + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
Assert.That(sanitized, Is.EqualTo(@"<div style=""background-color: test"">"
    + @"Test<img style=""margin: 10px"" src=""http://www.example.com/test.gif""></div>");

License

MIT X11

Description
No description provided
Readme 2 MiB
Languages
C# 100%