/// <summary>
/// Sanitizes one attribute of a tag according to <paramref name="rule"/>. The attribute name is
/// case-folded first so that rule lookups and the "class" special case are case-insensitive.
/// </summary>
/// <param name="attribute">The attribute under review; it may be renamed, have its value rewritten, or be removed in place.</param>
/// <param name="rule">The tag rule whose CheckAttributes / SetAttributes tables drive the decision.</param>
/// <returns>
/// <see cref="SanitizerOperation.DoNothing"/> once the attribute itself has been handled (kept, rewritten or removed),
/// or a FlattenTag / RemoveTag verdict produced by an attribute check, which the caller must apply to the whole tag.
/// </returns>
/// <exception cref="InvalidOperationException">An attribute check returned an operation this method does not understand.</exception>
private SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule rule)
{
    // Case-fold the name so "HREF" and "href" resolve to the same rule entries.
    attribute.Name = attribute.Name.ToLowerInvariant();

    // "class" is governed by the global CSS class whitelist, not by the tag rule. Per the
    // contract implied by the original comment, a false result means the attribute was already
    // removed, so there is nothing left to do.
    // TODO: this could become a global attribute check instead of a special case.
    if (attribute.Name == "class" && !ApplyCssWhitelist(attribute))
    {
        return SanitizerOperation.DoNothing;
    }

    // Run the rule's attribute check, if one is configured for this name.
    HtmlSanitizerCheckType checkType;
    if (rule.CheckAttributes.TryGetValue(attribute.Name, out checkType))
    {
        // NOTE(review): a check type that RegisterChecks never added is looked up by indexer here and
        // presumably throws (KeyNotFoundException if the registry is a Dictionary), so an incomplete
        // registry fails closed rather than letting the attribute through — confirm the registry type.
        SanitizerOperation verdict = AttributeCheckRegistry[checkType](attribute);

        if (verdict == SanitizerOperation.FlattenTag || verdict == SanitizerOperation.RemoveTag)
        {
            // Tag-level verdicts cannot be applied from inside a single attribute; hand them up.
            // The caller is expected to discard all attributes along with the tag.
            return verdict;
        }

        if (verdict == SanitizerOperation.RemoveAttribute)
        {
            attribute.Remove();
            return SanitizerOperation.DoNothing;
        }

        if (verdict != SanitizerOperation.DoNothing)
        {
            throw new InvalidOperationException("Unspported sanitation operation.");
        }
    }

    // A rule may pin the attribute to a fixed value regardless of what the input carried.
    string pinnedValue;
    if (rule.SetAttributes.TryGetValue(attribute.Name, out pinnedValue))
    {
        attribute.Value = pinnedValue;
    }

    // Blacklist mode: any attribute the rule does not list in CheckAttributes is kept as-is
    // (that includes event-handler attributes such as on*), so rules must be written deliberately.
    if (!WhiteListMode)
    {
        return SanitizerOperation.DoNothing;
    }

    // Whitelist mode: drop attributes the rule neither checks nor sets. "class" is exempt
    // because the CSS whitelist above has already vetted it.
    // TODO: generalizing attribute rules to cover both checks and overrides would untangle this.
    bool mentionedByRule = rule.SetAttributes.ContainsKey(attribute.Name)
        || rule.CheckAttributes.ContainsKey(attribute.Name)
        || attribute.Name == "class";
    if (!mentionedByRule)
    {
        attribute.Remove();
    }

    return SanitizerOperation.DoNothing;
}
/// <summary>
/// Populates <c>AttributeCheckRegistry</c> with the built-in attribute checks, keyed by
/// <see cref="HtmlSanitizerCheckType"/>. SanitizeAttribute indexes the registry directly, so every
/// check type a tag rule may reference must be added here.
/// </summary>
private void RegisterChecks()
{
    // Url: delegates to the UrlCheckHandler method defined elsewhere in this class.
    HtmlSanitizerAttributeCheckHandler urlCheck = new HtmlSanitizerAttributeCheckHandler(UrlCheckHandler);

    // AllowAttribute: an unconditional pass-through. The attribute value is kept verbatim, so
    // this should only be used for attributes whose content cannot carry a URL or script.
    HtmlSanitizerAttributeCheckHandler passThrough = new HtmlSanitizerAttributeCheckHandler(_ => SanitizerOperation.DoNothing);

    // Add (not the indexer) is used on purpose: registering the same check type twice is an error.
    AttributeCheckRegistry.Add(HtmlSanitizerCheckType.Url, urlCheck);
    AttributeCheckRegistry.Add(HtmlSanitizerCheckType.AllowAttribute, passThrough);
}
/// <summary>
/// Populates <c>AttributeCheckRegistry</c> with the built-in attribute check handlers, keyed by
/// <see cref="HtmlSanitizerCheckType"/>. SanitizeAttribute indexes the registry directly, so every
/// check type a tag rule may reference must be added here.
/// </summary>
private void RegisterChecks()
{
    // One handler instance per check type; the handler classes are defined elsewhere in the project.
    UrlCheckHandler urlCheck = new UrlCheckHandler();
    AllowAttributeHandler allowAttribute = new AllowAttributeHandler();
    UrlOrBase64DataCheckHandler urlOrDataCheck = new UrlOrBase64DataCheckHandler();

    // NOTE(review): UrlOrBase64Data presumably admits data: URIs in addition to ordinary URLs.
    // Base64 data: payloads can carry SVG or HTML with script, so confirm that handler restricts
    // the media type (or that rules only apply it to attributes such as img src) before relying on it.

    // Add (not the indexer) is used on purpose: registering the same check type twice is an error.
    AttributeCheckRegistry.Add(HtmlSanitizerCheckType.Url, urlCheck);
    AttributeCheckRegistry.Add(HtmlSanitizerCheckType.AllowAttribute, allowAttribute);
    AttributeCheckRegistry.Add(HtmlSanitizerCheckType.UrlOrBase64Data, urlOrDataCheck);
}