/// <summary>
/// Runs the markup through HtmlSanitizer using the configured element/attribute
/// whitelist. When the whitelist feature is switched off the input is returned untouched.
/// </summary>
/// <param name="html">Markup to sanitize.</param>
/// <returns>
/// The sanitized markup, or <paramref name="html"/> unchanged when
/// <c>UseHtmlWhiteList</c> is disabled.
/// </returns>
private string RemoveHarmfulTags(string html)
{
    // Feature flag: with the whitelist disabled nothing is stripped at all.
    if (!_applicationSettings.UseHtmlWhiteList)
    {
        return html;
    }

    HtmlWhiteList whiteList = GetCachedWhiteList();

    string[] tagNames = whiteList.ElementWhiteList
        .Select(element => element.Name)
        .ToArray();

    // The configured list is per element, but HtmlSanitizer's AllowedAttributes is a
    // single flat set: flattening here means an attribute allowed for one element
    // becomes allowed on every whitelisted element.
    string[] attributeNames = whiteList.ElementWhiteList
        .SelectMany(element => element.AllowedAttributes.Select(attribute => attribute.Name))
        .ToArray();

    // NOTE(review): an empty configured list is passed as null, which HtmlSanitizer
    // treats as "use the library's built-in default list" rather than "allow nothing",
    // so an empty whitelist widens rather than narrows what survives — confirm that
    // fallback is intended. The null scheme argument likewise takes the library's
    // default scheme list, which is extended with mailto below.
    var sanitizer = new HtmlSanitizer(
        tagNames.Length == 0 ? null : tagNames,
        null,
        attributeNames.Length == 0 ? null : attributeNames);

    sanitizer.AllowDataAttributes = false;
    // "class" and "id" are permitted globally on top of the configured attributes.
    sanitizer.AllowedAttributes.Add("class");
    sanitizer.AllowedAttributes.Add("id");
    sanitizer.AllowedSchemes.Add("mailto");
    sanitizer.RemovingAttribute += Sanitizer_RemovingAttribute;

    return sanitizer.Sanitize(html);
}
/// <summary>
/// Returns the HTML whitelist, deserializing it from the application settings on
/// first use and serving it from the memory cache afterwards.
/// </summary>
/// <returns>The cached or freshly deserialized <see cref="HtmlWhiteList"/>.</returns>
private HtmlWhiteList GetCachedWhiteList()
{
    HtmlWhiteList cached = _memoryCache.Get(_cacheKey) as HtmlWhiteList;
    if (cached != null)
    {
        return cached;
    }

    HtmlWhiteList fresh = HtmlWhiteList.Deserialize(_applicationSettings);

    // A default CacheItemPolicy carries no expiration, so the whitelist stays cached
    // until the entry is evicted or the process restarts; changes to the whitelist
    // settings are not picked up before then. Two concurrent first calls may both
    // deserialize; the second Add is then a no-op for an existing key.
    _memoryCache.Add(_cacheKey, fresh, new CacheItemPolicy());

    return fresh;
}