/// <summary>
/// Create a new cleaner, that sanitizes documents using the supplied whitelist.
/// </summary>
/// <param name="whitelist">white-list to clean with</param>
public Cleaner(Whitelist whitelist)
{
if (whitelist == null)
{
throw new ArgumentNullException("whitelist");
}
this._whitelist = whitelist;
}
/// <summary>
/// Create a new cleaner, that sanitizes documents using the supplied whitelist.
/// </summary>
/// <param name="whitelist">white-list to clean with</param>
public Cleaner(Whitelist whitelist)
{
if (whitelist == null)
{
throw new ArgumentNullException("whitelist");
}
this._whitelist = whitelist;
}
public void addsTagOnAttributesIfNotSet()
{
String html = "<p class='foo' src='bar'>One</p>";
Whitelist whitelist = new Whitelist()
.AddAttributes("p", "class");
// ^^ whitelist does not have explicit tag add for p, inferred from add attributes.
String clean = NSoupClient.Clean(html, whitelist);
Assert.AreEqual("<p class=\"foo\">One</p>", clean);
}
/// <summary>
/// Test if the input HTML has only tags and attributes allowed by the Whitelist. Useful for form validation. The input HTML should
/// still be run through the cleaner to set up enforced attributes, and to tidy the output.
/// </summary>
/// <param name="bodyHtml">HTML to test</param>
/// <param name="whitelist">whitelist to test against</param>
/// <returns>true if no tags or attributes were removed; false otherwise</returns>
/// <seealso cref="Clean(string, NSoup.Safety.Whitelist)"/>
public static bool IsValid(string bodyHtml, Whitelist whitelist)
{
Document dirty = ParseBodyFragment(bodyHtml, string.Empty);
Cleaner cleaner = new Cleaner(whitelist);
return cleaner.IsValid(dirty);
}
/// <summary>
/// Get safe HTML from untrusted input HTML, by parsing input HTML and filtering it through a white-list of
/// permitted tags and attributes.
/// </summary>
/// <param name="bodyHtml">Input untrusted HTML (body fragment)</param>
/// <param name="baseUri">URL to resolve relative URLs against</param>
/// <param name="whitelist">White-list of permitted HTML elements</param>
/// <param name="outputSettings">Document output settings; use to control pretty-printing and entity escape modes</param>
/// <returns>Safe HTML (body fragment)</returns>
/// <see cref="Cleaner.Clean(Document)"/>
public static string Clean(string bodyHtml, string baseUri, Whitelist whitelist, OutputSettings outputSettings)
{
Document dirty = ParseBodyFragment(bodyHtml, baseUri);
Cleaner cleaner = new Cleaner(whitelist);
Document clean = cleaner.Clean(dirty);
clean.OutputSettings(outputSettings);
return clean.Body.Html();
}
/// <summary>
/// Get safe HTML from untrusted input HTML, by parsing input HTML and filtering it through a white-list of permitted
/// tags and attributes.
/// </summary>
/// <param name="bodyHtml">Input untrusted HTML (body fragment)</param>
/// <param name="whitelist">White-list of permitted HTML elements</param>
/// <returns>Safe HTML (body fragment)</returns>
/// <seealso cref="Cleaner.Clean(Document)"/>
public static string Clean(string bodyHtml, Whitelist whitelist)
{
return Clean(bodyHtml, string.Empty, whitelist);
}
public void handlesAllPseudoTag()
{
String html = "<p class='foo' src='bar'><a class='qux'>link</a></p>";
Whitelist whitelist = new Whitelist()
.AddAttributes(":all", "class")
.AddAttributes("p", "style")
.AddTags("p", "a");
String clean = NSoupClient.Clean(html, whitelist);
Assert.AreEqual("<p class=\"foo\"><a class=\"qux\">link</a></p>", clean);
}