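/// <summary>
/// Sanitizes the specified HTML.
/// </summary>
/// <remarks>
/// Processing order per element: disallowed elements are removed first (together
/// with their subtrees), then attributes are reduced to the allow-list, URL-bearing
/// attributes are passed through <c>SanitizeUrl</c>, the inline style is filtered by
/// <c>SanitizeStyle</c>, and finally any attribute value matching <c>JSInclude</c> is
/// dropped and angle brackets in the remaining values are escaped.
/// </remarks>
/// <param name="html">The HTML to sanitize.</param>
/// <param name="baseUrl">The base URL relative URLs are resolved against. No resolution if empty.</param>
/// <returns>The sanitized HTML.</returns>
public string Sanitize(string html, string baseUrl = "")
{
    var dom = CQ.Create(html);

    // Remove every element whose tag is not allowed. Remove() takes the element's
    // subtree with it, so content nested inside a disallowed element is discarded,
    // not unwrapped.
    dom["*"].Not(string.Join(",", AllowedTags)).Remove();

    foreach (var tag in dom["*"])
    {
        // ToList() snapshots the attribute collection before it is mutated below.
        foreach (var attribute in tag.Attributes.Where(a => !AllowedAttributesSet.Contains(a.Key)).ToList())
        {
            tag.RemoveAttribute(attribute.Key);
        }

        // A null result from SanitizeUrl means the URL was rejected; the attribute
        // is dropped rather than left with an unchecked value.
        foreach (var attribute in tag.Attributes.Where(a => UriAttributes.Contains(a.Key)).ToList())
        {
            var url = SanitizeUrl(attribute.Value, baseUrl);
            if (url == null)
            {
                tag.RemoveAttribute(attribute.Key);
            }
            else
            {
                tag.SetAttribute(attribute.Key, url);
            }
        }

        SanitizeStyle(tag.Style, baseUrl);

        foreach (var attribute in tag.Attributes.ToList())
        {
            if (JSInclude.IsMatch(attribute.Value))
            {
                tag.RemoveAttribute(attribute.Key);
                // Without this, the escaping step below would call SetAttribute and
                // re-add the attribute that was just removed.
                continue;
            }

            // Escape angle brackets in attribute values. The previous version replaced
            // "<" and ">" with themselves, which was a no-op.
            var val = attribute.Value;
            if (val.Contains('<') || val.Contains('>'))
            {
                val = val.Replace("<", "&lt;").Replace(">", "&gt;");
                tag.SetAttribute(attribute.Key, val);
            }
        }
    }

    var output = dom.Render(DomRenderingOptions.RemoveComments | DomRenderingOptions.QuoteAllAttributes);
    return output;
}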
/// <summary>
/// Extends the inherited allow-lists with the tags, attributes and CSS property
/// needed by the generated document, and routes every Removing* event to
/// <c>ChangedEvent</c> (defined elsewhere in the class).
/// </summary>
internal Md2HtmlSanitizer()
{
    string[] extraTags = { "meta", "style" };
    string[] extraAttributes = { "content", "http-equiv" };

    foreach (var tagName in extraTags)
    {
        AllowedTags.Add(tagName);
    }

    foreach (var attributeName in extraAttributes)
    {
        AllowedAttributes.Add(attributeName);
    }

    // NOTE(review): "src" is not a standard CSS property name; presumably intended
    // for the @font-face src descriptor — confirm against the base class.
    AllowedCssProperties.Add("src");

    // All removals are reported through a single handler.
    RemovingAtRule += ChangedEvent;
    RemovingAttribute += ChangedEvent;
    RemovingCssClass += ChangedEvent;
    RemovingStyle += ChangedEvent;
    RemovingTag += ChangedEvent;
}
/// <summary>
/// Builds a sanitizer with a minimal allow-list: a handful of block and inline
/// text tags, <c>href</c> as the only attribute, and no CSS properties or at-rules.
/// The base class's own URL handling is assumed to apply to <c>href</c> — confirm.
/// </summary>
public HtmlSanitizer() : base()
{
    string[] textTags = { "p", "h2", "strong", "em", "ul", "ol", "li", "a", "br" };

    // Start from an empty list rather than the base defaults.
    AllowedTags.Clear();
    foreach (var tagName in textTags)
    {
        AllowedTags.Add(tagName);
    }

    AllowedAttributes.Clear();
    AllowedAttributes.Add("href");

    AllowedCssProperties.Clear();
    AllowedAtRules.Clear();
}
/// <summary>
/// Extends the inherited allow-lists for the generated document: header tags and
/// attributes, a set of layout/transition CSS properties, the <c>file</c> and
/// <c>data</c> URL schemes, and media/keyframe at-rules. Every Removing* event is
/// routed to <c>ChangedEvent</c> (defined elsewhere in the class).
/// </summary>
internal Md2HtmlSanitizer()
{
    string[] extraTags = { "meta", "style" };
    string[] extraAttributes = { "content", "http-equiv", "id", "class" };
    string[] extraCssProperties =
    {
        // NOTE(review): "src" is not a standard CSS property name; presumably
        // intended for the @font-face src descriptor — confirm against the base class.
        "src",
        "word-break", "word-wrap",
        "-moz-tab-size", "-o-tab-size", "tab-size",
        "-webkit-hyphens", "-moz-hyphens", "-ms-hyphens", "hyphens",
        "background-position-x", "background-position-y",
        "transition-property", "transition-duration", "transition-timing-function", "transition-delay",
        "box-shadow",
    };
    // Allowing file: and data: widens the URL surface beyond http(s): file: URLs can
    // reference local paths and data: URLs embed arbitrary content inline. Keep this
    // list as small as the rendering use case needs.
    string[] extraSchemes = { "file", "data" };
    CssRuleType[] extraAtRules = { CssRuleType.Media, CssRuleType.Keyframe, CssRuleType.Keyframes };

    foreach (var tagName in extraTags)
    {
        AllowedTags.Add(tagName);
    }

    foreach (var attributeName in extraAttributes)
    {
        AllowedAttributes.Add(attributeName);
    }

    foreach (var propertyName in extraCssProperties)
    {
        AllowedCssProperties.Add(propertyName);
    }

    foreach (var scheme in extraSchemes)
    {
        AllowedSchemes.Add(scheme);
    }

    foreach (var rule in extraAtRules)
    {
        AllowedAtRules.Add(rule);
    }

    // All removals are reported through a single handler.
    RemovingAtRule += ChangedEvent;
    RemovingAttribute += ChangedEvent;
    RemovingCssClass += ChangedEvent;
    RemovingStyle += ChangedEvent;
    RemovingTag += ChangedEvent;
}
/// <summary>
/// Determines whether the specified tag is allowed.
/// </summary>
/// <param name="tag">The tag.</param>
/// <returns><c>true</c> if the tag is allowed; otherwise, <c>false</c>.</returns>
private bool IsAllowedTag(IElement tag)
{
    // Membership is decided by node name only; whether the comparison is
    // case-sensitive depends on how AllowedTags was constructed — verify.
    var nodeName = tag.NodeName;
    return AllowedTags.Contains(nodeName);
}
/// <summary>
/// Determines whether the specified tag is allowed.
/// </summary>
/// <param name="tag">The tag.</param>
/// <returns><c>true</c> if the tag is allowed; otherwise, <c>false</c>.</returns>
private bool IsAllowedTag(IDomNode tag)
{
    // Membership is decided by node name only; whether the comparison is
    // case-sensitive depends on how AllowedTags was constructed — verify.
    var nodeName = tag.NodeName;
    return AllowedTags.Contains(nodeName);
}
/// <summary>
/// Looks up the definition registered for a tag name.
/// </summary>
/// <param name="tagName">The tag name used as the lookup key.</param>
/// <returns>
/// The matching <see cref="TagDefinition"/>, or <c>null</c> when the tag is not in
/// the allow-list. Callers must handle the null case.
/// </returns>
public TagDefinition GetTagDefinition(string tagName)
{
    TagDefinition definition;
    if (AllowedTags.TryGetValue(tagName, out definition))
    {
        return definition;
    }

    return null;
}