/// <summary>
/// Builds an <see cref="HtmlSanitizer"/> whose allow-lists (tags, URI schemes, attributes,
/// URI-carrying attributes and CSS properties) are all taken from <paramref name="policy"/>.
/// </summary>
/// <param name="policy">Policy supplying the allow-lists; must not be <c>null</c>.</param>
/// <returns>A freshly constructed sanitizer configured from the policy.</returns>
/// <exception cref="ArgumentNullException"><paramref name="policy"/> is <c>null</c>.</exception>
internal static HtmlSanitizer GetSanitizer(AntiXssPolicy policy)
{
    if (policy == null)
    {
        throw new ArgumentNullException(nameof(policy));
    }

    // Every allow-list comes from the policy so the sanitizer never falls back to library defaults.
    var configured = new HtmlSanitizer(
        policy.AllowedTags,
        policy.AllowedSchemes,
        policy.AllowedAttributes,
        policy.UriAttributes,
        policy.AllowedCssProperties);

    return configured;
}
/// <summary>
/// Runs the sanitizer over the request's unvalidated query string and hands the result, together
/// with the validated <c>QueryString</c> collection, to <c>RefreshRequestParams</c>.
/// Only the query string is processed; the header and form calls are present but disabled below.
/// </summary>
/// <param name="policy">Sanitization policy to apply; must not be <c>null</c>.</param>
/// <param name="request">Request whose query string is refreshed; must not be <c>null</c>.</param>
/// <exception cref="ArgumentNullException">
/// <paramref name="request"/> or <paramref name="policy"/> is <c>null</c> (request is reported first).
/// </exception>
public static void ApplyPolicy(AntiXssPolicy policy, HttpRequestBase request)
{
    // request is checked before policy so the parameter named in the exception is unchanged.
    if (request == null || policy == null)
    {
        throw new ArgumentNullException(request == null ? nameof(request) : nameof(policy));
    }

    // Header and form refreshing are intentionally left disabled here; only QueryString is refreshed.
    //RefreshRequestParams(request.Unvalidated.Headers, request.Headers, policy);
    RefreshRequestParams(request.Unvalidated.QueryString, request.QueryString, policy);
    //RefreshRequestParams(request.Unvalidated.Form, request.Form, policy);
}
/// <summary>
/// Sanitizes an untrusted HTML fragment under <paramref name="policy"/> by delegating to
/// <c>AntiXssSanitizer.Sanitize</c>.
/// </summary>
/// <param name="originHtmlString">The untrusted HTML fragment to sanitize.</param>
/// <param name="policy">Policy whose allow-lists decide which markup survives.</param>
/// <returns>The sanitized HTML string exactly as returned by <c>AntiXssSanitizer.Sanitize</c>.</returns>
public static string ToSafeHtmlString(this string originHtmlString, AntiXssPolicy policy)
{
    var sanitized = AntiXssSanitizer.Sanitize(originHtmlString, policy);
    return sanitized;
}
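/// <summary>
/// Sanitizes every value of <paramref name="unalidatedColl"/> with a sanitizer built from
/// <paramref name="policy"/> and returns the results keyed by parameter name.
/// </summary>
/// <param name="unalidatedColl">Raw (unvalidated) request parameters; must not be <c>null</c>.</param>
/// <param name="policy">Policy supplying the allow-lists, <c>BaseUrl</c> and <c>OutputFormatter</c>; must not be <c>null</c>.</param>
/// <returns>
/// A dictionary of parameter name to sanitized value. Entries with a <c>null</c> key are skipped,
/// because a <see cref="Dictionary{TKey, TValue}"/> cannot hold them (the original code threw
/// <see cref="ArgumentNullException"/> from inside its catch block on such a key).
/// If the sanitizer throws for a value, an HTML-encoded copy of the raw value is stored instead of
/// the raw value itself, so a sanitizer failure never passes unvalidated input through.
/// </returns>
/// <exception cref="ArgumentNullException">Either argument is <c>null</c>.</exception>
private static Dictionary<string, string> GetSanitizedDict(NameValueCollection unalidatedColl, AntiXssPolicy policy)
{
    if (unalidatedColl == null)
    {
        throw new ArgumentNullException(nameof(unalidatedColl));
    }
    if (policy == null)
    {
        throw new ArgumentNullException(nameof(policy));
    }

    var sanitizer = GetSanitizer(policy);
    var ret = new Dictionary<string, string>();

    foreach (var key in unalidatedColl.AllKeys)
    {
        if (key == null)
        {
            // NameValueCollection permits a null key (ASP.NET produces one for a query segment
            // without '='), but Dictionary does not. Skip it so the remaining parameters are still
            // sanitized instead of aborting the whole refresh.
            continue;
        }

        var raw = unalidatedColl[key];
        string safe;
        try
        {
            safe = sanitizer.Sanitize(raw, policy.BaseUrl, policy.OutputFormatter);
        }
        catch (Exception)
        {
            // Fail closed. The previous fallback stored the raw, unvalidated value, which silently
            // bypassed the policy whenever the sanitizer threw. An HTML-encoded copy is inert as
            // markup while still preserving the submitted text for the consumer.
            safe = System.Net.WebUtility.HtmlEncode(raw);
        }

        // AllKeys yields each key once, so Add cannot collide.
        ret.Add(key, safe);
    }

    return ret;
}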
/// <summary>
/// Sanitizes <paramref name="unalidatedColl"/> under <paramref name="policy"/> and passes the
/// resulting dictionary together with <paramref name="coll"/> to <c>SetReturnedRequest</c>.
/// </summary>
/// <param name="unalidatedColl">Raw (unvalidated) parameters to sanitize.</param>
/// <param name="coll">The validated collection handed to <c>SetReturnedRequest</c>.</param>
/// <param name="policy">Sanitization policy.</param>
/// <remarks>
/// Any <c>null</c> argument makes this a silent no-op rather than an error; callers that need the
/// refresh to have happened must check the arguments themselves.
/// </remarks>
private static void RefreshRequestParams(NameValueCollection unalidatedColl, NameValueCollection coll, AntiXssPolicy policy)
{
    var anyMissing = unalidatedColl == null || coll == null || policy == null;
    if (anyMissing)
    {
        return;
    }

    SetReturnedRequest(GetSanitizedDict(unalidatedColl, policy), coll);
}