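/// <summary>
/// Sanitizes one attribute of a tag according to <paramref name="rule"/>: normalizes its name,
/// applies the global CSS class whitelist, runs the rule's configured check, applies the rule's
/// value override and, in whitelist mode, drops anything the rule does not mention.
/// </summary>
/// <param name="attribute">
/// The attribute to sanitize. Its name is lower-cased in place and the attribute may be removed
/// from its owner or have its value replaced.
/// </param>
/// <param name="rule">The tag rule supplying per-attribute checks (<c>CheckAttributes</c>) and value overrides (<c>SetAttributes</c>).</param>
/// <returns>
/// <see cref="SanitizerOperation.DoNothing"/> when the attribute has been fully dealt with here
/// (kept, rewritten or removed); <see cref="SanitizerOperation.FlattenTag"/> or
/// <see cref="SanitizerOperation.RemoveTag"/> when a check escalates to the owning tag, which the
/// caller must then handle.
/// </returns>
/// <exception cref="InvalidOperationException">A check handler returned an operation this method does not know.</exception>
private SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule rule)
        {
            // Normalize the name before any rule lookup so "HREF" and "href" resolve to the same rule.
            // NOTE(review): ToLowerInvariant() is Unicode-aware while HTML attribute names are ASCII
            // case-insensitive. Assuming the serializer emits attribute.Name (not the original text) the
            // compared form is also the emitted form, so no sanitizer/browser mismatch arises — confirm
            // against the HtmlAttribute implementation in use.
            attribute.Name = attribute.Name.ToLowerInvariant();

            // The CSS class whitelist is applied globally, independent of the tag rule. When it strips the
            // whole attribute there is nothing left to check or override.
            // TODO: Implement this as a global attribute check?
            if (attribute.Name == "class")
            {
                if (!ApplyCssWhitelist(attribute))
                {
                    return(SanitizerOperation.DoNothing);
                }
            }

            // Resolve the check and the override once. The same answers decide the whitelist-mode
            // fallthrough below, so the rule is not queried a second time for the same name.
            HtmlSanitizerCheckType checkType;
            string                 valueOverride;
            bool hasCheck    = rule.CheckAttributes.TryGetValue(attribute.Name, out checkType);
            bool hasOverride = rule.SetAttributes.TryGetValue(attribute.Name, out valueOverride);

            // Run the configured check first. A rejected value removes the attribute (or escalates to the
            // tag) before any override is applied, so an override never "rescues" a value that failed its check.
            // An unregistered check type surfaces as a KeyNotFoundException from the registry — a
            // configuration error that fails closed rather than silently allowing the attribute.
            if (hasCheck)
            {
                SanitizerOperation operation = AttributeCheckRegistry[checkType](attribute);
                switch (operation)
                {
                case SanitizerOperation.FlattenTag:
                case SanitizerOperation.RemoveTag:

                    // Can't handle these at this level. Return now as all attributes will be discarded.
                    return(operation);

                case SanitizerOperation.RemoveAttribute:
                    attribute.Remove();
                    return(SanitizerOperation.DoNothing);

                case SanitizerOperation.DoNothing:
                    break;

                default:
                    throw new InvalidOperationException("Unspported sanitation operation.");
                }
            }

            // Replace the incoming value with the fixed value the rule dictates.
            if (hasOverride)
            {
                attribute.Value = valueOverride;
            }

            // Whitelist mode: an attribute the rule neither checks nor overrides is dropped. "class" is
            // exempt because the global CSS whitelist above has already decided what survives in it.
            // TODO: Wouldn't it be nicer if we generalized attribute rules for both checks and overrides? Would untangle code.
            if (WhiteListMode && !hasCheck && !hasOverride && attribute.Name != "class")
            {
                attribute.Remove();
            }

            // Attribute kept (possibly rewritten) or removed here; nothing for the caller to do.
            return(SanitizerOperation.DoNothing);
        }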
 /// <summary>
 /// Registers the built-in attribute check handlers in <c>AttributeCheckRegistry</c>.
 /// </summary>
 /// <remarks>
 /// <c>Url</c> routes the attribute through <c>UrlCheckHandler</c>. <c>AllowAttribute</c> is a
 /// pass-through that returns <see cref="SanitizerOperation.DoNothing"/> for any value, so it leaves
 /// the attribute's value completely unvetted; only assign it to attributes whose values are inert.
 /// Registration uses <c>Add</c>, so registering a check type twice throws.
 /// </remarks>
 private void RegisterChecks()
 {
     HtmlSanitizerAttributeCheckHandler urlCheck   = new HtmlSanitizerAttributeCheckHandler(UrlCheckHandler);
     HtmlSanitizerAttributeCheckHandler allowCheck = new HtmlSanitizerAttributeCheckHandler(_ => SanitizerOperation.DoNothing);

     AttributeCheckRegistry.Add(HtmlSanitizerCheckType.Url, urlCheck);
     AttributeCheckRegistry.Add(HtmlSanitizerCheckType.AllowAttribute, allowCheck);
 }
 /// <summary>
 /// Registers the built-in attribute check handlers in <c>AttributeCheckRegistry</c>.
 /// </summary>
 /// <remarks>
 /// Three handler objects are registered: a URL check, an allow-all pass-through, and a check that
 /// accepts either a URL or base64 data. The pass-through (<c>AllowAttributeHandler</c>) performs no
 /// vetting of the value, so it should only be mapped to attributes whose values cannot carry
 /// script or navigable URLs. Registration uses <c>Add</c>, so registering a check type twice throws.
 /// </remarks>
 private void RegisterChecks()
 {
     UrlCheckHandler          urlCheck          = new UrlCheckHandler();
     AllowAttributeHandler    allowCheck        = new AllowAttributeHandler();
     UrlOrBase64DataCheckHandler urlOrDataCheck = new UrlOrBase64DataCheckHandler();

     AttributeCheckRegistry.Add(HtmlSanitizerCheckType.Url, urlCheck);
     AttributeCheckRegistry.Add(HtmlSanitizerCheckType.AllowAttribute, allowCheck);
     AttributeCheckRegistry.Add(HtmlSanitizerCheckType.UrlOrBase64Data, urlOrDataCheck);
 }