        /// <summary>
        /// Sanitizes <paramref name="html"/> against the configured HTML whitelist when
        /// <c>UseHtmlWhiteList</c> is enabled; otherwise the markup is returned exactly as received,
        /// so callers must not rely on this method for any filtering while the feature is off.
        /// </summary>
        /// <param name="html">The markup to sanitize.</param>
        /// <returns>The sanitized markup, or the unchanged input when the whitelist feature is disabled.</returns>
        private string RemoveHarmfulTags(string html)
        {
            if (!_applicationSettings.UseHtmlWhiteList)
            {
                return html;
            }

            HtmlWhiteList whiteList = GetCachedWhiteList();

            // Tag names come straight from the cached whitelist; attribute names are the union of
            // every element's allowed attributes (duplicates are kept, as before).
            string[] tagNames = whiteList.ElementWhiteList
                                         .Select(element => element.Name)
                                         .ToArray();
            string[] attributeNames = whiteList.ElementWhiteList
                                               .SelectMany(element => element.AllowedAttributes)
                                               .Select(attribute => attribute.Name)
                                               .ToArray();

            // An empty configured list is handed to the sanitizer as null rather than as an empty set.
            // NOTE(review): the sanitizer presumably treats null as "use its built-in defaults", which
            // means an empty whitelist does not equal "allow nothing" — confirm against the library.
            string[] allowedTags       = tagNames.Length == 0 ? null : tagNames;
            string[] allowedAttributes = attributeNames.Length == 0 ? null : attributeNames;

            var sanitizer = new HtmlSanitizer(allowedTags, null, allowedAttributes)
            {
                AllowDataAttributes = false // data-* attributes are always stripped, whatever the whitelist says
            };

            // "class" and "id" are permitted on every element regardless of the configured whitelist,
            // and "mailto" is accepted as a URL scheme in addition to the sanitizer's own list.
            sanitizer.AllowedAttributes.Add("class");
            sanitizer.AllowedAttributes.Add("id");
            sanitizer.AllowedSchemes.Add("mailto");
            sanitizer.RemovingAttribute += Sanitizer_RemovingAttribute;

            return sanitizer.Sanitize(html);
        }
        /// <summary>
        /// Returns the <see cref="HtmlWhiteList"/> stored under <c>_cacheKey</c> in <c>_memoryCache</c>.
        /// On a cache miss (or when the cached object is not an <see cref="HtmlWhiteList"/>) the list is
        /// deserialized from the application settings and stored in the cache before being returned.
        /// </summary>
        /// <returns>The cached or freshly deserialized whitelist.</returns>
        private HtmlWhiteList GetCachedWhiteList()
        {
            HtmlWhiteList cached = _memoryCache.Get(_cacheKey) as HtmlWhiteList;
            if (cached != null)
            {
                return cached;
            }

            // No expiration is configured on the policy here, so the entry presumably lives until
            // it is evicted or removed by other code — confirm if whitelist changes must take
            // effect without a restart.
            HtmlWhiteList loaded = HtmlWhiteList.Deserialize(_applicationSettings);
            _memoryCache.Add(_cacheKey, loaded, new CacheItemPolicy());

            return loaded;
        }