/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
var open = formatter.OpenTag(this, false);
var children = _content.ChildNodes.ToHtml(formatter);
var close = formatter.CloseTag(this, false);
return String.Concat(open, children, close);
}
/// <summary>
/// Returns the serialization of the node guided by the formatter.
/// </summary>
/// <param name="markup">The markup node to format.</param>
/// <param name="formatter">The formatter to use.</param>
/// <returns>The source code snippet.</returns>
public static String ToHtml(this IMarkupFormattable markup, IMarkupFormatter formatter)
{
var sb = Pool.NewStringBuilder();
using (var writer = new StringWriter(sb))
{
markup.ToHtml(writer, formatter);
}
return sb.ToPool();
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return ChildNodes.ToHtml(formatter);
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.Processing(this));
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return formatter.Processing(this);
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return formatter.Doctype(this);
}
/// <summary>
/// Sanitizes the specified HTML.
/// </summary>
/// <param name="html">The HTML to sanitize.</param>
/// <param name="baseUrl">The base URL relative URLs are resolved against. No resolution if empty.</param>
/// <param name="outputFormatter">The CsQuery output formatter used to render the DOM. Using the default formatter if null.</param>
/// <returns>The sanitized HTML.</returns>
public string Sanitize(string html, string baseUrl = "", IMarkupFormatter outputFormatter = null)
{
var parser = new HtmlParser(new Configuration().WithCss(e => e.Options = new CssParserOptions
{
IsIncludingUnknownDeclarations = true,
IsIncludingUnknownRules = true,
IsToleratingInvalidConstraints = true,
IsToleratingInvalidValues = true
}));
var dom = parser.Parse(html);
// remove non-whitelisted tags
foreach (var tag in dom.Body.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
{
RemoveTag(tag, RemoveReason.NotAllowedTag);
}
// cleanup attributes
foreach (var tag in dom.Body.QuerySelectorAll("*").OfType<IHtmlElement>().ToList())
{
// remove non-whitelisted attributes
foreach (var attribute in tag.Attributes.Where(a => !IsAllowedAttribute(a)).ToList())
{
RemoveAttribute(tag, attribute, RemoveReason.NotAllowedAttribute);
}
// sanitize URLs in URL-marked attributes
foreach (var attribute in tag.Attributes.Where(IsUriAttribute).ToList())
{
var url = SanitizeUrl(attribute.Value, baseUrl);
if (url == null)
RemoveAttribute(tag, attribute, RemoveReason.NotAllowedUrlValue);
else
tag.SetAttribute(attribute.Name, url);
}
// sanitize the style attribute
SanitizeStyle(tag, baseUrl);
// sanitize the value of the attributes
foreach (var attribute in tag.Attributes.ToList())
{
// The '& Javascript include' is a possible method to execute Javascript and can lead to XSS.
// (see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes)
if (attribute.Value.Contains("&{"))
RemoveAttribute(tag, attribute, RemoveReason.NotAllowedValue);
else
{
// escape attribute value
var val = attribute.Value.Replace("<", "<").Replace(">", ">");
tag.SetAttribute(attribute.Name, val);
}
}
}
var nodes = GetAllNodes(dom.Body).ToList();
foreach (var comment in nodes.OfType<IComment>())
comment.Remove();
if (PostProcessNode != null)
{
foreach (var node in nodes)
{
var e = new PostProcessNodeEventArgs { Document = dom, Node = node };
OnPostProcessNode(e);
if (e.ReplacementNodes.Any())
((IChildNode)node).Replace(e.ReplacementNodes.ToArray());
}
}
var output = dom.Body.ChildNodes.ToHtml(outputFormatter ?? HtmlMarkupFormatter.Instance);
return output;
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.Text(_content));
}
public String ToHtml(IMarkupFormatter formatter)
{
return(_host.ToHtml(formatter));
}
/// <summary>
/// In-lines the CSS within the HTML given.
/// </summary>
/// <param name="stream">The Stream input.</param>
/// <param name="removeStyleElements">If set to <c>true</c> the style elements are removed.</param>
/// <param name="ignoreElements">CSS selector for STYLE elements to ignore (e.g. mobile-specific styles etc.)</param>
/// <param name="css">A string containing a style-sheet for inlining.</param>
/// <param name="stripIdAndClassAttributes">True to strip ID and class attributes</param>
/// <param name="removeComments">True to remove comments, false to leave them intact</param>
/// <returns>Returns the html input, with styles moved to inline attributes.</returns>
public static InlineResult MoveCssInline(Stream stream, bool removeStyleElements = false, string ignoreElements = null, string css = null, bool stripIdAndClassAttributes = false, bool removeComments = false, IMarkupFormatter customFormatter = null)
{
return(new PreMailer(stream).MoveCssInline(removeStyleElements, ignoreElements, css, stripIdAndClassAttributes, removeComments, customFormatter));
}
/// <summary>
/// In-lines the CSS for the current HTML
/// </summary>
/// <param name="removeStyleElements">If set to <c>true</c> the style elements are removed.</param>
/// <param name="ignoreElements">CSS selector for STYLE elements to ignore (e.g. mobile-specific styles etc.)</param>
/// <param name="css">A string containing a style-sheet for inlining.</param>
/// <param name="stripIdAndClassAttributes">True to strip ID and class attributes</param>
/// <param name="removeComments">True to remove comments, false to leave them intact</param>
/// <returns>Returns the html input, with styles moved to inline attributes.</returns>
public InlineResult MoveCssInline(bool removeStyleElements = false, string ignoreElements = null, string css = null, bool stripIdAndClassAttributes = false, bool removeComments = false, IMarkupFormatter customFormatter = null)
{
// Store the variables used for inlining the CSS
_removeStyleElements = removeStyleElements;
_stripIdAndClassAttributes = stripIdAndClassAttributes;
_ignoreElements = ignoreElements;
_css = css;
// Gather all of the CSS that we can work with.
var cssSourceNodes = CssSourceNodes();
var cssLinkNodes = CssLinkNodes();
var cssSources = new List <ICssSource>(ConvertToStyleSources(cssSourceNodes));
cssSources.AddRange(ConvertToStyleSources(cssLinkNodes));
var cssBlocks = GetCssBlocks(cssSources);
if (_removeStyleElements)
{
RemoveStyleElements(cssSourceNodes);
RemoveStyleElements(cssLinkNodes);
}
var joinedBlocks = Join(cssBlocks);
var validSelectors = CleanUnsupportedSelectors(joinedBlocks);
var elementsWithStyles = FindElementsWithStyles(validSelectors);
var mergedStyles = MergeStyleClasses(elementsWithStyles);
StyleClassApplier.ApplyAllStyles(mergedStyles);
if (_stripIdAndClassAttributes)
{
StripElementAttributes("id", "class");
}
if (removeComments)
{
var comments = _document.Descendents <IComment>().ToList();
foreach (var comment in comments)
{
comment.Remove();
}
}
IMarkupFormatter markupFormatter = customFormatter ?? GetMarkupFormatterForDocType();
using (var sw = new StringWriter())
{
_document.ToHtml(sw, markupFormatter);
return(new InlineResult(sw.GetStringBuilder(), _warnings));
}
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.OpenTag(this, false));
_content.ChildNodes.ToHtml(writer, formatter);
writer.Write(formatter.CloseTag(this, false));
}
private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = "", IMarkupFormatter outputFormatter = null)
{
// remove non-whitelisted tags
foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
{
RemoveTag(tag, RemoveReason.NotAllowedTag);
}
SanitizeStyleSheets(dom, baseUrl);
// cleanup attributes
foreach (var tag in context.QuerySelectorAll("*").OfType <IHtmlElement>().ToList())
{
// remove non-whitelisted attributes
foreach (var attribute in tag.Attributes.Where(a => !IsAllowedAttribute(a)).ToList())
{
RemoveAttribute(tag, attribute, RemoveReason.NotAllowedAttribute);
}
// sanitize URLs in URL-marked attributes
foreach (var attribute in tag.Attributes.Where(IsUriAttribute).ToList())
{
var url = SanitizeUrl(attribute.Value, baseUrl);
if (url == null)
{
RemoveAttribute(tag, attribute, RemoveReason.NotAllowedUrlValue);
}
else
{
tag.SetAttribute(attribute.Name, url);
}
}
// sanitize the style attribute
SanitizeStyle(tag, baseUrl);
// sanitize the value of the attributes
foreach (var attribute in tag.Attributes.ToList())
{
// The '& Javascript include' is a possible method to execute Javascript and can lead to XSS.
// (see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes)
if (attribute.Value.Contains("&{"))
{
RemoveAttribute(tag, attribute, RemoveReason.NotAllowedValue);
}
else
{
// escape attribute value
var val = attribute.Value.Replace("<", "<").Replace(">", ">");
tag.SetAttribute(attribute.Name, val);
}
}
}
var nodes = GetAllNodes(context).ToList();
RemoveComments(nodes);
DoPostProcess(dom, nodes);
}
/// <summary>
/// In-lines the CSS within the HTML given.
/// </summary>
/// <param name="html">The HTML input.</param>
/// <param name="removeStyleElements">If set to <c>true</c> the style elements are removed.</param>
/// <param name="ignoreElements">CSS selector for STYLE elements to ignore (e.g. mobile-specific styles etc.)</param>
/// <param name="css">A string containing a style-sheet for inlining.</param>
/// <param name="stripIdAndClassAttributes">True to strip ID and class attributes</param>
/// <param name="removeComments">True to remove comments, false to leave them intact</param>
/// <param name="preserveMediaQueries">If set to true and removeStyleElements is true, it will instead preserve unsupported media queries in the style node and remove the other css, instead of removing the whole style node</param>
/// <returns>Returns the html input, with styles moved to inline attributes.</returns>
public static InlineResult MoveCssInline(string html, bool removeStyleElements = false, string ignoreElements = null, string css = null, bool stripIdAndClassAttributes = false, bool removeComments = false, IMarkupFormatter customFormatter = null, bool preserveMediaQueries = false)
{
return(new PreMailer(html).MoveCssInline(removeStyleElements, ignoreElements, css, stripIdAndClassAttributes, removeComments, customFormatter, preserveMediaQueries));
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public virtual String ToHtml(IMarkupFormatter formatter)
{
return(TextContent);
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
ChildNodes.ToHtml(writer, formatter);
}
/// <summary>
/// Returns an HTML-code representation of the comment.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return(formatter.Comment(this));
}
/// <summary>
/// Returns an HTML-code representation of the character data.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return formatter.Text(_content);
}
/// <summary>
/// Returns an HTML-code representation of the comment.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return formatter.Comment(this);
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
if (Parent != null && ((Parent.Flags & NodeFlags.LiteralText) == NodeFlags.LiteralText))
{
writer.Write(Data);
}
else
{
base.ToHtml(writer, formatter);
}
}
public void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return(formatter.Doctype(this));
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return(formatter.Processing(this));
}
public String ToHtml(IMarkupFormatter formatter)
{
return _host.ToHtml(formatter);
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.Text(_content));
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
if (Parent != null && Parent.Flags.HasFlag(NodeFlags.LiteralText))
return Data;
return base.ToHtml(formatter);
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
ChildNodes.ToHtml(writer, formatter);
}
public void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
_host.ToHtml(writer, formatter);
}
/// <summary>
/// Adds the specified <paramref name="formatter"/> to the policy.
/// </summary>
/// <param name="formatter"></param>
/// <returns>The current policy builder.</returns>
public AntiXssPolicyBuilder WithOutputFormatter(IMarkupFormatter formatter)
{
_policy.OutputFormatter = formatter;
return(this);
}
public void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
throw new NotImplementedException();
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.Processing(this));
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="writer">The serialization output target.</param>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.Doctype(this));
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="writer">The serialization output target.</param>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.Doctype(this));
}
/// <summary>
/// Returns an HTML-code representation of the character data.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return(formatter.Text(_content));
}
public virtual void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(TextContent);
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public String ToHtml(IMarkupFormatter formatter)
{
var sb = Pool.NewStringBuilder();
for (int i = 0; i < _entries.Count; i++)
{
var htmlCode = _entries[i].ToHtml(formatter);
sb.Append(htmlCode);
}
return sb.ToPool();
}
public override void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
writer.Write(formatter.OpenTag(this, false));
_content.ChildNodes.ToHtml(writer, formatter);
writer.Write(formatter.CloseTag(this, false));
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
return(ChildNodes.ToHtml(formatter));
}
public void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
for (var i = 0; i < _entries.Count; i++)
{
_entries[i].ToHtml(writer, formatter);
}
}
/// <summary>
/// Returns an HTML-code representation of the node.
/// </summary>
/// <param name="formatter">The formatter to use.</param>
/// <returns>A string containing the HTML code.</returns>
public override String ToHtml(IMarkupFormatter formatter)
{
var selfClosing = Flags.HasFlag(NodeFlags.SelfClosing);
var open = formatter.OpenTag(this, selfClosing);
var children = String.Empty;
if (!selfClosing)
{
var sb = Pool.NewStringBuilder();
if (Flags.HasFlag(NodeFlags.LineTolerance) && FirstChild is IText)
{
var text = (IText)FirstChild;
if (text.Data.Length > 0 && text.Data[0] == Symbols.LineFeed)
sb.Append(Symbols.LineFeed);
}
foreach (var child in ChildNodes)
sb.Append(child.ToHtml(formatter));
children = sb.ToPool();
}
var close = formatter.CloseTag(this, selfClosing);
return String.Concat(open, children, close);
}
public void ToHtml(TextWriter writer, IMarkupFormatter formatter)
{
_host.ToHtml(writer, formatter);
}
