コード例 #1
        /// <summary>
        /// Produces a sanitized copy of an HTML string by delegating to BuildSafeHtml.
        /// </summary>
        /// <param name="currentHtml">HTML markup to sanitize.</param>
        /// <param name="flags">Processing flags forwarded unchanged to BuildSafeHtml.</param>
        /// <param name="wasBad">
        /// Receives BuildSafeHtml's return value: true when the input was reported as containing
        /// potentially dangerous content. Null or empty input is reported as false.
        /// </param>
        /// <returns>
        /// The sanitized markup produced by BuildSafeHtml (an empty string for null or empty input).
        /// Callers should use this value, not <paramref name="currentHtml"/>, for any further output.
        /// </returns>
        public static string GetSafeHtml(string currentHtml, SafeHtmlFlags flags, out bool wasBad)
        {
            string sanitized;

            // BuildSafeHtml always assigns its out parameter, so no pre-initialisation is needed here.
            wasBad = BuildSafeHtml(currentHtml, flags, out sanitized);

            return sanitized;
        }
コード例 #2
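        /// <summary>
        /// Builds a sanitized version of an HTML string by passing it through the native SafeHtml
        /// component. The method is marked unsafe because it receives the native output buffer as a
        /// raw pointer, copies from it, and must free it explicitly.
        /// </summary>
        /// <param name="existingHtml">HTML string to make a safe version of; null or empty input returns immediately.</param>
        /// <param name="flags">
        /// Caller-supplied processing flags. DebugNoPopup, IndicateIfUnsafe and NoWriteBOM are always
        /// OR-ed in before the native call.
        /// </param>
        /// <param name="newHtml">
        /// Receives the sanitized HTML, or an empty string when there was no input or the native call
        /// produced no usable output.
        /// </param>
        /// <returns>true if the native call returned 1 (the given HTML had potentially dangerous content), else false</returns>
        /// <remarks>
        /// NOTE(review): every native return code other than 1 is reported as false. The meaning of
        /// those codes is not visible here; confirm that a native failure cannot be mistaken by
        /// callers for "the input was clean". In that situation <paramref name="newHtml"/> is
        /// expected to be empty rather than the original markup.
        /// </remarks>
        private static unsafe bool BuildSafeHtml(string existingHtml, SafeHtmlFlags flags, out string newHtml)
        {
            byte *rgbTmp = null;

            // Start from an empty string so that any path producing no output yields empty text
            // rather than the original, unsanitized markup.
            newHtml = String.Empty;

            // Early exit if the existing Html is null or an empty string.
            // The native call below doesn't return when the existing Html is an empty string.
            if (String.IsNullOrEmpty(existingHtml))
            {
                return(false);
            }

            try
            {
                byte[] rgbSrc = Encoding.UTF8.GetBytes(existingHtml);

                int iSrc  = rgbSrc.Length;
                int cbDst = 0;

                // Note that we do not have the SafeHtml component write out the "byte order mark" to indicate
                // Unicode/UTF-8 - that is handled separately by callers.
                // Input is declared as UTF-8; output is requested as CodePageUnicode and is read
                // below as 2-byte chars.
                uint returnCode = NativeMethods.OshFGetSafeHTMLAllocForManaged2(
                    rgbSrc,
                    iSrc,
                    (int)SafeHtmlCodePages.CodePageUTF8,
                    &rgbTmp,
                    out cbDst,
                    (int)SafeHtmlCodePages.CodePageUnicode,
                    (int)(flags | SafeHtmlFlags.DebugNoPopup | SafeHtmlFlags.IndicateIfUnsafe | SafeHtmlFlags.NoWriteBOM)
                    );

                // Do not trust the native size blindly: only copy when a buffer was actually returned
                // and it holds at least one whole 2-byte character. Integer division drops a trailing
                // odd byte, so the copy can never read past the cbDst bytes the native side reported
                // (the previous "i < cbDst; i += 2" loop read one byte beyond the buffer for odd
                // sizes and dereferenced a null pointer if no buffer came back with a non-zero size).
                if (rgbTmp != null && cbDst >= 2)
                {
                    newHtml = new string((char *)rgbTmp, 0, cbDst / 2);
                }

                return(returnCode == 1);
            }
            finally
            {
                // The native side allocated the buffer, so it must be released with the matching
                // native free routine, including when an exception is thrown above.
                if (rgbTmp != null)
                {
                    NativeMethods.OshFreePv((void *)rgbTmp);
                }
            }
        }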