/// <summary>
/// Checks the passed attribute content agains the configured list of css classes.
/// </summary>
public SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule)
{
if (!ApplyCssWhitelist(attribute))
{
return(SanitizerOperation.RemoveAttribute);
}
return(SanitizerOperation.DoNothing);
}
public static HtmlSanitizerTagRule CheckAttribute(this HtmlSanitizerTagRule rule, string attribute, HtmlSanitizerCheckType check)
{
switch (check)
{
case HtmlSanitizerCheckType.Url:
rule.CheckAttributeUrl(attribute);
break;
}
return(rule);
}
/// <summary>
/// Checks if the attribute contains a valid URL.
/// </summary>
/// <param name="attribute"></param>
/// <param name="tagRule"></param>
/// <returns></returns>
public virtual SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule)
{
// Check the url. We assume that there's no use in keeping for example a link tag without a href, so flatten the tag on failure.
if (!AttributeUrlCheck(attribute))
{
return(SanitizerOperation.FlattenTag);
}
return(SanitizerOperation.DoNothing);
}
/// <summary>
/// Specifies that the specified space seperated list of attributes are allowed on this tag.
/// </summary>
/// <param name="rule"></param>
/// <param name="attributes"></param>
/// <returns></returns>
public static HtmlSanitizerTagRule AllowAttributes(this HtmlSanitizerTagRule rule, params string[] attributes)
{
foreach (var attribute in attributes)
{
var trimmed = attribute.Trim();
if (string.IsNullOrEmpty(trimmed))
{
continue;
}
rule.CheckAttributes[trimmed] = HtmlSanitizerCheckType.AllowAttribute;
}
return(rule);
}
/// <summary>
/// Specifies the passed attribute sanitizer is to be applied to the space seperated list of attributes on this tag.
/// </summary>
/// <param name="rule"></param>
/// <param name="attributes"></param>
/// <param name="attributeSanitizer"></param>
/// <returns></returns>
public static HtmlSanitizerTagRule SanitizeAttributes(this HtmlSanitizerTagRule rule, string attributes, IHtmlAttributeSanitizer attributeSanitizer)
{
foreach (var attribute in attributes.Split(' '))
{
var trimmed = attribute.Trim();
if (string.IsNullOrEmpty(trimmed))
{
continue;
}
rule.AttributeChecks[trimmed] = attributeSanitizer;
}
return(rule);
}
/// <summary>
/// White lists the specified HTML tag, creating a rule for it which allows further specification of what is to be done
/// with the tag.
/// </summary>
/// <param name="sanitizer">The sanitizer.</param>
/// <param name="tagName">Name of the tag.</param>
/// <param name="replace">if set to <c>true</c> replace.</param>
/// <returns></returns>
public static HtmlSanitizerTagRule Tag(this HtmlSanitizer sanitizer, string tagName, bool replace)
{
HtmlSanitizerTagRule rule;
if (sanitizer.Rules.TryGetValue(tagName, out rule))
{
if (replace)
{
sanitizer.Rules.Remove(tagName);
}
else
{
return(rule);
}
}
rule = new HtmlSanitizerTagRule(tagName);
sanitizer.Rules.Add(tagName, rule);
return(rule);
}
/// <summary>
/// Removes the tag but preserves it's contents in place of the tag matched by this rule.
/// </summary>
/// <param name="rule"></param>
public static void Flatten(this HtmlSanitizerTagRule rule)
{
rule.Operation = SanitizerOperation.FlattenTag;
}
/// <summary>
/// Removes the tag and it's contents of the tag matched by this rule.
/// </summary>
/// <param name="rule"></param>
public static void Remove(this HtmlSanitizerTagRule rule)
{
rule.Operation = SanitizerOperation.RemoveTag;
}
/// <summary>Specifies the operation to perform if this node does not have any attributes set.</summary>
/// <param name="rule">The rule.</param>
/// <param name="operation">The operation.</param>
/// <returns></returns>
public static HtmlSanitizerTagRule NoAttributes(this HtmlSanitizerTagRule rule, SanitizerOperation operation)
{
rule.NoAttributesOperation = operation;
return(rule);
}
/// <summary>
/// Specifies that empty tags matching this rule should be removed.
/// </summary>
/// <param name="rule"></param>
/// <returns></returns>
public static HtmlSanitizerTagRule RemoveEmpty(this HtmlSanitizerTagRule rule)
{
rule.RemoveEmpty = true;
return(rule);
}
/// <summary>
/// Applies the default URL check to the specified attribute.
/// </summary>
public static HtmlSanitizerTagRule CheckAttributeUrl(this HtmlSanitizerTagRule rule, string attribute)
{
rule.AttributeChecks.Add(attribute, UrlCheckerAttributeSanitizer.Default);
return(rule);
}
/// <summary>
/// Specifies that the value of any attribute with the given name is to be set to the specified value.
/// </summary>
/// <param name="rule"></param>
/// <param name="attribute"></param>
/// <param name="value"></param>
/// <returns></returns>
public static HtmlSanitizerTagRule SetAttribute(this HtmlSanitizerTagRule rule, string attribute, string value)
{
rule.SetAttributes[attribute] = value;
return(rule);
}
/// <summary>
/// Renames the tag to the specified tag name. Usefull for preserving content in unwanted HTML tags.
/// </summary>
/// <param name="rule"></param>
/// <param name="newName"></param>
/// <returns></returns>
public static HtmlSanitizerTagRule Rename(this HtmlSanitizerTagRule rule, string newName)
{
rule.RenameTag = newName;
return(rule);
}
public SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule)
{
attribute.Value = "123";
return(SanitizerOperation.DoNothing);
}
/// <summary>
/// Specifies that the specified space seperated list of attributes are allowed on this tag.
/// </summary>
/// <param name="rule"></param>
/// <param name="attributes"></param>
/// <returns></returns>
public static HtmlSanitizerTagRule AllowAttributes(this HtmlSanitizerTagRule rule, string attributes)
{
rule.SanitizeAttributes(attributes, WhiteListingAttributeSanitizer.Default);
return(rule);
}
/// <summary>
/// Applies the specified global operation to a tag matching this rule.
/// </summary>
/// <param name="rule"></param>
/// <param name="operation"></param>
public static HtmlSanitizerTagRule Operation(this HtmlSanitizerTagRule rule, SanitizerOperation operation)
{
rule.Operation = operation;
return(rule);
}
private SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule rule)
{
// Ensure that the attribute name does not contain any caps.
attribute.Name = attribute.Name.ToLowerInvariant();
// Apply global CSS class whitelist. If the attribute is complete removed, we are done.
// TODO: Implement this as a global attribute check?
if (attribute.Name == "class")
{
if (!ApplyCssWhitelist(attribute))
{
return(SanitizerOperation.DoNothing);
}
}
HtmlSanitizerCheckType checkType;
SanitizerOperation operation;
// Apply attribute checks. If the check fails, remove the attribute completely and return.
if (rule.CheckAttributes.TryGetValue(attribute.Name, out checkType))
{
operation = AttributeCheckRegistry[checkType](attribute);
switch (operation)
{
case SanitizerOperation.FlattenTag:
case SanitizerOperation.RemoveTag:
// Can't handle these at this level. Return now as all attributes will be discared.
return(operation);
case SanitizerOperation.RemoveAttribute:
attribute.Remove();
return(SanitizerOperation.DoNothing);
case SanitizerOperation.DoNothing:
break;
default:
throw new InvalidOperationException("Unspported sanitation operation.");
}
}
string valueOverride;
// Apply value override if it is specified by the rule.
if (rule.SetAttributes.TryGetValue(attribute.Name, out valueOverride))
{
attribute.Value = valueOverride;
}
// If we are in white listing mode and no check or override is specified, simply remove the attribute.
// TODO: Wouldn't it be nicer is we generalized attribute rules for both checks and overrides? Would untangle code.
if (WhiteListMode &&
!rule.SetAttributes.ContainsKey(attribute.Name) &&
!rule.CheckAttributes.ContainsKey(attribute.Name) && attribute.Name != "class")
{
attribute.Remove();
return(SanitizerOperation.DoNothing);
}
// Do nothing else.
return(SanitizerOperation.DoNothing);
}
/// <summary>
/// Specifies that the given check is be performed on any attribute with the given name.
/// </summary>
/// <param name="rule"></param>
/// <param name="attribute"></param>
/// <param name="check"></param>
/// <returns></returns>
public static HtmlSanitizerTagRule CheckAttribute(this HtmlSanitizerTagRule rule, string attribute, HtmlSanitizerCheckType check)
{
rule.CheckAttributes[attribute] = check;
return(rule);
}
