/// <summary> /// Checks the passed attribute content agains the configured list of css classes. /// </summary> public SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule) { if (!ApplyCssWhitelist(attribute)) { return(SanitizerOperation.RemoveAttribute); } return(SanitizerOperation.DoNothing); }
public static HtmlSanitizerTagRule CheckAttribute(this HtmlSanitizerTagRule rule, string attribute, HtmlSanitizerCheckType check) { switch (check) { case HtmlSanitizerCheckType.Url: rule.CheckAttributeUrl(attribute); break; } return(rule); }
/// <summary> /// Checks if the attribute contains a valid URL. /// </summary> /// <param name="attribute"></param> /// <param name="tagRule"></param> /// <returns></returns> public virtual SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule) { // Check the url. We assume that there's no use in keeping for example a link tag without a href, so flatten the tag on failure. if (!AttributeUrlCheck(attribute)) { return(SanitizerOperation.FlattenTag); } return(SanitizerOperation.DoNothing); }
/// <summary> /// Specifies that the specified space seperated list of attributes are allowed on this tag. /// </summary> /// <param name="rule"></param> /// <param name="attributes"></param> /// <returns></returns> public static HtmlSanitizerTagRule AllowAttributes(this HtmlSanitizerTagRule rule, params string[] attributes) { foreach (var attribute in attributes) { var trimmed = attribute.Trim(); if (string.IsNullOrEmpty(trimmed)) { continue; } rule.CheckAttributes[trimmed] = HtmlSanitizerCheckType.AllowAttribute; } return(rule); }
/// <summary> /// Specifies the passed attribute sanitizer is to be applied to the space seperated list of attributes on this tag. /// </summary> /// <param name="rule"></param> /// <param name="attributes"></param> /// <param name="attributeSanitizer"></param> /// <returns></returns> public static HtmlSanitizerTagRule SanitizeAttributes(this HtmlSanitizerTagRule rule, string attributes, IHtmlAttributeSanitizer attributeSanitizer) { foreach (var attribute in attributes.Split(' ')) { var trimmed = attribute.Trim(); if (string.IsNullOrEmpty(trimmed)) { continue; } rule.AttributeChecks[trimmed] = attributeSanitizer; } return(rule); }
/// <summary> /// White lists the specified HTML tag, creating a rule for it which allows further specification of what is to be done /// with the tag. /// </summary> /// <param name="sanitizer">The sanitizer.</param> /// <param name="tagName">Name of the tag.</param> /// <param name="replace">if set to <c>true</c> replace.</param> /// <returns></returns> public static HtmlSanitizerTagRule Tag(this HtmlSanitizer sanitizer, string tagName, bool replace) { HtmlSanitizerTagRule rule; if (sanitizer.Rules.TryGetValue(tagName, out rule)) { if (replace) { sanitizer.Rules.Remove(tagName); } else { return(rule); } } rule = new HtmlSanitizerTagRule(tagName); sanitizer.Rules.Add(tagName, rule); return(rule); }
/// <summary> /// Removes the tag but preserves it's contents in place of the tag matched by this rule. /// </summary> /// <param name="rule"></param> public static void Flatten(this HtmlSanitizerTagRule rule) { rule.Operation = SanitizerOperation.FlattenTag; }
/// <summary> /// Removes the tag and it's contents of the tag matched by this rule. /// </summary> /// <param name="rule"></param> public static void Remove(this HtmlSanitizerTagRule rule) { rule.Operation = SanitizerOperation.RemoveTag; }
/// <summary>Specifies the operation to perform if this node does not have any attributes set.</summary> /// <param name="rule">The rule.</param> /// <param name="operation">The operation.</param> /// <returns></returns> public static HtmlSanitizerTagRule NoAttributes(this HtmlSanitizerTagRule rule, SanitizerOperation operation) { rule.NoAttributesOperation = operation; return(rule); }
/// <summary> /// Specifies that empty tags matching this rule should be removed. /// </summary> /// <param name="rule"></param> /// <returns></returns> public static HtmlSanitizerTagRule RemoveEmpty(this HtmlSanitizerTagRule rule) { rule.RemoveEmpty = true; return(rule); }
/// <summary> /// Applies the default URL check to the specified attribute. /// </summary> public static HtmlSanitizerTagRule CheckAttributeUrl(this HtmlSanitizerTagRule rule, string attribute) { rule.AttributeChecks.Add(attribute, UrlCheckerAttributeSanitizer.Default); return(rule); }
/// <summary> /// Specifies that the value of any attribute with the given name is to be set to the specified value. /// </summary> /// <param name="rule"></param> /// <param name="attribute"></param> /// <param name="value"></param> /// <returns></returns> public static HtmlSanitizerTagRule SetAttribute(this HtmlSanitizerTagRule rule, string attribute, string value) { rule.SetAttributes[attribute] = value; return(rule); }
/// <summary> /// Renames the tag to the specified tag name. Usefull for preserving content in unwanted HTML tags. /// </summary> /// <param name="rule"></param> /// <param name="newName"></param> /// <returns></returns> public static HtmlSanitizerTagRule Rename(this HtmlSanitizerTagRule rule, string newName) { rule.RenameTag = newName; return(rule); }
public SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule) { attribute.Value = "123"; return(SanitizerOperation.DoNothing); }
/// <summary> /// Specifies that the specified space seperated list of attributes are allowed on this tag. /// </summary> /// <param name="rule"></param> /// <param name="attributes"></param> /// <returns></returns> public static HtmlSanitizerTagRule AllowAttributes(this HtmlSanitizerTagRule rule, string attributes) { rule.SanitizeAttributes(attributes, WhiteListingAttributeSanitizer.Default); return(rule); }
/// <summary> /// Applies the specified global operation to a tag matching this rule. /// </summary> /// <param name="rule"></param> /// <param name="operation"></param> public static HtmlSanitizerTagRule Operation(this HtmlSanitizerTagRule rule, SanitizerOperation operation) { rule.Operation = operation; return(rule); }
private SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule rule) { // Ensure that the attribute name does not contain any caps. attribute.Name = attribute.Name.ToLowerInvariant(); // Apply global CSS class whitelist. If the attribute is complete removed, we are done. // TODO: Implement this as a global attribute check? if (attribute.Name == "class") { if (!ApplyCssWhitelist(attribute)) { return(SanitizerOperation.DoNothing); } } HtmlSanitizerCheckType checkType; SanitizerOperation operation; // Apply attribute checks. If the check fails, remove the attribute completely and return. if (rule.CheckAttributes.TryGetValue(attribute.Name, out checkType)) { operation = AttributeCheckRegistry[checkType](attribute); switch (operation) { case SanitizerOperation.FlattenTag: case SanitizerOperation.RemoveTag: // Can't handle these at this level. Return now as all attributes will be discared. return(operation); case SanitizerOperation.RemoveAttribute: attribute.Remove(); return(SanitizerOperation.DoNothing); case SanitizerOperation.DoNothing: break; default: throw new InvalidOperationException("Unspported sanitation operation."); } } string valueOverride; // Apply value override if it is specified by the rule. if (rule.SetAttributes.TryGetValue(attribute.Name, out valueOverride)) { attribute.Value = valueOverride; } // If we are in white listing mode and no check or override is specified, simply remove the attribute. // TODO: Wouldn't it be nicer is we generalized attribute rules for both checks and overrides? Would untangle code. if (WhiteListMode && !rule.SetAttributes.ContainsKey(attribute.Name) && !rule.CheckAttributes.ContainsKey(attribute.Name) && attribute.Name != "class") { attribute.Remove(); return(SanitizerOperation.DoNothing); } // Do nothing else. return(SanitizerOperation.DoNothing); }
/// <summary> /// Specifies that the given check is be performed on any attribute with the given name. /// </summary> /// <param name="rule"></param> /// <param name="attribute"></param> /// <param name="check"></param> /// <returns></returns> public static HtmlSanitizerTagRule CheckAttribute(this HtmlSanitizerTagRule rule, string attribute, HtmlSanitizerCheckType check) { rule.CheckAttributes[attribute] = check; return(rule); }