/// <summary> /// Sanitizes the text based on provided MarkupSanity configurations. A return value indicates whether the input text is already clean/sanitized. /// </summary> /// <param name="dirtyInput">The raw html input.</param> /// <param name="configurations">Custom MarkupSanity configurations to use for this method call.</param> /// <param name="sanitizedText">The sanitized results after processing the dirty input. Returns the same text if no dirty elements were found.</param> /// <returns>Returns True if output matches the input (no cleaning necessary), else False if the output was cleaned.</returns> public static Boolean TrySanitizeHtml(this String dirtyInput, SanitizeConfigurations configurations, out String sanitizedText) { String outputValue = SanitizeHtml(dirtyInput, configurations); sanitizedText = outputValue; return(dirtyInput.Equals(outputValue, StringComparison.InvariantCultureIgnoreCase)); }
/// <summary> /// Protect against cross-site scripting vulnerabilities by sanitizing the html input against unrecognized tags and attributes. /// </summary> /// <param name="dirtyInput">The raw html input.</param> /// <param name="whitelistedTags">The list of allowed tags. If this list is empty, the input string shall be returned as-is.</param> /// <param name="whitelistedAttributes">The list of allowed tag attributes.</param> /// <param name="scriptableAttributes">The list of attributes to check for scripts.</param> /// <returns></returns> public static String SanitizeHtml(this String dirtyInput, List <String> whitelistedTags, List <String> whitelistedAttributes, List <String> scriptableAttributes) { var configurations = new SanitizeConfigurations { CustomWhitelistedTags = whitelistedTags, CustomWhitelistedAttributes = whitelistedAttributes, CustomScriptableAttributes = scriptableAttributes }; return(dirtyInput.SanitizeHtml(configurations)); }
/// <summary> /// Protect against cross-site scripting vulnerabilities by sanitizing the html input against unrecognized tags and attributes. /// </summary> /// <param name="dirtyInput">The raw html input.</param> /// <param name="configurations">Custom MarkupSanity configurations to use for this method call.</param> /// <returns></returns> public static String SanitizeHtml(this String dirtyInput, SanitizeConfigurations configurations) { var whitelistedTags = configurations.CustomWhitelistedTags; if (whitelistedTags == null || whitelistedTags.Count == 0) { whitelistedTags = configurations.InternalDefaultLists.WhitelistedTags; } var whitelistedAttributes = configurations.CustomWhitelistedAttributes; if (whitelistedAttributes == null || whitelistedAttributes.Count == 0) { whitelistedAttributes = configurations.InternalDefaultLists.WhitelistedAttributes; } var scriptableAttributes = configurations.CustomScriptableAttributes; if (scriptableAttributes == null || scriptableAttributes.Count == 0) { scriptableAttributes = configurations.InternalDefaultLists.ScriptableAttributes; } if (String.IsNullOrEmpty(dirtyInput) || whitelistedTags == null || whitelistedTags.Count == 0) { return(dirtyInput); } //-- Some "tags" are always required by HtmlAgilityPack, so make sure they are included. configurations.InternalDefaultLists.InternalRequiredTags .Where(internalTag => !configurations.InternalDefaultLists.WhitelistedTags.Exists(whitelistedTag => whitelistedTag.Equals(internalTag, StringComparison.OrdinalIgnoreCase))) .ToList() .ForEach(internalTag => whitelistedTags.Add(internalTag)); //-- Remove black-listed tags from the whitelist. whitelistedTags = whitelistedTags.Except(configurations.CustomBlacklistedTags).ToList(); var htmlDoc = new HtmlAgilityPack.HtmlDocument(); htmlDoc.LoadHtml(dirtyInput); IEnumerable <HtmlNode> docNodes = htmlDoc.DocumentNode.DescendantsAndSelf(); //-- Perform cleanup steps. docNodes.FilterWhiteListedTags(configurations.RemoveMarkupTagsOnly, whitelistedTags, htmlDoc) .CleanComments(configurations.RemoveComments) .RemoveDangerousTypeNodes(configurations.InternalDefaultLists.ScriptTypeSignatures) .FilterWhitelistedAttributes(whitelistedAttributes) .CleanScriptableAttributes(scriptableAttributes) .CleanScriptableStyleAttributes(configurations.InternalDefaultLists.ScriptableAttributesScriptSignatures); return(htmlDoc.DocumentNode.OuterHtml); }