예제 #1
0
        /// <summary>
        /// Sanitizes the text based on provided MarkupSanity configurations. A return value indicates whether the input text is already clean/sanitized.
        /// </summary>
        /// <param name="dirtyInput">The raw html input.</param>
        /// <param name="configurations">Custom MarkupSanity configurations to use for this method call.</param>
        /// <param name="sanitizedText">The sanitized results after processing the dirty input. Returns the same text if no dirty elements were found.</param>
        /// <returns>Returns True if output matches the input (no cleaning necessary), else False if the output was cleaned.</returns>
        public static Boolean TrySanitizeHtml(this String dirtyInput, SanitizeConfigurations configurations, out String sanitizedText)
        {
            String outputValue = SanitizeHtml(dirtyInput, configurations);

            sanitizedText = outputValue;

            return(dirtyInput.Equals(outputValue, StringComparison.InvariantCultureIgnoreCase));
        }
예제 #2
0
        /// <summary>
        /// Protect against cross-site scripting vulnerabilities by sanitizing the html input against unrecognized tags and attributes.
        /// </summary>
        /// <param name="dirtyInput">The raw html input.</param>
        /// <param name="whitelistedTags">The list of allowed tags. If this list is empty, the input string shall be returned as-is.</param>
        /// <param name="whitelistedAttributes">The list of allowed tag attributes.</param>
        /// <param name="scriptableAttributes">The list of attributes to check for scripts.</param>
        /// <returns></returns>
        public static String SanitizeHtml(this String dirtyInput, List <String> whitelistedTags, List <String> whitelistedAttributes, List <String> scriptableAttributes)
        {
            var configurations = new SanitizeConfigurations
            {
                CustomWhitelistedTags       = whitelistedTags,
                CustomWhitelistedAttributes = whitelistedAttributes,
                CustomScriptableAttributes  = scriptableAttributes
            };

            return(dirtyInput.SanitizeHtml(configurations));
        }
예제 #3
0
        /// <summary>
        /// Protect against cross-site scripting vulnerabilities by sanitizing the html input against unrecognized tags and attributes.
        /// </summary>
        /// <param name="dirtyInput">The raw html input.</param>
        /// <param name="configurations">Custom MarkupSanity configurations to use for this method call.</param>
        /// <returns></returns>
        public static String SanitizeHtml(this String dirtyInput, SanitizeConfigurations configurations)
        {
            var whitelistedTags = configurations.CustomWhitelistedTags;

            if (whitelistedTags == null || whitelistedTags.Count == 0)
            {
                whitelistedTags = configurations.InternalDefaultLists.WhitelistedTags;
            }

            var whitelistedAttributes = configurations.CustomWhitelistedAttributes;

            if (whitelistedAttributes == null || whitelistedAttributes.Count == 0)
            {
                whitelistedAttributes = configurations.InternalDefaultLists.WhitelistedAttributes;
            }

            var scriptableAttributes = configurations.CustomScriptableAttributes;

            if (scriptableAttributes == null || scriptableAttributes.Count == 0)
            {
                scriptableAttributes = configurations.InternalDefaultLists.ScriptableAttributes;
            }


            if (String.IsNullOrEmpty(dirtyInput) || whitelistedTags == null || whitelistedTags.Count == 0)
            {
                return(dirtyInput);
            }

            //-- Some "tags" are always required by HtmlAgilityPack, so make sure they are included.
            configurations.InternalDefaultLists.InternalRequiredTags
            .Where(internalTag => !configurations.InternalDefaultLists.WhitelistedTags.Exists(whitelistedTag => whitelistedTag.Equals(internalTag, StringComparison.OrdinalIgnoreCase)))
            .ToList()
            .ForEach(internalTag => whitelistedTags.Add(internalTag));

            //-- Remove black-listed tags from the whitelist.
            whitelistedTags = whitelistedTags.Except(configurations.CustomBlacklistedTags).ToList();


            var htmlDoc = new HtmlAgilityPack.HtmlDocument();

            htmlDoc.LoadHtml(dirtyInput);
            IEnumerable <HtmlNode> docNodes = htmlDoc.DocumentNode.DescendantsAndSelf();

            //-- Perform cleanup steps.
            docNodes.FilterWhiteListedTags(configurations.RemoveMarkupTagsOnly, whitelistedTags, htmlDoc)
            .CleanComments(configurations.RemoveComments)
            .RemoveDangerousTypeNodes(configurations.InternalDefaultLists.ScriptTypeSignatures)
            .FilterWhitelistedAttributes(whitelistedAttributes)
            .CleanScriptableAttributes(scriptableAttributes)
            .CleanScriptableStyleAttributes(configurations.InternalDefaultLists.ScriptableAttributesScriptSignatures);

            return(htmlDoc.DocumentNode.OuterHtml);
        }