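 /// <summary>
 /// Sanitizes the specified HTML, removing scripts, styles, and tags
 /// which might pose a security concern, and writes the result to <paramref name="writer"/>.
 /// </summary>
 /// <param name="html">The HTML content to sanitize. A <see cref="string"/> or <see cref="Stream"/> can also be used.</param>
 /// <param name="writer">Writer to which the sanitized HTML is written</param>
 /// <param name="settings">
 /// Settings controlling what CSS and HTML is permitted in the result. The value is handed to
 /// <c>HtmlReader.Sanitize</c> as-is, so a <c>null</c> default is resolved (or rejected) there rather than here.
 /// </param>
 /// <remarks>
 /// The goal of sanitization is to prevent XSS patterns
 /// described on <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet">XSS Filter Evasion Cheat Sheet</a>.
 /// The allow-list in <paramref name="settings"/> decides what survives; content outside it is dropped rather than escaped.
 /// </remarks>
 public static void Sanitize(TextSource html, XmlWriter writer, HtmlSanitizeSettings settings = null)
 {
     // Second constructor argument is a mode flag whose meaning is not visible here — confirm against HtmlReader.
     using (var reader = new HtmlReader(html, false))
     {
         reader.Sanitize(settings).ToHtml(writer);
     }
 }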
 /// <summary>
 /// Test helper: sanitizes <paramref name="input"/> and asserts the rendered HTML equals <paramref name="expected"/>.
 /// </summary>
 /// <param name="input">Raw HTML to run through the sanitizer</param>
 /// <param name="expected">Exact HTML the sanitizer is expected to produce</param>
 /// <param name="settings">Sanitizer allow-list; <c>null</c> falls back to <c>HtmlSanitizeSettings.Default()</c></param>
 /// <param name="writerSettings">Output formatting settings forwarded to <c>ToHtml</c>; may be <c>null</c></param>
 private void TestSanitize(string input, string expected, HtmlSanitizeSettings settings = null, HtmlWriterSettings writerSettings = null)
 {
     using (var source = new HtmlReader(input))
     {
         // Only the sanitizer settings get a default here; writerSettings is forwarded untouched.
         var effectiveSettings = settings ?? HtmlSanitizeSettings.Default();
         var actual = source.Sanitize(effectiveSettings).ToHtml(writerSettings);
         Assert.Equal(expected, actual);
     }
 }
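        /// <summary>
        /// Sanitizes the specified HTML, removing scripts, styles, and tags
        /// which might pose a security concern
        /// </summary>
        /// <param name="html">The HTML content to sanitize. A <see cref="string"/> or <see cref="Stream"/> can also be used.</param>
        /// <param name="settings">
        /// Settings controlling what CSS and HTML is permitted in the result. The value is handed to
        /// <c>HtmlReader.Sanitize</c> as-is, so a <c>null</c> default is resolved (or rejected) there rather than here.
        /// </param>
        /// <returns>An <see cref="HtmlString"/> containing only the permitted elements</returns>
        /// <remarks>
        /// The goal of sanitization is to prevent XSS patterns
        /// described on <a href="https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet">XSS Filter Evasion Cheat Sheet</a>.
        /// The allow-list in <paramref name="settings"/> decides what survives; content outside it is dropped rather than escaped.
        /// </remarks>
        public static HtmlString Sanitize(TextSource html, HtmlSanitizeSettings settings = null)
        {
            // Initial capacity hint only: the input length bounds the usual output size, but the builder still grows if needed.
            var sb = new StringBuilder(html.Length);

            // Second constructor argument is a mode flag whose meaning is not visible here — confirm against HtmlReader.
            using (var reader = new HtmlReader(html, false))
            using (var sw = new StringWriter(sb))
            {
                // Rendered with default writer settings; callers needing other formatting should use the XmlWriter overload.
                reader.Sanitize(settings).ToHtml(sw, new HtmlWriterSettings());
                return new HtmlString(sw.ToString());
            }
        }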
        /// <summary>
        /// End-to-end example: a <c>&lt;script&gt;</c> element is stripped by <c>Sanitize()</c> and the
        /// surrounding whitespace is collapsed by <c>Minify()</c>, leaving only the two anchors inside the div.
        /// </summary>
        public void Example_KitchenSink()
        {
            var expected = @"<div><a href=""http://www.google.com/"">Google</a> <a href=""http://www.yahoo.com/"">Yahoo</a></div>";
            var input = @"<div>  <script>alert('xss');</script>
                    <a href=""http://www.google.com/"">Google</a>
                    <a href=""http://www.yahoo.com/"">Yahoo</a>  </div>";

            using (var source = new HtmlReader(input))
            {
                // Explicit cast: ToHtml() returns a wrapper type that converts to string.
                string actual = (string)source.Sanitize().Minify().ToHtml();
                Assert.Equal(expected, actual);
            }
        }