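/// <summary>
/// Filters an untrusted HTML fragment through the NeatHtml <see cref="XssFilter"/> and
/// returns the sanitized result. If no filter can be obtained (no current request) or
/// the filter throws, the markup is stripped with <c>RemoveMarkup</c> instead, so the
/// fallback always moves in the "safe" direction (less markup), never returns the raw input.
/// </summary>
/// <param name="html">Untrusted HTML fragment. Null or empty yields an empty string.</param>
/// <returns>The filtered fragment, or the markup-stripped input when the filter is unavailable or fails.</returns>
public static string SanitizeHtml(String html) {
    // Nothing to filter. Returning empty here avoids handing null to the filter
    // and spares callers from a null round-trip.
    if (String.IsNullOrEmpty(html)) {
        return String.Empty;
    }
    // GetXssFilter caches the filter per request (HttpContext.Items) because
    // XssFilter.GetForSchema was measured (ANTS Profiler) to be expensive.
    XssFilter filter = GetXssFilter();
    if (filter == null) {
        log.Info("XssFilter was null");
        return RemoveMarkup(html);
    }
    try {
        return filter.FilterFragment(html);
    } catch (Exception ex) {
        // Fail closed: the fragment is still stripped, but record why the filter
        // failed so a broken schema or parser problem is not silently hidden.
        // log.Error(message, exception) assumes the log4net-style ILog used by this class; confirm.
        log.Error("XssFilter.FilterFragment failed; falling back to RemoveMarkup", ex);
        return RemoveMarkup(html);
    }
}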
/// <summary>
/// Returns the request-scoped <see cref="XssFilter"/>. On first use within a request the
/// filter is built from <c>~/NeatHtml/schema/NeatHtml.xsd</c> and stored in
/// <c>HttpContext.Current.Items</c>, so later calls in the same request reuse it.
/// Returns null when there is no current web request (nothing to map the schema path
/// against and nowhere to cache).
/// </summary>
/// <returns>The cached or newly created filter, or null outside of a request.</returns>
private static XssFilter GetXssFilter() {
    const string cacheKey = "xssfilter";
    HttpContext context = HttpContext.Current;
    if (context == null) {
        return null;
    }
    // Already built earlier in this request.
    object stored = context.Items[cacheKey];
    if (stored != null) {
        return (XssFilter)stored;
    }
    // NOTE(review): the cache is per request, so GetForSchema still runs once per
    // request that filters HTML. A static cache would need XssFilter confirmed thread-safe.
    string schemaDir = context.Server.MapPath(WebUtils.GetApplicationRoot() + "/NeatHtml/schema");
    string schemaPath = Path.Combine(schemaDir, "NeatHtml.xsd");
    XssFilter created = XssFilter.GetForSchema(schemaPath);
    context.Items[cacheKey] = created;
    return created;
}
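/// <summary>
/// Runs an untrusted HTML fragment through the NeatHtml <see cref="XssFilter"/>. When the
/// filter throws, a red error header is rendered ahead of an HTML-encoded (and optionally
/// markup-stripped) copy of the input; when no filter is available the markup is stripped.
/// </summary>
/// <param name="html">Untrusted HTML fragment. Null or empty yields an empty string.</param>
/// <param name="errorHeader">
/// Text placed inside the red span when filtering throws. It is emitted as-is (NOT
/// HTML-encoded), so pass a trusted literal, never user-controlled text.
/// </param>
/// <param name="removeMarkupOnFailure">
/// When the filter throws: true strips the markup and encodes the remainder; false encodes
/// the raw input and appends the exception message to the header.
/// </param>
/// <returns>HTML that is safe to render.</returns>
public static string PreventCrossSiteScripting(String html, String errorHeader, bool removeMarkupOnFailure) {
    // NOTE: the old UseNeatHtmlForXSSPrevention / UseClientSideNeatHtml appSettings switches
    // were removed from this method; the server-side filter is always applied here.
    if (String.IsNullOrEmpty(html)) {
        return String.Empty;
    }
    // GetXssFilter caches the filter per request because XssFilter.GetForSchema was
    // measured (ANTS Profiler) to be expensive.
    XssFilter filter = GetXssFilter();
    if (filter == null) {
        // No request context => no filter. This path used to return
        // html.Replace("script", "s cript"), which leaves event-handler attributes,
        // javascript: URLs and similar vectors untouched and is not an XSS mitigation.
        // Strip markup instead, the same fallback SanitizeHtml uses.
        log.Info("XssFilter was null");
        return RemoveMarkup(html);
    }
    try {
        return filter.FilterFragment(html);
    } catch (Exception ex) {
        // Record the failure rather than only rendering it into the page.
        // log.Error(message, exception) assumes the log4net-style ILog used by this class; confirm.
        log.Error("XssFilter.FilterFragment failed", ex);
        if (removeMarkupOnFailure) {
            // errorHeader is trusted; the stripped content is still encoded in case RemoveMarkup leaves stray characters.
            return String.Format(@"<span style=""color: #ff0000;"">{0}</span><br />{1}", errorHeader, HttpUtility.HtmlEncode(RemoveMarkup(html)));
        }
        // Both the exception message and the raw input are encoded before being shown.
        return String.Format(@"<span style=""color: #ff0000;"">{0}{1}</span>:<br />{2}", errorHeader, HttpUtility.HtmlEncode(ex.Message), HttpUtility.HtmlEncode(html));
    }
}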