        /// <summary>
        /// Returns the NeatHtml <see cref="XssFilter"/> for the current request, building it
        /// from the schema under "/NeatHtml/schema/NeatHtml.xsd" on first use and caching it in
        /// <c>HttpContext.Current.Items</c> so later calls in the same request reuse it.
        /// </summary>
        /// <returns>The filter, or <c>null</c> when there is no current <see cref="HttpContext"/>
        /// (callers treat <c>null</c> as "no schema-backed filter available").</returns>
        private static XssFilter GetXssFilter()
        {
            HttpContext context = HttpContext.Current;

            // Outside an ASP.NET request there is no Server.MapPath and no per-request cache.
            if (context == null)
            {
                return null;
            }

            const string cacheKey = "xssfilter";

            object cached = context.Items[cacheKey];
            if (cached != null)
            {
                return (XssFilter)cached;
            }

            // Schema path is derived from the application root, not from request input.
            string schemaFolder = context.Server.MapPath(WebUtils.GetApplicationRoot() + "/NeatHtml/schema");
            string schemaPath = Path.Combine(schemaFolder, "NeatHtml.xsd");

            // NOTE(review): Items is a per-request store, so the schema is presumably
            // re-parsed on every request that sanitizes HTML — confirm whether
            // XssFilter.GetForSchema caches internally before caching it app-wide.
            XssFilter created = XssFilter.GetForSchema(schemaPath);
            context.Items[cacheKey] = created;

            return created;
        }
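        /// <summary>
        /// Filters an untrusted HTML fragment through the NeatHtml <see cref="XssFilter"/>.
        /// If filtering throws, the caller-supplied <paramref name="errorHeader"/> is rendered in
        /// red followed by either the markup-stripped input (<paramref name="removeMarkupOnFailure"/>
        /// true) or the HTML-encoded original plus the exception message (false). Either way the
        /// returned string never contains the raw input as live markup.
        /// </summary>
        /// <param name="html">Untrusted HTML fragment to sanitize.</param>
        /// <param name="errorHeader">Text shown to the user when filtering fails; it is emitted
        /// unencoded, so it must be a trusted string.</param>
        /// <param name="removeMarkupOnFailure">When true, strip all markup on failure instead of
        /// echoing the encoded original with the exception message.</param>
        /// <returns>Sanitized HTML, or an error rendering as described above.</returns>
        public static string PreventCrossSiteScripting(String html, String errorHeader, bool removeMarkupOnFailure)
        {
            try
            {
                XssFilter filter = GetXssFilter();

                if (filter == null)
                {
                    // No HttpContext, so no schema-backed filter. A plain substring replacement
                    // of "script" is not a safe fallback here: it is case-sensitive and leaves
                    // event-handler attributes and javascript: URLs untouched, i.e. it fails open.
                    // Strip markup entirely instead, matching SanitizeHtml's fallback.
                    log.Info("XssFilter was null");
                    return(RemoveMarkup(html));
                }

                return(filter.FilterFragment(html));
            }
            catch (Exception ex)
            {
                // Best-effort: never surface raw input as markup from the failure path.
                if (removeMarkupOnFailure)
                {
                    return(String.Format(@"<span style=""color: #ff0000;"">{0}</span><br />{1}", errorHeader,
                                         HttpUtility.HtmlEncode(RemoveMarkup(html))));
                }
                else
                {
                    // Exception message is encoded too; it may echo fragments of the input.
                    return(String.Format(@"<span style=""color: #ff0000;"">{0}{1}</span>:<br />{2}", errorHeader,
                                         HttpUtility.HtmlEncode(ex.Message), HttpUtility.HtmlEncode(html)));
                }
            }
        }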
        /// <summary>
        /// Sanitizes an untrusted HTML fragment with the NeatHtml <see cref="XssFilter"/>.
        /// Falls back to <c>RemoveMarkup</c> (all tags stripped) both when no filter is
        /// available (no current <see cref="HttpContext"/>) and when filtering throws, so the
        /// method never returns the input as live markup.
        /// </summary>
        /// <param name="html">Untrusted HTML fragment.</param>
        /// <returns>The filtered fragment, or the markup-stripped input on fallback.</returns>
        public static string SanitizeHtml(String html)
        {
            try
            {
                XssFilter filter = GetXssFilter();

                if (filter != null)
                {
                    return filter.FilterFragment(html);
                }

                log.Info("XssFilter was null");
            }
            catch (Exception)
            {
                // Deliberately swallowed: any filter failure degrades to stripping markup,
                // which is the safe direction for untrusted input.
            }

            return RemoveMarkup(html);
        }