HtmlSanitizer 9.0.892

There is a newer prerelease version of this package available.
See the version list below for details.
dotnet add package HtmlSanitizer --version 9.0.892

NuGet\Install-Package HtmlSanitizer -Version 9.0.892
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.

<PackageReference Include="HtmlSanitizer" Version="9.0.892" />
For projects that support PackageReference, copy this XML node into the project file to reference the package.

For projects that support Central Package Management (CPM), copy this XML node into the solution Directory.Packages.props file to version the package.
Directory.Packages.props:
<PackageVersion Include="HtmlSanitizer" Version="9.0.892" />
Project file:
<PackageReference Include="HtmlSanitizer" />

paket add HtmlSanitizer --version 9.0.892
The NuGet Team does not provide support for this client. Please contact its maintainers for support.

#r "nuget: HtmlSanitizer, 9.0.892"
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.

#:package HtmlSanitizer@9.0.892
#:package directive can be used in C# file-based apps starting in .NET 10 preview 4. Copy this into a .cs file before any lines of code to reference the package.

Install as a Cake Addin:
#addin nuget:?package=HtmlSanitizer&version=9.0.892
Install as a Cake Tool:
#tool nuget:?package=HtmlSanitizer&version=9.0.892
The NuGet Team does not provide support for this client. Please contact its maintainers for support.

HtmlSanitizer

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. It uses AngleSharp to parse, manipulate, and render HTML and CSS.

Because HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental "tag poisoning" where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.

In order to facilitate different use cases, HtmlSanitizer can be customized at several levels:

  • Configure allowed HTML tags through the property AllowedTags. All other tags will be stripped.
  • Configure allowed HTML attributes through the property AllowedAttributes. All other attributes will be stripped.
  • Configure allowed CSS property names through the property AllowedCssProperties. All other styles will be stripped.
  • Configure allowed CSS at-rules through the property AllowedAtRules. All other at-rules will be stripped.
  • Configure allowed URI schemes through the property AllowedSchemes. All other URIs will be stripped.
  • Configure HTML attributes that contain URIs (such as "src", "href" etc.) through the property UriAttributes.
  • Provide a base URI that will be used to resolve relative URIs against.
  • Cancelable events are raised before a tag, attribute, or style is removed.

Usage

Install the HtmlSanitizer NuGet package. Then:

using Ganss.Xss;
using Xunit; // provides Assert.Equal

var sanitizer = new HtmlSanitizer();
// Input combines a script element, an event-handler attribute and a javascript: URL inside CSS.
var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
 + @"style=""background-color: rgba(0, 0, 0, 1)"">Test<img src=""test.png"""
 + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
// The second argument is the base URI that relative URIs such as test.png are resolved against.
var sanitized = sanitizer.Sanitize(html, "https://www.example.com");
var expected = @"<div style=""background-color: rgba(0, 0, 0, 1)"">"
 + @"Test<img src=""https://www.example.com/test.png"" style=""margin: 10px""></div>";
Assert.Equal(expected, sanitized);

There's an online demo, plus there's also a .NET Fiddle you can play with.

More example code and a description of possible options can be found in the Wiki.

Tags allowed by default

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, body, br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, head, header, hr, html, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr

Attributes allowed by default

abbr, accept-charset, accept, accesskey, action, align, alt, autocomplete, autosave, axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset, checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime, dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href, hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength, media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum, pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev, reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src, start, step, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, wrap

Note: to prevent classjacking and interference with classes where the sanitized fragment is to be integrated, the class attribute is disallowed by default. It can be added as follows:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html);

CSS properties allowed by default

align-content, align-items, align-self, all, animation, animation-delay, animation-direction, animation-duration, animation-fill-mode, animation-iteration-count, animation-name, animation-play-state, animation-timing-function, backface-visibility, background, background-attachment, background-blend-mode, background-clip, background-color, background-image, background-origin, background-position, background-position-x, background-position-y, background-repeat, background-repeat-x, background-repeat-y, background-size, border, border-bottom, border-bottom-color, border-bottom-left-radius, border-bottom-right-radius, border-bottom-style, border-bottom-width, border-collapse, border-color, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-left, border-left-color, border-left-style, border-left-width, border-radius, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-left-radius, border-top-right-radius, border-top-style, border-top-width, border-width, bottom, box-decoration-break, box-shadow, box-sizing, break-after, break-before, break-inside, caption-side, caret-color, clear, clip, color, column-count, column-fill, column-gap, column-rule, column-rule-color, column-rule-style, column-rule-width, column-span, column-width, columns, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, filter, flex, flex-basis, flex-direction, flex-flow, flex-grow, flex-shrink, flex-wrap, float, font, font-family, font-feature-settings, font-kerning, font-language-override, font-size, font-size-adjust, font-stretch, font-style, font-synthesis, font-variant, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, font-weight, gap, grid, grid-area, grid-auto-columns, grid-auto-flow, grid-auto-rows, grid-column, 
grid-column-end, grid-column-gap, grid-column-start, grid-gap, grid-row, grid-row-end, grid-row-gap, grid-row-start, grid-template, grid-template-areas, grid-template-columns, grid-template-rows, hanging-punctuation, height, hyphens, image-rendering, isolation, justify-content, left, letter-spacing, line-break, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, mask, mask-clip, mask-composite, mask-image, mask-mode, mask-origin, mask-position, mask-repeat, mask-size, mask-type, max-height, max-width, min-height, min-width, mix-blend-mode, object-fit, object-position, opacity, order, orphans, outline, outline-color, outline-offset, outline-style, outline-width, overflow, overflow-wrap, overflow-x, overflow-y, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, perspective, perspective-origin, pointer-events, position, quotes, resize, right, row-gap, scroll-behavior, tab-size, table-layout, text-align, text-align-last, text-combine-upright, text-decoration, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style, text-indent, text-justify, text-orientation, text-overflow, text-shadow, text-transform, text-underline-position, top, transform, transform-origin, transform-style, transition, transition-delay, transition-duration, transition-property, transition-timing-function, unicode-bidi, user-select, vertical-align, visibility, white-space, widows, width, word-break, word-spacing, word-wrap, writing-mode, z-index

CSS at-rules allowed by default

namespace, style

style refers to style declarations within other at-rules such as @media. Disallowing @namespace while allowing other types of at-rules can lead to errors. Property declarations in @font-face and @viewport are not sanitized.

Note: the style tag is disallowed by default.

URI schemes allowed by default

http, https

Note: Protocol-relative URLs (e.g. <a href="//github.com">//github.com</a>) are allowed by default (as are other relative URLs).

To allow mailto: links:

sanitizer.AllowedSchemes.Add("mailto");

Default attributes that contain URIs

action, background, dynsrc, href, lowsrc, src

Thread safety

The Sanitize() and SanitizeDocument() methods are thread-safe, i.e. you can use these methods on a single shared instance from different threads provided you do not simultaneously set instance or static properties. A typical use case is that you prepare an HtmlSanitizer instance once (i.e. set desired properties such as AllowedTags etc.) from a single thread, then call Sanitize()/SanitizeDocument() from multiple threads.
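
The following is an added example, not code from the HtmlSanitizer project. It combines the customization properties listed earlier with the prepare-once, call-from-many-threads pattern described above, and uses the cancelable events only to log what was stripped. The names CommentSanitizer, Removed and Clean, the tag allow-list and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Concurrent;
using System.Threading.Tasks;
using Ganss.Xss;

public static class CommentSanitizer
{
    // Audit trail of everything the sanitizer stripped. Events fire on the
    // thread that called Sanitize(), so the sink must be thread-safe.
    public static readonly ConcurrentQueue<string> Removed = new ConcurrentQueue<string>();
    // Configured once on a single thread, never mutated afterwards.
    private static readonly HtmlSanitizer Shared = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();
        // Replace the broad defaults with the few tags a comment field needs (hypothetical list).
        s.AllowedTags.Clear();
        foreach (var tag in new[] { "a", "b", "i", "em", "strong", "p", "br", "ul", "ol", "li", "code", "pre" })
            s.AllowedTags.Add(tag);
        // The style attribute is not allowed here, so inline CSS is stripped with it.
        s.AllowedAttributes.Clear();
        s.AllowedAttributes.Add("href");
        s.AllowedAttributes.Add("title");
        s.AllowedSchemes.Add("mailto"); // in addition to the default http and https
        // Record removals instead of cancelling them (e.Cancel stays false).
        s.RemovingTag += (_, e) =>
            Removed.Enqueue($"tag <{e.Tag.LocalName}> ({e.Reason})");
        s.RemovingAttribute += (_, e) =>
            Removed.Enqueue($"attribute {e.Attribute.Name} on <{e.Tag.LocalName}> ({e.Reason})");
        return s;
    }

    public static string Clean(string html) =>
        Shared.Sanitize(html, "https://www.example.com");
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input, not taken from the package page.
        var inputs = new[]
        {
            "<p onclick=\"alert(1)\">Hi <b>there</b></p>",
            "<a href=\"javascript:alert(1)\" title=\"x\">link</a>",
            "<a href=\"mailto:team@example.com\">mail</a><iframe src=\"/frame\"></iframe>",
        };
        var outputs = new string[inputs.Length];
        Parallel.For(0, inputs.Length, i => outputs[i] = CommentSanitizer.Clean(inputs[i]));
        foreach (var o in outputs) Console.WriteLine(o);
        foreach (var r in CommentSanitizer.Removed) Console.WriteLine("removed: " + r);
    }
}
```

Because the sanitizer's property sets are only written inside Build(), the shared instance meets the condition stated above that no properties are set while Sanitize() is running.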

Text content not necessarily preserved as-is

Please note that as the input is parsed by AngleSharp's HTML parser and then rendered back out, you cannot expect the text content to be preserved exactly as it was input, even if no elements or attributes were removed. Examples:

  • 4 < 5 becomes 4 &lt; 5
  • <SPAN>test</p> becomes <span>test<p></p></span>
  • <span title='test'>test</span> becomes <span title="test">test</span>

On the other hand, although some broken HTML is fixed by the parser, the output might still contain invalid HTML. Examples:

  • <div><li>test</li></div>
  • <ul><br><li>test</li></ul>
  • <h3><p>test</p></h3>

License

MIT License

Product Versions: compatible and additional computed target framework versions.

.NET
  Compatible: net8.0
  Computed: net5.0, net5.0-windows, net6.0, net6.0-android, net6.0-ios, net6.0-maccatalyst, net6.0-macos, net6.0-tvos, net6.0-windows, net7.0, net7.0-android, net7.0-ios, net7.0-maccatalyst, net7.0-macos, net7.0-tvos, net7.0-windows, net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos, net8.0-windows, net9.0, net9.0-android, net9.0-browser, net9.0-ios, net9.0-maccatalyst, net9.0-macos, net9.0-tvos, net9.0-windows, net10.0, net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows
.NET Core
  Computed: netcoreapp2.0, netcoreapp2.1, netcoreapp2.2, netcoreapp3.0, netcoreapp3.1
.NET Standard
  Compatible: netstandard2.0
  Computed: netstandard2.1
.NET Framework
  Compatible: net462, net47
  Computed: net461, net463, net471, net472, net48, net481
MonoAndroid
  Computed: monoandroid
MonoMac
  Computed: monomac
MonoTouch
  Computed: monotouch
Tizen
  Computed: tizen40, tizen60
Xamarin.iOS
  Computed: xamarinios
Xamarin.Mac
  Computed: xamarinmac
Xamarin.TVOS
  Computed: xamarintvos
Xamarin.WatchOS
  Computed: xamarinwatchos

NuGet packages (212)

Showing the top 5 NuGet packages that depend on HtmlSanitizer:

Package Downloads
OrchardCore.Infrastructure

Orchard Core CMS is a Web Content Management System (CMS) built on top of the Orchard Core Framework. Implementation for OrchardCoreCMS Infrastructure

Kentico.Xperience.AspNetCore.WebApp

Contains assemblies and content items required to integrate Kentico Xperience into ASP.NET Core applications.

FenixAlliance.ACL.Dependencies

Application Component for the Alliance Business Suite.

VirtoCommerce.CatalogModule.Data

Package Description

Abp.HtmlSanitizer

Abp.HtmlSanitizer

GitHub repositories (38)

Showing the top 20 popular GitHub repositories that depend on HtmlSanitizer:

Repository Stars
abpframework/abp
Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
aspnetboilerplate/aspnetboilerplate
ASP.NET Boilerplate - Web Application Framework
dodyg/practical-aspnetcore
Practical samples of ASP.NET Core 11, 10, 9, 8.0, 7.0, 6.0, 5.0, 3.1, 2.2, and 2.1,projects you can use. Readme contains explanations on all projects.
OrchardCMS/OrchardCore
Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
btcpayserver/btcpayserver
Accept Bitcoin payments. Free, open-source & self-hosted, Bitcoin payment processor.
SeriaWei/ZKEACMS
ZKEACMS build with .Net 8 (.Net CMS)可视化设计在线编辑内容管理系统
ErsatzTV/legacy
Open-source platform that transforms your personal media library into live, custom TV channels.
smartstore/SmartStoreNET
Open Source ASP.NET MVC Enterprise eCommerce Shopping Cart Solution
openbullet/OpenBullet2
OpenBullet reinvented
ElPumpo/TinyNvidiaUpdateChecker
The best NVIDIA GPU update checker for Windows power users/gamers. Fully open sourced and lightweight.
NuGet/NuGetGallery
NuGet Gallery is a package repository that powers https://www.nuget.org. Use this repo for reporting NuGet.org issues.
ariacom/Seal-Report
Database Reporting Tool and Tasks (.Net)
smartstore/Smartstore
A modular, scalable and ultra-fast open-source all-in-one eCommerce platform built on ASP.NET Core 10
bitfoundation/bitplatform
Build all of your apps using what you already know and love ❤️
dnnsoftware/Dnn.Platform
DNN (formerly DotNetNuke) is the leading open source web content management platform (CMS) in the Microsoft ecosystem.
cofoundry-cms/cofoundry
Cofoundry is an extensible and flexible .NET Core CMS & application framework focusing on code first development
lysilver/KopSoftWms
KopSoft仓库管理系统
replaysMike/Binner
Open source parts inventory system for makers, electronics hobby, and professional engineers
Sicos1977/ChromiumHtmlToPdf
Convert HTML to PDF with a Chromium based browser
blazorblueprintui/ui
A collection of accessible, headless primitives and beautifully-designed components for Blazor inspired by shadcn/ui.
Version Downloads Last Updated
9.1.923-beta 28,266 4/27/2026
9.1.893-beta 420,567 2/2/2026
9.1.891-beta 58,137 11/24/2025 9.1.891-beta has at least one vulnerability with moderate severity.
9.1.887-beta 146,531 6/12/2025 9.1.887-beta has at least one vulnerability with moderate severity.
9.1.885-beta 168,734 4/21/2025 9.1.885-beta has at least one vulnerability with moderate severity.
9.1.882-beta 14,116 4/20/2025 9.1.882-beta has at least one vulnerability with moderate severity.
9.1.878-beta 334,791 1/29/2025 9.1.878-beta has at least one vulnerability with moderate severity.
9.0.892 9,590,426 2/2/2026
9.0.889 1,647,037 11/24/2025 9.0.889 has at least one vulnerability with moderate severity.
9.0.886 5,598,194 6/12/2025 9.0.886 has at least one vulnerability with moderate severity.
9.0.884 1,687,423 4/21/2025 9.0.884 has at least one vulnerability with moderate severity.
9.0.881 30,872 4/20/2025 9.0.881 has at least one vulnerability with moderate severity.
9.0.876 4,326,183 1/29/2025 9.0.876 has at least one vulnerability with moderate severity.
9.0.873 220,717 1/28/2025 9.0.873 has at least one vulnerability with moderate severity.
8.2.871-beta 520,655 7/26/2024 8.2.871-beta has at least one vulnerability with moderate severity.
8.1.870 12,875,396 7/26/2024 8.1.870 has at least one vulnerability with moderate severity.
8.1.866-beta 270,677 4/16/2024 8.1.866-beta has at least one vulnerability with moderate severity.
8.1.860-beta 56,693 3/18/2024 8.1.860-beta has at least one vulnerability with moderate severity.
8.1.844-beta 144,018 2/12/2024 8.1.844-beta has at least one vulnerability with moderate severity.
8.0.865 6,250,120 4/16/2024 8.0.865 has at least one vulnerability with moderate severity.