dotnet add package Vereyon.Web.HtmlSanitizer --version 1.8.0
NuGet\Install-Package Vereyon.Web.HtmlSanitizer -Version 1.8.0
<PackageReference Include="Vereyon.Web.HtmlSanitizer" Version="1.8.0" />
Directory.Packages.props:
<PackageVersion Include="Vereyon.Web.HtmlSanitizer" Version="1.8.0" />
Project file:
<PackageReference Include="Vereyon.Web.HtmlSanitizer" />
paket add Vereyon.Web.HtmlSanitizer --version 1.8.0
#r "nuget: Vereyon.Web.HtmlSanitizer, 1.8.0"
#:package Vereyon.Web.HtmlSanitizer@1.8.0
Install as a Cake Addin:
#addin nuget:?package=Vereyon.Web.HtmlSanitizer&version=1.8.0
Install as a Cake Tool:
#tool nuget:?package=Vereyon.Web.HtmlSanitizer&version=1.8.0
HtmlRuleSanitizer is a white list rule based HTML sanitizer built on top of the HTML Agility Pack. Use it to clean up HTML and remove malicious content.
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
string cleanHtml = sanitizer.Sanitize(dirtyHtml);
Without configuration HtmlRuleSanitizer will strip absolutely everything. This ensures that you are in control of what HTML is getting through. It was inspired by the client side parser of the wysihtml5 editor.
HtmlRuleSanitizer was designed with the following use cases in mind:
Install the HtmlRuleSanitizer NuGet package.
Optionally add the following using statement in the file where you intend to use HtmlRuleSanitizer:
using Vereyon.Web;
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
string cleanHtml = sanitizer.Sanitize(dirtyHtml);
Note: the SimpleHtml5Sanitizer returns a rule set which does not allow for a full document definition. Use SimpleHtml5DocumentSanitizer
When dealing with full HTML documents including the html and body tags, use SimpleHtml5DocumentSanitizer:
var sanitizer = HtmlSanitizer.SimpleHtml5DocumentSanitizer();
string cleanHtml = sanitizer.Sanitize(dirtyHtml);
The code below demonstrates how to configure a rule set which only allows strong, i and a tags and which enforces the link tags to have a valid url, be no-follow and open in a new window. In addition, any b tag is renamed to strong because they more or less do the same anyway and b is deprecated. Any empty tags are removed to get rid of them. This would be a nice example for comment processing.
var sanitizer = new HtmlSanitizer();
sanitizer.Tag("strong").RemoveEmpty();
sanitizer.Tag("b").Rename("strong").RemoveEmpty();
sanitizer.Tag("i").RemoveEmpty();
sanitizer.Tag("a").SetAttribute("target", "_blank")
    .SetAttribute("rel", "nofollow")
    .CheckAttributeUrl("href")
    .RemoveEmpty();
string cleanHtml = sanitizer.Sanitize(dirtyHtml);
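A way to check the rule set above against untrusted input, as an added example that is not part of the original README or the project's own tests: it re-parses the sanitizer output with HTML Agility Pack and reports any tag, attribute or link that falls outside the stated policy. The class name, the sample comments and the strictness of the href check (absolute http/https only) are assumptions of this example.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using HtmlAgilityPack;
using Vereyon.Web;

static class CommentRuleSetCheck
{
    // Re-parses sanitizer output and yields whatever breaks the policy the page states:
    // only strong, i and a tags; links are nofollow, open in a new window, valid URL.
    static IEnumerable<string> Violations(string cleanHtml)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(cleanHtml);
        foreach (var node in doc.DocumentNode.Descendants().Where(n => n.NodeType == HtmlNodeType.Element))
        {
            if (node.Name != "strong" && node.Name != "i" && node.Name != "a")
                yield return "tag <" + node.Name + ">";
            var allowed = node.Name == "a" ? new[] { "href", "target", "rel" } : new string[0];
            foreach (var attr in node.Attributes.Where(a => !allowed.Contains(a.Name)))
                yield return "attribute " + attr.Name + " on <" + node.Name + ">";
            if (node.Name != "a") continue;
            if (node.GetAttributeValue("target", "") != "_blank" || node.GetAttributeValue("rel", "") != "nofollow")
                yield return "<a> without target=_blank and rel=nofollow";
            // Assumption of this example: only absolute http(s) links are acceptable.
            var href = node.Attributes["href"]?.Value;
            if (href != null && !(Uri.TryCreate(href, UriKind.Absolute, out var uri)
                    && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps)))
                yield return "href is not absolute http(s): " + href;
        }
    }
    static int Main()
    {
        // Rule set copied from the comment-processing example on this page.
        var sanitizer = new HtmlSanitizer();
        sanitizer.Tag("strong").RemoveEmpty();
        sanitizer.Tag("b").Rename("strong").RemoveEmpty();
        sanitizer.Tag("i").RemoveEmpty();
        sanitizer.Tag("a").SetAttribute("target", "_blank").SetAttribute("rel", "nofollow")
            .CheckAttributeUrl("href").RemoveEmpty();
        // Constructed sample comments, not taken from the original page.
        var samples = new[] {
            "<b>bold</b> <i></i> <p style=\"color:red\">paragraph</p>",
            "<a href=\"https://example.com/\" onclick=\"track()\">link</a>",
            "<a href=\"javascript:void(0)\">link</a><script>var x = 1;</script>",
        };
        var report = samples.SelectMany(s => Violations(sanitizer.Sanitize(s)).Select(v => s + " -> " + v)).ToList();
        report.ForEach(Console.WriteLine);
        return report.Count == 0 ? 0 : 1; // non-zero exit fails a CI step
    }
}
```

Running this whenever the rule set changes catches a rule that was loosened by accident, because the check inspects the parsed output rather than searching for known bad strings.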
Global CSS class whitelisting is achieved as follows where CSS classes are space separated:
sanitizer.AllowCss("legal also-legal");
Attribute sanitization can be performed by implementing a custom IHtmlAttributeSanitizer. The code below illustrates a simple custom sanitizer which overrides the attribute value:
class CustomSanitizer : IHtmlAttributeSanitizer
{
    public SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule)
    {
        // Override the attribute value and leave the attribute itself in place.
        attribute.Value = "123";
        return SanitizerOperation.DoNothing;
    }
}
The custom sanitizer can then be assigned to the desired attributes as follows:
var sanitizer = new HtmlSanitizer();
var attributeSanitizer = new CustomSanitizer();
sanitizer.Tag("span").SanitizeAttributes("style", attributeSanitizer);
Element sanitization can be performed by implementing a custom IHtmlElementSanitizer, much like custom attribute sanitization.
The code below illustrates a custom sanitizer which will remove span elements which contain the text "remove me":
var sanitizer = new HtmlSanitizer();
sanitizer.Tag("span").Sanitize(new CustomSanitizer(element =>
{
    return element.InnerText == "remove me"
        ? SanitizerOperation.RemoveTag
        : SanitizerOperation.DoNothing;
}));
Contributions are welcome through a GitHub pull request.
dotnet restore
Got tests? Yes, see the tests project. It uses xUnit.
cd Web.HtmlSanitizer.Tests/
dotnet test
| Product | Compatible versions | Additional computed target framework versions |
|---|---|---|
| .NET | net6.0, net7.0 | net5.0, net5.0-windows, net6.0-android, net6.0-ios, net6.0-maccatalyst, net6.0-macos, net6.0-tvos, net6.0-windows, net7.0-android, net7.0-ios, net7.0-maccatalyst, net7.0-macos, net7.0-tvos, net7.0-windows, net8.0, net8.0-android, net8.0-browser, net8.0-ios, net8.0-maccatalyst, net8.0-macos, net8.0-tvos, net8.0-windows, net9.0, net9.0-android, net9.0-browser, net9.0-ios, net9.0-maccatalyst, net9.0-macos, net9.0-tvos, net9.0-windows, net10.0, net10.0-android, net10.0-browser, net10.0-ios, net10.0-maccatalyst, net10.0-macos, net10.0-tvos, net10.0-windows |
| .NET Core | | netcoreapp2.0, netcoreapp2.1, netcoreapp2.2, netcoreapp3.0, netcoreapp3.1 |
| .NET Standard | netstandard2.0, netstandard2.1 | |
| .NET Framework | net462, net48 | net461, net463, net47, net471, net472, net481 |
| MonoAndroid | | monoandroid |
| MonoMac | | monomac |
| MonoTouch | | monotouch |
| Tizen | | tizen40, tizen60 |
| Xamarin.iOS | | xamarinios |
| Xamarin.Mac | | xamarinmac |
| Xamarin.TVOS | | xamarintvos |
| Xamarin.WatchOS | | xamarinwatchos |
Showing the top 1 NuGet packages that depend on Vereyon.Web.HtmlSanitizer:
| Package | Downloads |
|---|---|
| SuperiorAcumaticaPackage: Dependencies required to compile the SuperiorAcumaticaSolution for Acumatica 2026 R1 Build 26.100.0175 | |
This package is not used by any popular GitHub repositories.
| Version | Downloads | Last Updated |
|---|---|---|
| 1.8.0 | 304,043 | 10/28/2023 |
| 1.7.1 | 42,284 | 8/6/2023 |
| 1.7.0 | 83,138 | 4/8/2023 |
| 1.6.0.1 | 616,694 | 2/6/2021 |
| 1.6.0 | 27,477 | 4/19/2020 |
| 1.6.0-beta1 | 690 | 3/29/2020 |
| 1.5.1 | 292,276 | 10/27/2019 |
| 1.5.0 | 42,831 | 12/26/2018 |
| 1.4.0 | 36,279 | 12/26/2017 |
| 1.3.1.1 | 119,118 | 9/26/2017 |
| 1.3.1 | 23,659 | 6/14/2017 |
| 1.3.0 | 8,128 | 1/15/2017 |
| 1.2.1 | 3,150 | 1/15/2017 |
| 1.2.0 | 7,333 | 8/15/2016 |
| 1.1.4 | 4,940 | 5/13/2016 |
| 1.1.3 | 10,974 | 1/15/2016 |
| 1.1.2 | 5,438 | 11/7/2015 |
| 1.1.1 | 4,147 | 7/8/2015 |
This release adds support for custom element sanitizers, implements attribute quote normalization and enables nullable reference types to reduce the chances of NullReferenceExceptions.