Hi,

I see for some days "build failed"

https://ci.appveyor.com/project/mganss/htmlsanitizer/build/1.0.42

Is PublishCoverity not working well? (we are also looking at PublishCoverity for NLog)

For your info,

I added this library to the OWASP pages:

https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job

Hi,

I have a few questions that are probably obvious to you (the creator), but as user I'm not sure.

• Why we need the uriAttributes white list?
• Is the urlAttributes list also used for CSS sanitizing? (style tag), or how are URL'S sanitized in CSS?
• Why is the class attribute not in the white list? Do you have some examples or references to XSS attacks on this one?
• Are relative URL's sanitized?
• How do I add the Protocol Relative URL (//) to the white list? Will and empty string work?
• Are the properties background and background-image safe in CSS as result of the URL sanitation?
• Is content CSS property sanitized and how?
• Regular expressions are cool, but it's difficult too read due too all (subtle) details. Can you add some documentation to the regexes? (I always use RegexOptions.IgnorePatternWhitespace and #)

Thanks!

PS: maybe expand the documentation with above questions/answers?

From the OWASP top-10 (2013)

A9 Using Components with Known Vulnerabilities

• Libraries which has a lot of issues and aren't actively maintained, are as risk.
• The CsQuery library is not actively maintained and has a growing amount of issues.

Consider replacing CsQuery with AngleSharp in the (near) future - as suggested by the creator and only owner of CsQuery.

I'm not 100% sure this is a bug, but it's an issue we've faced.
When inserting a background-image style attribute on IE9, the browser always quotes it with double quotes (").
However, when sanitizing, double quotes get translated into single quotes, and the single quotes on background-image get encoded.

Here's a test case:

        [Test]
        public void QuotedBackgroundImageFromIE9()
        {
            // Arrange
            var s = new HtmlSanitizer();

            // Act
            var htmlFragment = "<span style='background-image: url(\"/api/users/defaultAvatar\");'></span>";
            var actual = s.Sanitize(htmlFragment);

            // Assert
            var expected = "<span style=\"background-image: url('/api/users/defaultAvatar')\"></span>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }

I was able to work around this, and will be improving the solution to avoid false matches, but it doesn't feel right:

            s.PostProcessNode +=
                (sender, args) =>
                {
                    if (!args.Node.HasStyle("background-image")) return;
                    args.Node.Style["background-image"] =
                        args.Node.Style["background-image"].Replace("url(%22", "url('").Replace("%22)", "')");
                };

Opinions?

Example:

<p>
    <strong>Hello <em>World</em></strong>
</p>

With allowed tags: "p", "em"

<p>
    Hello <em>World</em>
</p>

Though I'd expect that for tags like <script> you'd always want to strip the content.

Complied dll is missing a strong name so It is not possible to use it in strong named project.

Is it possible to add strong name during the build ?

Hi,
I am using HtmlSanitizer library. My use case is to whitelist some html attributes like OnMouseHover but I don't want javascript "alert" as a value of OnMouseHover. For example: following is my Html which I want to sanitize:
<h1 onmouseover="alert('This is XSS attack')">XSS</h1>

So I want Sanitization library to check the value of attributes which is not currently supported. Currently I downloaded the source code and made customizations as per my requirement. Do you have any plans to support attribute value sanitization? Please do let me know.

Thanks
Amit

I'm trying to embed images (base64 encoded) in some html that's stored in a db. The encoded data is stored in the src attribute. The src attribute is supposed to be included by default but when I run the sanitizer it removes the src and its contents. The attribute looks something like this: ``src="data:image/png;base64,iVBORw0KGgoAAAANSU

Is there a way to do this? I even tried adding the src attribute to my sanitizer. Thanks.

(feature request)
Please support HTML5:

• HTML5 tags like header, nav, section etc
• HTML5 attributes, like data- , autocomplete, novalidate etc

This can be done of course when setting the properties, but I would be convenient if the library supported. This could be the defaults, or a 'switch' like boolean AllowHtml5Tags, boolean AllowDataAttributes etc

This library uses heavily the CsQuery project, which is a good thing. CsQuery is a port of jQuery.

Would not it be cool if this library got ported to Javascript / jQuery?

Hi! Is there any option to not HTMLEncode certain symbols. For example, to not encode & to &?

Hi,

First of all thanks for this library and the quick responses.

I was working with this library and I realized that adding an allowed item (tag, attribute etc) is a bit unpractical. This is the result of using IEnumerable for those properties.

For example, I'm adding an attribute to the allowed list with the following code:

var allowedAttributes = htmlSanitizer.AllowedAttributes.ToList();
allowedAttributes.Add(attributename);
htmlSanitizer.AllowedAttributes = allowedAttributes;

But I would prefer:

htmlSanitizer.AllowedAttributes.Add(attributename);

I suggest:

• change the property signatures from IEnumerable<string> to ICollection<string> for easy adding and removal. This for the following properties:
  • AllowedSchemes
  • AllowedTags
  • AllowedAttributes
  • UriAttributes
  • AllowedCssProperties
• use internal only the 'HashSet(withStringComparer.InvariantCultureIgnoreCase) so noLists orArray`s. This for performance reasons and clarity.

Hi,

I am using your HtmlSanitizer and it works great. But I found an issue with one kind of input.

html = 1

When I give this input it just does not give response,

but when I give encode input

html = 1<svg%20onload=alert(111)/>

it works great.

Edit: Since issue editor was not allowing my inputs (thinking its an injection.) So, I have uploaded an image to show you my inputs.

Hi!

In our application, we are using an Infragistics WebHtmlEditor, which when you set a font face, you will end up with the following markup : "< p > < font face = "Impact" size = "3" > font face test < /font > < /p >".
After I sanitize this, I end up with : "< p > < font size = "3" > font face test < /font > < /p >". Shouldn't "face" attribute be supported?
I did fix this by using sanitizer.AllowedAttributes.Add("face"), however, my concern is what other tags/attributes, etc might be missing from this list : https://pythonhosted.org/feedparser/html-sanitization.html as we might be having trouble with some other stylings as well.
Thanks

I see that the namespace has been changed to XSS. In my opinion this is too generic and could lead to name clashes.

From the MSDN guidlines: http://msdn.microsoft.com/en-us/library/893ke618%28v=vs.71%29.aspx

The general rule for naming namespaces is to use the company name followed by the technology name and optionally the feature and design as follows.

CompanyName.TechnologyName[.Feature][.Design]

Sanitizing

<div style="background-image: url('some/random/url.img')"></div>

Removes the first '. This seems like a bug.

This was tested with nuget HtmlSanitizer 2.0.5623.30465

Here's a test case:

var _sanitizer = new Ganss.XSS.HtmlSanitizer();
var html = "<div style=\"background-image: url('some/random/url.img')\"></div>";
Assert.Equals("<div style=\"background-image: url('some/random/url.img')\"></div>", _sanitizer.Sanitize(html))

I noticed that some .contains operations works on sets, and some on lists

For performance reasons .contains on a set always preferred over lists, if it possible. (the trade off is after 3-4 items if I'm correct)

UriAttributes.Contains is now working on a non-set. It would be wise to build a set first.

Hey,

So I am unable to install your 3.x NuGet package. Tried running as Admin and normal user.

Error: "Could not be found in your workspace, or you do not have permission to access it."

Packages:
Microsoft.Bcl.Build.1.0.14
Microsoft.Bcl.Async.1.0.168
AngleSharp 0.9.4
HtmlSanitizer 3.1.79

Any help would be greatly appreciated. It seems I am able to install HtmlSanitize version 2.x is that stable and version 3.x still in beta?

I know you can allow or disallow the class tag. It would be great if it were possible to be able to specify a list of valid class names. For example, if I wanted to allow the class tag and only allow the "control" class name, something like this:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedTags.Add("class");
sanitizer.AllowedClassNames.Add("control");
sanitizer.Sanitize("<div class=\"control\">"); // Passes sanitation
sanitizer.Sanitize("<div class=\"tiger\">"); // Should remove class "tiger"

RFC 2397 specifies data URL scheme. I understand that it may lead to an XSS attack if using text/html or text/plain media type, but I think media type like image/png in img tag should pass as browser will try to render it as image. Or is there any particular reason it wasn't?

I created 4 tests for this issue

[Test]
public void DataUrlSchemeImgTagUsingImageMediaTypeTest()
{
    // Arrange
    var s = new HtmlSanitizer();

    // Act
    var htmlFragment = "<img src=\"data:image/gif;base64,R0lGODdhMAAwAPAAAAAAAP///ywAAAAAMAAwAAAC8IyPqcvt3wCcDkiLc7C0qwyGHhSWpjQu5yqmCYsapyuvUUlvONmOZtfzgFzByTB10QgxOR0TqBQejhRNzOfkVJ+5YiUqrXF5Y5lKh/DeuNcP5yLWGsEbtLiOSpa/TPg7JpJHxyendzWTBfX0cxOnKPjgBzi4diinWGdkF8kjdfnycQZXZeYGejmJlZeGl9i2icVqaNVailT6F5iJ90m6mvuTS4OK05M0vDk0Q4XUtwvKOzrcd3iq9uisF81M1OIcR7lEewwcLp7tuNNkM3uNna3F2JQFo97Vriy/Xl4/f1cf5VWzXyym7PHhhx4dbgYKAAA7\" alt=\"Larry\">";
    var actual = s.Sanitize(htmlFragment);

    // Assert
    var expected = "<img src=\"data:image/gif;base64,R0lGODdhMAAwAPAAAAAAAP///ywAAAAAMAAwAAAC8IyPqcvt3wCcDkiLc7C0qwyGHhSWpjQu5yqmCYsapyuvUUlvONmOZtfzgFzByTB10QgxOR0TqBQejhRNzOfkVJ+5YiUqrXF5Y5lKh/DeuNcP5yLWGsEbtLiOSpa/TPg7JpJHxyendzWTBfX0cxOnKPjgBzi4diinWGdkF8kjdfnycQZXZeYGejmJlZeGl9i2icVqaNVailT6F5iJ90m6mvuTS4OK05M0vDk0Q4XUtwvKOzrcd3iq9uisF81M1OIcR7lEewwcLp7tuNNkM3uNna3F2JQFo97Vriy/Xl4/f1cf5VWzXyym7PHhhx4dbgYKAAA7\" alt=\"Larry\">";
    Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}

[Test]
public void DataUrlSchemeImgTagUsingImageMediaTypeContainMaliciousJavaScriptTest()
{
    // Arrange
    var s = new HtmlSanitizer();

    // Act
    // base 64 encoded string of of <script>alert("Hello");</script> but specified as image/gif
    var htmlFragment = "<img src=\"data:image/gif;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=\">";
    var actual = s.Sanitize(htmlFragment);

    // Assert
    var expected = "<img src=\"data:image/gif;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=\">";
    Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}

[Test]
public void DataUrlSchemeImgTagWithNonImageMediaType()
{
    // Arrange
    var s = new HtmlSanitizer();

    // Act
    // base 64 encoded string of of <script>alert("Hello");</script>
    var htmlFragment = "<img src=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=\">";
    var actual = s.Sanitize(htmlFragment);

    // Assert
    var expected = "<img>";
    Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}

[Test]
public void DataUrlSchemeScriptTagTest()
{
    // Arrange
    var s = new HtmlSanitizer();

    // Act
    // base 64 encoded string of of <script>alert("Hello");</script>
    var htmlFragment = "<script src=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGVsbG8iKTs8L3NjcmlwdD4=\"></script>";
    var actual = s.Sanitize(htmlFragment);

    // Assert
    var expected = "";
    Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}

Thank you for your answer #29. But it breaks the protection:

    var sanitizer = new HtmlSanitizer();
    var html = @"<div title=""&lt;foo&gt;"">Тест</div>";
    var outputFormatter = new CsQuery.Output.FormatDefault(DomRenderingOptions.RemoveComments | DomRenderingOptions.QuoteAllAttributes, HtmlEncoders.Minimum);
    var actual = sanitizer.Sanitize(html, "", outputFormatter);
    Assert.That(actual, Is.EqualTo(@"<div title=""&lt;foo&gt;"">Тест</div>").IgnoreCase);

  Expected string length 35 but was 29. Strings differ at index 12.
  Expected: "<div title="&lt;foo&gt;">Тест</div>", ignoring case
  But was:  "<div title="<foo>">Тест</div>"
  -----------------------^

Iframes with src to youtube should not be stripped.

Sanitize the following HTML with enabled mailto: scheme:

<a href="mailto:[email protected],[email protected]">Bang Bang</a>

Actual:

System.UriFormatException : Invalid URI: The hostname could not be parsed.
   at System.Uri.CreateHostStringHelper(String str, UInt16 idx, UInt16 end, ref Flags flags, ref String scopeId)
   at System.Uri.CreateHostString()
   at System.Uri.GetComponentsHelper(UriComponents uriComponents, UriFormat uriFormat)
   at System.Uri.GetComponents(UriComponents components, UriFormat format)
   at System.Uri.get_AbsoluteUri()
   at Ganss.XSS.HtmlSanitizer.SanitizeUrl(String url, String baseUrl)
   at Ganss.XSS.HtmlSanitizer.Sanitize(String html, String baseUrl, IOutputFormatter outputFormatter)

Expected:
No exception is thrown.

Is it possible to allow all data- attributes?

Before updating to the latest version of HtmlSanitizer that uses AngleSharp, HtmlSanitizer was working in my application. After updating, however, calling Sanitize throws an exception. Here is how I'm using it (in an extension method):

        public static string Sanitize(this string htmlString)
        {
            var sanitizer = new HtmlSanitizer();
            return sanitizer.Sanitize(htmlString);
        }

And here are the details:
System.MissingMethodException was unhandled by user code
HResult=-2146233069
Message=Method not found: 'System.String AngleSharp.IMarkupFormattable.ToHtml(AngleSharp.IMarkupFormatter)'.
Source=HtmlSanitizer
StackTrace:
at Ganss.XSS.HtmlSanitizer.Sanitize(String html, String baseUrl, IMarkupFormatter outputFormatter)
at Tcbcsl.Presentation.Helpers.ExtensionMethods.Sanitize(String htmlString) in C:\Users\Jay\Documents\GitHubVisualStudio\Tcbcsl\Presentation\Helpers\ExtensionMethods.cs:line 119
at lambda_method(Closure , NewsEditModel )
at AutoMapper.Internal.DelegateBasedResolver2.Resolve(ResolutionResult source) at AutoMapper.NullReferenceExceptionSwallowingResolver.Resolve(ResolutionResult source) at AutoMapper.PropertyMap.<>c.<ResolveValue>b__44_0(ResolutionResult current, IValueResolver resolver) at System.Linq.Enumerable.Aggregate[TSource,TAccumulate](IEnumerable1 source, TAccumulate seed, Func`3 func)
at AutoMapper.PropertyMap.ResolveValue(ResolutionContext context)
at AutoMapper.Mappers.TypeMapObjectMapperRegistry.PropertyMapMappingStrategy.MapPropertyValue(ResolutionContext context, Object mappedObject, PropertyMap propertyMap)
InnerException:

When typing @Html. in a .cshtml file, Visual Studio 2013 Ultimate Update 2 Intellisense shows HtmlSanitizer instead of the HtmlHelper methods when HtmlSanitizer has been added as a reference to the MVC5 Web project. The problem seems to be that the Html property of the view is colliding with the Html namespace of HtmlSanitizer.

A less generic namespace would likely solve the problem.

I have a problem with russian text:

Code:

[Test]
        public void TestRussianText()
        {
            // Arrange
            var s = new HtmlSanitizer();

            // Act
            var htmlFragment = "Тест";
            var actual = s.Sanitize(htmlFragment);

            // Assert
            var expected = htmlFragment;
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }

Test result:

 Expected string length 4 but was 28. Strings differ at index 0.
  Expected: "Тест", ignoring case
  But was:  "Тест"
  -----------^

Hi,!

I saw there is a new release on nuget. Is there a changelog of the new release(s)?

I've just been playing around with a few different HTML sanitizer libraries. This one was looking promising until I realized it changed:

<img src="..." />

to:

<img src="...">

Which is invalid XHTML. Although technically this is allowed in HTML I don't think it looks good and usually most people prefer to use a self closing tag.

Is there an estimate when to release version 2?

Hi,
After updating to HtmlSanitizer with AngleSharp, we detect the follow behaviour:

When sanitizing a text only containing a element "script" or "style", the RemovingTag event isn't fired.

Here's a test case:

        [Test]
        public void RemoveEventForNotAllowedTag_ScriptTag()
        {
            RemoveReason? actual = null;
            var s = new HtmlSanitizer();
            s.RemovingTag += (sender, args) =>
            {
                actual = args.Reason;
            };
            s.Sanitize("<script>alert('Hello world!')</script>");
            Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
        }

        [Test]
        public void RemoveEventForNotAllowedTag_StyleTag()
        {
            RemoveReason? actual = null;
            var s = new HtmlSanitizer();
            s.RemovingTag += (sender, args) =>
            {
                actual = args.Reason;
            };
            s.Sanitize("<style> body {background-color:lightgrey;}</style>");
            Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
        }

Adding another tag to the text, works fine.

        [Test]
        public void RemoveEventForNotAllowedTag_ScriptTagAndSpan()
        {
            RemoveReason? actual = null;
            var s = new HtmlSanitizer();
            s.RemovingTag += (sender, args) =>
            {
                actual = args.Reason;
            };
            s.Sanitize("<span>Hi</span><script>alert('Hello world!')</script>");
            Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
        }

Thanks

Hi,

Mailto gets stripped. Is there a way to allow this?

Example:
Input: <a href="mailto:[email protected]">Contact me!</a>
Output: <a>Contact me!</a>

Kind regards,
Paul.

When installs HtmlSanitizer and NuGet packages on project targeting .NET Framework 4.0, the command line tool throws the next error message:

Install-Package : Could not install package 'HtmlSanitizer 1.0.4925.29815'. You are trying to install this package into a project that targets '.NETFramework,Version=v4.0', but the package does not contain any assembly references or content files that are compatible with that framework.

It would be nice that NuGet packages allows installation on .NET Framework 4.0 projects.

While using Sanitize in ASP.net MVC using AngleSharp 0.9.5 I get the following error:

Could not load type 'AngleSharp.FormatExtensions' from assembly 'AngleSharp, Version=0.9.5.41771, Culture=neutral, PublicKeyToken=e83494dcdc6d31ea'.

The binding is properly set to:

<dependentAssembly>
  <assemblyIdentity name="AngleSharp" publicKeyToken="e83494dcdc6d31ea" culture="neutral" />
  <bindingRedirect oldVersion="0.0.0.0-0.9.5.41771" newVersion="0.9.5.41771" />
</dependentAssembly>

It does not happen with 0.9.4.

Current version (as of 2015-AUG-10) failed 55 unit tests, but passed 66.

The consistent issues for failures include (SanitizeUnicodeUrlTest() and others):

1. Empty style tag (which is permitted)
   Expected string length 14 but was 20. Strings differ at index 4.
   Expected: "
   XSS
   ", ignoring case
   But was: "
   XSS
   "
   ---------------^
2. Closed tag is valid but not expected (JavaScriptIncludeAndAngleBracketsTest() and others):
   Expected string length 4 but was 6. Strings differ at index 3.
   Expected: "
   ", ignoring case
   But was: "
   "
   --------------^
3. Semi-colon in Style attribute is not expected (DisallowCssPropertyValueTest() and others):
   Expected string length 47 but was 48. Strings differ at index 35.
   Expected: "
   Test
   ", ignoring case
   But was: "
   Test
   "
   ----------------------------------------------^

I am willing to contribute but the question arises as the intended results. All tests would pass HTML validation, though fail "good" html syntax verification (i.e. open tags are not considered a syntax failure in HTML). Please let me know if / how I might participate in this project.

Paul
(PS, Code passed Fortify SCA 4.30 scans with 0 issues)

Any plans to move to xproj / with CoreCLR support?

AngleSharp has it already, so won't be that difficult I guess.

Hi @mganss

I'm using your library HtmlSanitizer in my website. It works very well. This week we got a problem that the HtmlSanitizer() remove an image url from photobucket.
Input: <a href="http://media.photobucket.com/user/jade95_2010/media/PHOTOGRAPHY-VARIED/cat-face.jpg.html?filters[term]=cat&amp;filters[primary]=images&amp;filters[featured_media]=1220&amp;filters[secondary]=videos&amp;sort=1&amp;o=2" target="">text</a>.
Output: <a target>text</a>

The image url doesn't pass this check uri.IsWellFormedOriginalString(). Can you explain why we treat this url unsafe? Is there any security concern?

Thanks.

Please add the default allowed attributes, tags etc to the documentation.

HI

All international charters are being converted to HTMLEntities values. This is fine if you are protecting on output but we need to sanatize before it's stored to the database. There is no real alternative to this for us.

Is there any way that the international characters could be left as they are without html decoding and introducing security issues, breaking the html when < characters appear etc?

Looking @ https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Character_escape_sequences

I don't see where all of these combinations are tested. Is this a new test? If so, are there other tests that need to be added/reexamined?

Hi,

I am using HtmlSanitization library in my project to sanitize the input data. It works very nicely in all inputs and thanks a lot for the library. While testing I came across scenario in which I want HtmlSanitizer to recursively sanitize the input string which it is not currently doing.

Following is my input string:
<<abc></abc>script>alert('XSS')<<abc></abc>/script>

"abc" is my custom tag which is not whitelisted. As expected HtmlSanitizer removes the <abc></abc> tag. But since this one level sanitization, it the output string still contains malicious input data which is
<script>alert('XSS')</script>

HtmlSanitization should be iteration based and it should recursively sanitize the input string. Do you have any plans to support such functionality as it will be much needed functionality.

Please do let me know your road map and your thoughts.

Thanks
Amit.

Hi.

HtmlSanitizer sounds cool. Is there any online demo available somewhere? Thanks!

Hi !
How can one avoid the transformation of
< a href="http://domain.com/index.html?test=#value#" >
to < a href="http://domain.com/index.html?test=#value%23" >

Thanks.

Please consider the following piece of text:

<%25whscheck onmouseover=""alert(1)"">mouseOverThisText""

This Text when Inserted into an text field on IE9 will actually cause the javascript to fire (IE9 Closes the tag).. For some reason The Library does not sanitize this. COuld you please check?

We're trying to sanitize full html documents and we're losing the outer parts of the document. From the looks of the code it is automatically wrapping the html text in a body tag before passing it through. Is there any way around this?

We're loading html emails into a browser window which is why they are full documents. We put them into an iframe so they don't mess with the surrounding page. The iframe is sandboxed, but it would be nice to have the peace of mind of knowing we tried to sanitize the html as well.

I would really like to be able to have an Exception occur when an unallowed tag occurs, instead of just stripping it. This is useful when you can expect input will NOT contain malicious or unwanted HTML, but you want to make sure and also be notified if it DOES.

Sample cases:

• If you have no control over input, but it is provided by external party, and could turn out to be malicious or this party to be compromised themselves at some point in the future.
• Or in the case when you do have control over the input, but disallow or strip HTML in your own system. And then want to be notified when this functionality turns out not to work or has a fail-over, in order to be able to then quickly fix this yourself.

In my system the exception would just bubble up and we would be notified though some health monitoring that we have running.

Note that this issue is not a bug report, but a feature request. If I have time I could fork this project, implement it myself and do a pull request.

Would it be possible to update license.md into text file containing license text instead of a link to wikipedia article? That article could be changed or removed and something more permanent in git is preferable... Thanks.

After updating to AngleSharp 0.9.4, HtmlSanitizer.Sanitize() started throwing a MissingMethodException.

Method not found: 'System.String AngleSharp.IStyleFormattable.ToCss()'
at Ganss.XSS.HtmlSanitizer.SanitizeStyle(IHtmlElement element, String baseUrl)
at Ganss.XSS.HtmlSanitizer.Sanitize(String html, String baseUrl, IMarkupFormatter outputFormatter)

Reverting to AngleSharp 0.9.3 fixed the problem.