Comments (4)
I can't repro so far. Can you provide an example string that can be used as input to the Sanitize()
method?
Using the string above as is yields:
<%25whscheck onmouseover=""alert(1)"">mouseOverThisText""
Same goes for using only one double quote and also within a div.
from htmlsanitizer.
Hi Michael,
Thanks for the Quick Response. This looks like its just html encoded..
I would have hoped the Html the text is completely stripped out.
For example:
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html: @"<whscheck onmouseover=""alert(1)"">mouseOverThisText"" />", outputFormatter: new FormatDefault(DomRenderingOptions.QuoteAllAttributes, HtmlEncoders.Default));
returns back an empty string and that is good. but the text above just returns htmlencoded value no events are fired ..
from htmlsanitizer.
That's expected behavior. The parser (correctly) does not recognize the input as containing an element but rather text which it encodes properly. Because there are no elements to strip events won't be fired either. If you still want to filter out all occurrences of <...> in text nodes you can try something like this:
sanitizer.PostProcessNode += (s, e) =>
{
var t = e.Node as IDomText;
if (t != null) t.NodeValue = Regex.Replace(t.NodeValue, "<[^>]*>", "");
};
from htmlsanitizer.
OK Thanks...
from htmlsanitizer.
Related Issues (20)
- Style attribute triggers a RemovingAttribute Event with an empty value HOT 8
- How to convert < into < and similar things using HtmlSanitizer.sanitize call HOT 3
- list-style-type cjk-ideographic is not allowed? HOT 2
- Newer list-style-type values unsupported HOT 1
- Configuration option to bypass changes for security advisory HOT 10
- Sanitize Vue.js scripts HOT 1
- MSO conditional comments HOT 2
- htmlsanitizer is missing NuGet package README file HOT 1
- AngleSharp missing dependency HOT 2
- Url extra escaping HOT 3
- Error on sanitizing simple post without any invalid char. HOT 3
- about slash in background property HOT 1
- Allow outlook conditional comments HOT 1
- Sanitizer removes "px" from the source style attributes when it's "0px" HOT 1
- Properties in @font-face declaration are removed (font-display, mso-generic-font-family, mso-font-alt) HOT 1
- FilterUrl event not raised for relative URLs if baseUrl is used HOT 1
- href's allow inline javascript? HOT 2
- AngleSharp dependency issue in .NET Framework (IIS-hosted WCF service) HOT 9
- RemovingTag and/or RemovingAttribute does not fire for "<BODY ONLOAD=alert('XSS')>" HOT 1
- css attribute white-space is being removed by default HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from htmlsanitizer.