Comments (5)
mganss
commented on June 8, 2024
This happens because <style> and <script> in isolation are parsed into the head portion of the HTML document. But we are operating only on the body portion. As a workaround you can wrap the string to be sanitized in <body>...</body>, forcing the elements into the body.
This also means you cannot currently sanitize complete HTML documents, only (body) fragments. I know this is not an ideal situation, but I have no idea how to fix this right now without making the sanitizer overly complex and thus error prone. Suggestions are very welcome 😄
from htmlsanitizer.
304NotModified
commented on June 8, 2024
Was this also in v2?
As a workaround you can wrap the string to be sanitized in ..., forcing the elements into the body.
You can do that also in this lib?
from htmlsanitizer.
mganss
commented on June 8, 2024
This was not in v2 because CsQuery is not as sophisticated a parser as AngleSharp.
I've added wrapping the input in <body>...</body> so the workaround will no longer be necessary in the next version (though doesn't do any harm either).
from htmlsanitizer.
Alpalhao
commented on June 8, 2024
Thanks Michael.
Any idea when this fix will be released?
from htmlsanitizer.
mganss
commented on June 8, 2024
Released as 3.1.93.
from htmlsanitizer.
Related Issues (20)
- Style attribute triggers a RemovingAttribute Event with an empty value HOT 8
- How to convert < into < and similar things using HtmlSanitizer.sanitize call HOT 3
- list-style-type cjk-ideographic is not allowed? HOT 2
- Newer list-style-type values unsupported HOT 1
- Configuration option to bypass changes for security advisory HOT 10
- Sanitize Vue.js scripts HOT 1
- MSO conditional comments HOT 2
- htmlsanitizer is missing NuGet package README file HOT 1
- AngleSharp missing dependency HOT 2
- Url extra escaping HOT 3
- Error on sanitizing simple post without any invalid char. HOT 3
- about slash in background property HOT 1
- Allow outlook conditional comments HOT 1
- Sanitizer removes "px" from the source style attributes when it's "0px" HOT 1
- Properties in @font-face declaration are removed (font-display, mso-generic-font-family, mso-font-alt) HOT 1
- FilterUrl event not raised for relative URLs if baseUrl is used HOT 1
- href's allow inline javascript? HOT 2
- AngleSharp dependency issue in .NET Framework (IIS-hosted WCF service) HOT 9
- RemovingTag and/or RemovingAttribute does not fire for "<BODY ONLOAD=alert('XSS')>" HOT 1
- css attribute white-space is being removed by default HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from htmlsanitizer.