In order to use this assembly in Visual Studio Extensions, it must be signed.

Hello there,

I found that is it possible to craft inputs to bypass the HtmlRule sanitizer and achieve XSS. It is not quite clear how to report them without dumping them in a public Github issue, which I'd rather avoid for obvious reasons.
I tried messaging [email protected] but got no response - so is there a better way to get in touch?

Cheers,
leeN

If you are using VS2017 as your IDE, you can convert the project so that it will build against multiple target framework versions (e.g. 3.5, 4.0, 4.5 and .NET Standard 2.0) and automatically package them into a NuGet package. If this is something you'd consider doing, let me know and I'll do the work and submit a Pull Request. This would help on a project I'm doing.

In case of cleaning HTML as following, sanitizer generates invalid HTML output [closing tags are missing].
Perhaps this is a problem with void tags.
I used HtmlSanitizer.SimpleHtml5Sanitizer() in this example.

INPUT

<p><img src="./x.jpg"></p>
<p><img src="./y.jpg"></p>
<p><img src="./z.jpg"></p>
<p>Tekst<br></p>
<p><svg viewBox="0 0 120 120" xmlns="http://www.w3.org/2000/svg"><rect x="10" y="10" width="100" height="100" rx="15"/></svg></p>
<p><input type="text"></p>

OUTPUT

<p><p><p><p>Tekst<br></p><p><p>

Link to .NETFiddle with this case -> https://dotnetfiddle.net/mvVdbQ

The following unit test runs correctly:

        [Fact]
        public void AHrefUrlCheckMailToTest()
        {

	        string result;
	        var sanitizer = new HtmlSanitizer();
	        sanitizer.Tag("a").CheckAttribute("href", HtmlSanitizerCheckType.Url);

	        // Test a relative url, which should pass.
	        var input = @"<a href=""mailto:[email protected]?subject=test"">MailTo</a>";
	        var expected = @"<a href=""mailto:[email protected]?subject=test"">MailTo</a>";
	        result = sanitizer.Sanitize(input);
	        Assert.Equal(expected, result);
        }

Howver, if you have a space in the subject argument:

        [Fact]
        public void AHrefUrlCheckMailToTest()
        {

	        string result;
	        var sanitizer = new HtmlSanitizer();
	        sanitizer.Tag("a").CheckAttribute("href", HtmlSanitizerCheckType.Url);

	        // Test a relative url, which should pass.
	        var input = @"<a href=""mailto:[email protected]?subject=test this"">MailTo</a>";
	        var expected = @"<a href=""mailto:[email protected]?subject=test this"">MailTo</a>";
	        result = sanitizer.Sanitize(input);
	        Assert.Equal(expected, result);
        }

The test fails. You can work around this by using %20 instead of space in the input string.

Investigate alternative HTML parsers as the HTML Agility pack development seems stalled.

https://github.com/AngleSharp/AngleSharp

Hello,

I've spotted that you do not remove empty closing tags which is very dangerous i.e:
\"><style>html {background:pink;} body{ display:none; }</style>

Is there any plan to implement it or should i contrib with it?

Currently the allowed url schemes collection is static, making it difficult to configure the allowed schemes per sanitizer instance.

Much alike custom attribute sanitizers, which are already implemented.

https://learn.microsoft.com/en-us/dotnet/csharp/nullable-references

            var san = HtmlSanitizer.SimpleHtml5Sanitizer();
            foreach (var t in "p br i b tt strong".Split(" "))
            {
                san.Tag(t).RemoveEmpty();
            }
            var s = san.Sanitize("<html><script src=\"abc\"><body><p>ABC<b>abc</b><p>XYZ<b>xyz</p><u><li>abc<li>xyz</li></body></html>");

returns an empty string. Does your class sanitize not HTML documents but HTML fragments? This is not very useful when HTML comes from external sources beyond our control because it would then require preliminary stripping of
<html>, <head>, <body>
etc containers.

sanitizer.Tag("p").RemoveEmpty();
<p> </p> results in <p>&#160;</p>

Could RemoveEmpty() be extended to cover RemoveEmptyOrWhitespace() ??

Hi, when I trying to update NuGet reference to HtmlAgilityPack to latest stable version, this causing unexpected breakage when I try to run;

System.IO.FileLoadException: Could not load file or assembly 'HtmlAgilityPack, Version=1.4.9.5, Culture=neutral, PublicKeyToken=bd319b19eaf3b43a' or one of its dependencies. The located assembly's manifest definition does not match the assembly reference. (Exception from HRESULT: 0x80131040)**

Stacktrace
Vereyon.Web.HtmlSanitizer.Sanitize(String html)

M.b. I'm doing something wrong, however...

Hi,
This library works fine for all my use cases. But for some cases, I need to add the HTML attribute in single quotes instead of double.

Like
original string <a href='www.example.com'>
after setting target attribute it becomes <a href='www.example.com' target="_blank">
but need <a href='www.example.com' target='_blank'>

Do you have any option to do it?

Is it safe to craft an instance of HtmlSanitizer either by lazy singleton or as a static memeber field, and then use it from various threads (i.e. from multiple parallel http requests processing) ?
Or the only way is to create a new instance for each thread - in my case for each http request ?

Previously I was able to create my own sanitizer AllowWhiteListedIframeDomains based on UrlCheckerAttributeSanitizer

It was like:

internal class AllowWhiteListedIframeDomains : UrlCheckerAttributeSanitizer
{
    private AllowWhiteListedIframeDomains() { }
    public static AllowWhiteListedIframeDomains Default { get; private set; } = new AllowWhiteListedIframeDomains();

    protected override bool AttributeUrlCheck(HtmlAttribute attribute)
    {
        var baseResult = base.AttributeUrlCheck(attribute);
        if (!baseResult)
        {
            return false;
        }

        if (attribute.Value.StartsWith("https://music.yandex.ru/iframe/")
            || attribute.Value.StartsWith("https://www.youtube.com/embed/")
            || attribute.Value.StartsWith("https://ok.ru/videoembed/")
            )
        {
            return true;
        }

        return false;
    }
}

Now its no longer possible, because UrlCheckerAttributeSanitizer defaults to empty list of allowed schemes and only code internal to HtmlRuleSanitizer assembly can set schemes.

Solutions:

1. If UrlCheckerAttributeSanitizer doesn't mean to use outside of assembly, let's make it internal (and remove virtual from AttributeUrlCheck)
   2a. Make setter for AllowedUriSchemes publicly accessible (or at least protected internal).
   2b. Or even make it constructor argument.

em tag gets deleted completely as shown in below:

Its supposed to be, but after sanitization whole text gets deleted.

Bold text

I have included p, em, strong, along with other html tags in whitelist . Still its getting deleted.

How could I allow adding iframes only to whitelisted domains? I like to allow youtube.com, but not evilsiteexample.com

Can you provide in ReadMe Comparison with HtmlSanitizer package https://github.com/mganss/HtmlSanitizer?
It’s hard to choose one, and description when one or another is more suitable will be useful.

Changing your UrlCheckTest() to
var inputIllegal = @"<a href=""../relative.htm"">Relative link</a>";

causes AttributeUrlCheck() to throw an InvalidOperationException by the uri.Scheme property. You need to add an absolute uri check
if (!uri.IsWellFormedOriginalString() || !uri.IsAbsoluteUri)

When I build the project on my local machine in release mode, the generated NuGet package contains the Vereyon.Web.HtmlSanitizer.xml file inside the NuGet package.

However, the file hosted on NuGet.org (https://www.nuget.org/packages/Vereyon.Web.HtmlSanitizer/1.6.0) does not contain this file.

When using HtmlSanitizer in a project, IntelliSense does not show the documentation:

Local generated NuGet package (release mode):

Online hosted NuGet package:

Hi There,

The library works fine for me except for some of the special characters. Changing the html text of some special characters to some unicode format is the problem for me.
For instance,
This is initial text.

Sanitized:

Initial:

Sanitized:

Initial:

Sanitized:

I don't want these changes to happen, is there anyway to prevent this or put them in white list or so?

Thanks,
Laxman Mankala