mganss/HtmlSanitizer mganss/HtmlSanitizer

  • Stars
    star
    1,534
  • Rank 30,498 (Top 0.7 %)
  • Language
    C#
  • License
    MIT License
  • Created over 11 years ago
  • Updated 4 months ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
mganss/HtmlSanitizer
github

mganss

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

Cleans HTML to avoid XSS attacks

HtmlSanitizer

NuGet version Build status codecov.io Sonarcloud Quality Gate

netstandard2.0 net46

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. It uses AngleSharp to parse, manipulate, and render HTML and CSS.

Because HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental "tag poisoning" where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.

In order to facilitate different use cases, HtmlSanitizer can be customized at several levels:

  • Configure allowed HTML tags through the property AllowedTags. All other tags will be stripped.
  • Configure allowed HTML attributes through the property AllowedAttributes. All other attributes will be stripped.
  • Configure allowed CSS property names through the property AllowedCssProperties. All other styles will be stripped.
  • Configure allowed CSS at-rules through the property AllowedAtRules. All other at-rules will be stripped.
  • Configure allowed URI schemes through the property AllowedSchemes. All other URIs will be stripped.
  • Configure HTML attributes that contain URIs (such as "src", "href" etc.) through the property UriAttributes.
  • Provide a base URI that will be used to resolve relative URIs against.
  • Cancelable events are raised before a tag, attribute, or style is removed.

Usage

Install the HtmlSanitizer NuGet package. Then:

using Ganss.Xss;
var sanitizer = new HtmlSanitizer();
var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
    + @"style=""background-color: rgba(0, 0, 0, 1)"">Test<img src=""test.png"""
    + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
var sanitized = sanitizer.Sanitize(html, "https://www.example.com");
var expected = @"<div style=""background-color: rgba(0, 0, 0, 1)"">"
    + @"Test<img src=""https://www.example.com/test.png"" style=""margin: 10px""></div>";
Assert.Equal(expected, sanitized);

There's an online demo, plus there's also a .NET Fiddle you can play with.

More example code and a description of possible options can be found in the Wiki.

Tags allowed by default

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, body br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, head, header, hr, html, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr

Attributes allowed by default

abbr, accept-charset, accept, accesskey, action, align, alt, autocomplete, autosave, axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset, checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime, dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href, hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength, media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum, pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev, reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src, start, step, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, wrap

Note: to prevent classjacking and interference with classes where the sanitized fragment is to be integrated, the class attribute is disallowed by default. It can be added as follows:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html);

CSS properties allowed by default

align-content, align-items, align-self, all, animation, animation-delay, animation-direction, animation-duration, animation-fill-mode, animation-iteration-count, animation-name, animation-play-state, animation-timing-function, backface-visibility, background, background-attachment, background-blend-mode, background-clip, background-color, background-image, background-origin, background-position, background-position-x, background-position-y, background-repeat, background-repeat-x, background-repeat-y, background-size, border, border-bottom, border-bottom-color, border-bottom-left-radius, border-bottom-right-radius, border-bottom-style, border-bottom-width, border-collapse, border-color, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-left, border-left-color, border-left-style, border-left-width, border-radius, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-left-radius, border-top-right-radius, border-top-style, border-top-width, border-width, bottom, box-decoration-break, box-shadow, box-sizing, break-after, break-before, break-inside, caption-side, caret-color, clear, clip, color, column-count, column-fill, column-gap, column-rule, column-rule-color, column-rule-style, column-rule-width, column-span, column-width, columns, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, filter, flex, flex-basis, flex-direction, flex-flow, flex-grow, flex-shrink, flex-wrap, float, font, font-family, font-feature-settings, font-kerning, font-language-override, font-size, font-size-adjust, font-stretch, font-style, font-synthesis, font-variant, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, font-weight, gap, grid, grid-area, grid-auto-columns, grid-auto-flow, grid-auto-rows, grid-column, grid-column-end, grid-column-gap, grid-column-start, grid-gap, grid-row, grid-row-end, grid-row-gap, grid-row-start, grid-template, grid-template-areas, grid-template-columns, grid-template-rows, hanging-punctuation, height, hyphens, image-rendering, isolation, justify-content, left, letter-spacing, line-break, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, mask, mask-clip, mask-composite, mask-image, mask-mode, mask-origin, mask-position, mask-repeat, mask-size, mask-type, max-height, max-width, min-height, min-width, mix-blend-mode, object-fit, object-position, opacity, order, orphans, outline, outline-color, outline-offset, outline-style, outline-width, overflow, overflow-wrap, overflow-x, overflow-y, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, perspective, perspective-origin, pointer-events, position, quotes, resize, right, row-gap, scroll-behavior, tab-size, table-layout, text-align, text-align-last, text-combine-upright, text-decoration, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style, text-indent, text-justify, text-orientation, text-overflow, text-shadow, text-transform, text-underline-position, top, transform, transform-origin, transform-style, transition, transition-delay, transition-duration, transition-property, transition-timing-function, unicode-bidi, user-select, vertical-align, visibility, white-space, widows, width, word-break, word-spacing, word-wrap, writing-mode, z-index

CSS at-rules allowed by default

namespace, style

style refers to style declarations within other at-rules such as @media. Disallowing @namespace while allowing other types of at-rules can lead to errors. Property declarations in @font-face and @viewport are not sanitized.

Note: the style tag is disallowed by default.

URI schemes allowed by default

http, https

Note: Protocol-relative URLs (e.g. //github.com) are allowed by default (as are other relative URLs).

to allow mailto: links:

sanitizer.AllowedSchemes.Add("mailto");

Default attributes that contain URIs

action, background, dynsrc, href, lowsrc, src

Thread safety

The Sanitize() and SanitizeDocument() methods are thread-safe, i.e. you can use these methods on a single shared instance from different threads provided you do not simultaneously set instance or static properties. A typical use case is that you prepare an HtmlSanitizer instance once (i.e. set desired properties such as AllowedTags etc.) from a single thread, then call Sanitize()/SanitizeDocument() from multiple threads.

Text content not necessarily preserved as-is

Please note that as the input is parsed by AngleSharp's HTML parser and then rendered back out, you cannot expect the text content to be preserved exactly as it was input, even if no elements or attributes were removed. Examples:

  • 4 < 5 becomes 4 &lt; 5
  • <SPAN>test</p> becomes <span>test<p></p></span>
  • <span title='test'>test</span> becomes <span title="test">test</span>

On the other hand, although some broken HTML is fixed by the parser, the output might still contain invalid HTML. Examples:

  • <div><li>test</li></div>
  • <ul><br><li>test</li></ul>
  • <h3><p>test</p></h3>

License

MIT License

More Repositories

1

ExcelMapper

An Excel to object mapper. Maps POCOs to and from Excel. Configuration via convention, attributes, or fluent methods.
C#
781
star
2

XmlSchemaClassGenerator

Generate C# classes from XML Schema files
HTML
589
star
3

SyncChanges

Synchronize/Replicate database changes using SQL Server Change Tracking
C#
124
star
4

CueGen

Create Rekordbox cue points from Mixed in Key
C#
87
star
5

Aicd

Acid pattern generator
Max
77
star
6

BorderlessForm

Borderless windows in Windows Forms with custom window decoration controls
C#
74
star
7

pdjs

JavaScript External for Pure Data based on V8
C++
66
star
8

Glob.cs

Path globbing for .NET
C#
61
star
9

AhoCorasick

Aho-Corasick multi-string search for .NET and SQL Server.
C#
57
star
10

DrumBrain

Drum pattern generator Max for Live device.
Max
48
star
11

MidiMorph

Max for Live device to interpolate between two MIDI clips
JavaScript
26
star
12

EmojiAddIn

Emoji for Outlook and Thunderbird
JavaScript
22
star
13

AsyncPluggableProtocol

C# Asynchronous Pluggable Protocol Handler
C#
16
star
14

MicroJson

A small two-file JSON serializer in C# that works on MonoDroid/MonoTouch
C#
11
star
15

IS24RestApi

Access the Immobilienscout24 Import/Export REST API using C#
C#
10
star
16

AttachFromClipboard

Create message attachments from the clipboard in Thunderbird
JavaScript
6
star
17

FileWatcher

File System Change Notification Service
C#
5
star
18

AutoLink

C# Autolinking
C#
3
star
19

RegexReplaceProvider

IIS Rewrite custom provider to perform regex replacements
C#
2
star
20

CheckboxColumn

A checkbox column for Thunderbird
JavaScript
2
star
21

ZopfliDll

Zopfli for IIS
C
2
star
22

NuGetFeed

NuGet Package Versions RSS Feed
C#
2
star
23

XmlValidator

Validate XML files against XML schemas.
C#
1
star
24

IisGzip

A command line wrapper around the IIS gzip compression DLL
C++
1
star