Merge pull request #359 from vanillajonathan/patch-2

mganss · web-flow · commit d9368e1c8313 · 2022-07-12T10:54:18.000+02:00
Add HtmlSanitizerOptions
diff --git a/src/HtmlSanitizer/HtmlSanitizer.cs b/src/HtmlSanitizer/HtmlSanitizer.cs
@@ -66,6 +66,21 @@ public class HtmlSanitizer : IHtmlSanitizer
 
         private static readonly HtmlParser defaultHtmlParser = new(new HtmlParserOptions(), BrowsingContext.New(defaultConfiguration));
 
+        /// <summary>
+        /// Initializes a new instance of the <see cref="HtmlSanitizer"/> class.
+        /// </summary>
+        /// <param name="options">Options to control the sanitizing.</param>
+        public HtmlSanitizer(HtmlSanitizerOptions options)
+        {
+            AllowedTags = new HashSet<string>(options.AllowedTags, StringComparer.OrdinalIgnoreCase);
+            AllowedSchemes = new HashSet<string>(options.AllowedSchemes, StringComparer.OrdinalIgnoreCase);
+            AllowedAttributes = new HashSet<string>(options.AllowedAttributes, StringComparer.OrdinalIgnoreCase);
+            UriAttributes = new HashSet<string>(options.UriAttributes, StringComparer.OrdinalIgnoreCase);
+            AllowedClasses = new HashSet<string>(options.AllowedCssClasses, StringComparer.OrdinalIgnoreCase);
+            AllowedCssProperties = new HashSet<string>(options.AllowedCssProperties, StringComparer.OrdinalIgnoreCase);
+            AllowedAtRules = new HashSet<CssRuleType>(options.AllowedAtRules);
+        }
+
         /// <summary>
         /// Initializes a new instance of the <see cref="HtmlSanitizer"/> class.
         /// </summary>
diff --git a/src/HtmlSanitizer/HtmlSanitizerOptions.cs b/src/HtmlSanitizer/HtmlSanitizerOptions.cs
@@ -0,0 +1,47 @@
+using AngleSharp.Css.Dom;
+using System;
+using System.Collections.Generic;
+
+namespace Ganss.XSS
+{
+    /// <summary>
+    /// Provides options to be used with <see cref="HtmlSanitizer"/>.
+    /// </summary>
+    public class HtmlSanitizerOptions
+    {
+        /// <summary>
+        /// Gets or sets the allowed tag names such as "a" and "div".
+        /// </summary>
+        public ISet<string> AllowedTags { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        
+        /// <summary>
+        /// Gets or sets the allowed HTML attributes such as "href" and "alt".
+        /// </summary>
+        public ISet<string> AllowedAttributes { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        
+        /// <summary>
+        /// Gets or sets the allowed CSS classes.
+        /// </summary>
+        public ISet<string> AllowedCssClasses { get; set; } = new HashSet<string>();
+        
+        /// <summary>
+        /// Gets or sets the allowed CSS properties such as "font" and "margin".
+        /// </summary>
+        public ISet<string> AllowedCssProperties { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        
+        /// <summary>
+        /// Gets or sets the allowed CSS at-rules such as "@media" and "@font-face".
+        /// </summary>
+        public ISet<CssRuleType> AllowedAtRules { get; set; } = new HashSet<CssRuleType>();
+        
+        /// <summary>
+        /// Gets or sets the allowed URI schemes such as "http" and "https".
+        /// </summary>
+        public ISet<string> AllowedSchemes { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        
+        /// <summary>
+        /// Gets or sets the HTML attributes that can contain a URI such as "href".
+        /// </summary>
+        public ISet<string> UriAttributes { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+    }
+}
diff --git a/test/HtmlSanitizer.Tests/Tests.cs b/test/HtmlSanitizer.Tests/Tests.cs
@@ -3352,5 +3352,30 @@ public void HexColorTest()
 
             Assert.Equal(@"<p style=""color: rgba(0, 0, 0, 1)"">Text</p>", sanitized);
         }
+        
+        [Fact]
+        public void WithOptions()
+        {
+            // Arrange
+            var options = new HtmlSanitizerOptions
+            {
+                AllowedTags = new HashSet<string>() { "strong", "em", "p" },
+                AllowedAttributes = new HashSet<string>() { "title" },
+                AllowedCssClasses = new HashSet<string>(),
+                AllowedCssProperties = new HashSet<string>(),
+                AllowedAtRules = new HashSet<CssRuleType>(),
+                AllowedSchemes = new HashSet<string>() { "https" },
+                UriAttributes = new HashSet<string>()
+            };
+            var sanitizer = new HtmlSanitizer(options);
+
+            // Act
+            var htmlFragment = "<strong>Lorem ipsum</strong>";
+            var actual = sanitizer.Sanitize(htmlFragment);
+
+            // Assert
+            var expected = "<strong>Lorem ipsum</strong>";
+            Assert.Equal(expected, actual);
+        }
     }
 }
