Add HtmlSanitizerOptions #359

Merged
merged 14 commits into from
Jul 12, 2022
15 changes: 15 additions & 0 deletions src/HtmlSanitizer/HtmlSanitizer.cs
Expand Up @@ -66,6 +66,21 @@ public class HtmlSanitizer : IHtmlSanitizer

private static readonly HtmlParser defaultHtmlParser = new(new HtmlParserOptions(), BrowsingContext.New(defaultConfiguration));

/// <summary>
/// Initializes a new instance of the <see cref="HtmlSanitizer"/> class.
/// </summary>
/// <param name="options">Options to control the sanitizing.</param>
public HtmlSanitizer(HtmlSanitizerOptions options)
{
AllowedTags = new HashSet<string>(options.AllowedTags, StringComparer.OrdinalIgnoreCase);
AllowedSchemes = new HashSet<string>(options.AllowedSchemes, StringComparer.OrdinalIgnoreCase);
AllowedAttributes = new HashSet<string>(options.AllowedAttributes, StringComparer.OrdinalIgnoreCase);
UriAttributes = new HashSet<string>(options.UriAttributes, StringComparer.OrdinalIgnoreCase);
AllowedClasses = new HashSet<string>(options.AllowedCssClasses, StringComparer.OrdinalIgnoreCase);
AllowedCssProperties = new HashSet<string>(options.AllowedCssProperties, StringComparer.OrdinalIgnoreCase);
AllowedAtRules = new HashSet<CssRuleType>(options.AllowedAtRules);
}

/// <summary>
/// Initializes a new instance of the <see cref="HtmlSanitizer"/> class.
/// </summary>
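Review bot: The new constructor dereferences `options` on its first assignment without a null check, so a null argument surfaces as a NullReferenceException instead of an ArgumentNullException; add `if (options is null) throw new ArgumentNullException(nameof(options));` before the assignments. Because every set is copied into a fresh HashSet, later changes to the options object do not reach the sanitizer, and an options object left at its defaults (empty sets in HtmlSanitizerOptions.cs) produces a sanitizer whose allowlists are all empty; the `<param>` doc should state the copy semantics, e.g. `/// <param name="options">Options to control the sanitizing. The option sets are copied; changing them afterwards does not affect this instance.</param>`. AllowedClasses is built with StringComparer.OrdinalIgnoreCase although HtmlSanitizerOptions initializes AllowedCssClasses case-sensitively, so entries that differ only in case collapse on copy and the class allowlist silently becomes case-insensitive — the two files should agree on one comparer (this point applies to the HtmlSanitizerOptions.cs hunk as well). The enclosing class continues outside the hunk, so whether the parameterless constructor's defaults differ from these empty defaults cannot be confirmed here.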
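--- /dev/null
+++ b/src/HtmlSanitizer/HtmlSanitizerOptions.cs
@@ -0,0 +1,47 @@
+using AngleSharp.Css.Dom;
+using System;
+using System.Collections.Generic;
+
+namespace Ganss.XSS
+{
+/// <summary>
+/// Provides options to be used with <see cref="HtmlSanitizer"/>.
+/// </summary>
+public class HtmlSanitizerOptions
+{
+/// <summary>
+/// Gets or sets the allowed tag names such as "a" and "div".
+/// </summary>
+public ISet<string> AllowedTags { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+/// <summary>
+/// Gets or sets the allowed HTML attributes such as "href" and "alt".
+/// </summary>
+public ISet<string> AllowedAttributes { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+/// <summary>
+/// Gets or sets the allowed CSS classes.
+/// </summary>
+public ISet<string> AllowedCssClasses { get; set; } = new HashSet<string>();
+
+/// <summary>
+/// Gets or sets the allowed CSS properties such as "font" and "margin".
+/// </summary>
+public ISet<string> AllowedCssProperties { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+/// <summary>
+/// Gets or sets the allowed CSS at-rules such as "@media" and "@font-face".
+/// </summary>
+public ISet<CssRuleType> AllowedAtRules { get; set; } = new HashSet<CssRuleType>();
+
+/// <summary>
+/// Gets or sets the allowed URI schemes such as "http" and "https".
+/// </summary>
+public ISet<string> AllowedSchemes { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+
+/// <summary>
+/// Gets or sets the HTML attributes that can contain a URI such as "href".
+/// </summary>
+public ISet<string> UriAttributes { get; set; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+}
+}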
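Review bot: Every property here has a public setter typed as ISet with no null guard, so `options.AllowedTags = null` is accepted by this class and only fails later in the HtmlSanitizer constructor that copies the sets; either reject null in the setters or state the non-null requirement in the property docs. The summaries also leave unsaid that these are allowlists whose defaults are empty, which is what makes the type safe to use in its default state but surprising to callers; a class-level remark along the lines of `/// All sets are allowlists; an item is kept by the sanitizer only if it is listed, so a default-constructed instance allows nothing — confirm against HtmlSanitizer's handling of unlisted items.` would close that gap. `AllowedCssClasses` on the line `new HashSet<string>()` is the only set created without StringComparer.OrdinalIgnoreCase, which is inconsistent with its siblings and with the consuming constructor; that mismatch is raised on the HtmlSanitizer.cs hunk.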
25 changes: 25 additions & 0 deletions test/HtmlSanitizer.Tests/Tests.cs
Expand Up @@ -3352,5 +3352,30 @@ public void HexColorTest()

Assert.Equal(@"<p style=""color: rgba(0, 0, 0, 1)"">Text</p>", sanitized);
}

[Fact]
public void WithOptions()
{
// Arrange
var options = new HtmlSanitizerOptions
{
AllowedTags = new HashSet<string>() { "strong", "em", "p" },
AllowedAttributes = new HashSet<string>() { "title" },
AllowedCssClasses = new HashSet<string>(),
AllowedCssProperties = new HashSet<string>(),
AllowedAtRules = new HashSet<CssRuleType>(),
AllowedSchemes = new HashSet<string>() { "https" },
UriAttributes = new HashSet<string>()
};
var sanitizer = new HtmlSanitizer(options);

// Act
var htmlFragment = "<strong>Lorem ipsum</strong>";
var actual = sanitizer.Sanitize(htmlFragment);

// Assert
var expected = "<strong>Lorem ipsum</strong>";
Assert.Equal(expected, actual);
}
}
}
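Review bot: The test only asserts that an allowed element survives, which a sanitizer that ignored `options` entirely would presumably also pass, so it does not demonstrate that the options were applied; a negative case is needed, for instance an input such as `<strong class="x">Lorem ipsum</strong>` with the expected output `<strong>Lorem ipsum</strong>`, since `class` is not in AllowedAttributes and no CSS class is allowed (confirm the exact expected string against how the sanitizer drops unlisted attributes). The explicit empty-set assignments from `AllowedCssClasses = new HashSet<string>(),` through `UriAttributes = new HashSet<string>()` duplicate the defaults of HtmlSanitizerOptions; dropping them would shorten the test, or a comment should say they are deliberate to pin the empty-allowlist case. The test class continues outside the hunk.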