Michael Ganss edited this page Jun 12, 2020 · 13 revisions

Sanitizing Options

HtmlSanitizer has a few flags that can be set to affect how the input string is parsed:

| Name | Description | Default |
| --- | --- | --- |
| KeepChildNodes | If true, child nodes of elements that are removed will be kept. | false |
| AllowDataAttributes | If true, all HTML5 data attributes (attributes prefixed with data-) are allowed. | false |

Default values allowed by HtmlSanitizer:

HtmlSanitizer works by allowing only a set of specific elements/attributes, rather than looking for specific exploits.

Allowed Tags

The following HTML elements are allowed by default:

a abbr acronym address area article
aside b bdi big blockquote br
button caption center cite code col
colgroup data datalist dd del details
dfn dir div dl dt em
fieldset figcaption figure font footer form
h1 h2 h3 h4 h5 h6
header hr i img input ins
kbd keygen label legend li main
map mark menu menuitem meter nav
ol optgroup option output p pre
progress q rp rt ruby s
samp section select small span strike
strong sub summary sup table tbody
td textarea tfoot th thead time
tr tt u ul var wbr

Allowed Attributes

The following attributes are allowed by default:

abbr accept accept-charset accesskey action
align alt autocomplete autosave axis
bgcolor border cellpadding cellspacing challenge
char charoff charset checked cite
clear color cols colspan compact
contenteditable coords datetime dir disabled
draggable dropzone enctype for frame
headers height high href hreflang
hspace ismap keytype label lang
list longdesc low max maxlength
media method min multiple name
nohref noshade novalidate nowrap open
optimum pattern placeholder prompt pubdate
radiogroup readonly rel required rev
reversed rows rowspan rules scope
selected shape size span spellcheck
src start

Note: to prevent classjacking and interference with classes where the sanitized fragment is to be integrated, the class attribute is not in the whitelist by default. It can be added as follows:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html);

Allowed CSS properties

The following properties are allowed when using a style attribute:

background background-attachment background-color background-image
background-position background-repeat border border-bottom
border-bottom-color border-bottom-style border-bottom-width border-collapse
border-color border-left border-left-color border-left-style
border-left-width border-right border-right-color border-right-style
border-right-width border-spacing border-style border-top
border-top-color border-top-style border-top-width border-width
bottom caption-side clear clip
color content counter-increment counter-reset
cursor direction display empty-cells
float font font-family font-size
font-style font-variant font-weight height
left letter-spacing line-height list-style
list-style-image list-style-position list-style-type margin
margin-bottom margin-left margin-right margin-top
max-height max-width min-height min-width
opacity orphans outline outline-color
outline-style outline-width overflow padding
padding-bottom padding-left padding-right padding-top
page-break-after page-break-before page-break-inside quotes
right table-layout text-align text-decoration
text-indent text-transform top unicode-bidi
vertical-align visibility white-space widows
width word-spacing z-index

Allowed CSS at-rules

namespace, style

style refers to style declarations within other at-rules such as @media. Disallowing @namespace while allowing other types of at-rules can lead to errors. Property declarations in @font-face and @viewport are not sanitized.

Note: the style tag is disallowed by default.

Allowed URI schemes

http, https

Note: Protocol-relative URLs (e.g. //github.com) are allowed by default (as are other relative URLs).

To allow mailto: links:

sanitizer.AllowedSchemes.Add("mailto");

Allowed attributes that contain URIs

action, background, dynsrc, href, lowsrc, src
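
The defaults and options described on this page, run side by side over the same input. This is an added example, not code from the HtmlSanitizer project; the sample fragments, the `custom-box` element and the `SanitizerOptionsDemo` class are constructed for illustration, and the `Ganss.XSS` namespace is assumed from releases of the period this page was edited (newer releases use `Ganss.Xss`).

```csharp
using System;
using Ganss.XSS; // assumed namespace for releases of this period; newer releases use Ganss.Xss

public static class SanitizerOptionsDemo
{
    // Constructed sample input: one fragment per default rule listed on this page.
    static readonly string[] Samples =
    {
        "<a href=\"javascript:alert(1)\">js link</a>",          // scheme is not http or https
        "<a href=\"mailto:user@example.com\">mail</a>",         // mailto is not an allowed scheme by default
        "<a href=\"//example.com/x\">protocol-relative</a>",    // relative URLs are allowed by default
        "<p class=\"admin-banner\" data-id=\"7\">text</p>",     // class and data-* are not allowed by default
        "<custom-box><b>child</b></custom-box>",                // hypothetical element, not in the allowed tags
        "<div style=\"color:red;position:fixed\">styled</div>", // position is not in the allowed CSS properties
    };

    public static void Main()
    {
        // Sanitizer with the default allowlists from this page.
        var defaults = new HtmlSanitizer();

        // Sanitizer with each option from this page switched on.
        var relaxed = new HtmlSanitizer
        {
            KeepChildNodes = true,      // keep child nodes of removed elements
            AllowDataAttributes = true  // allow all data-* attributes
        };
        relaxed.AllowedSchemes.Add("mailto");   // permit mailto: links
        relaxed.AllowedAttributes.Add("class"); // permit class (see the classjacking note)

        // Print both results so the effect of every relaxation can be reviewed
        // before it is adopted in an application.
        foreach (var html in Samples)
        {
            Console.WriteLine("input:   " + html);
            Console.WriteLine("default: " + defaults.Sanitize(html));
            Console.WriteLine("relaxed: " + relaxed.Sanitize(html));
            Console.WriteLine();
        }
    }
}
```

Comparing the two output columns shows exactly what each relaxation lets through, which is the review to do before enabling `class`, `data-` attributes or an extra scheme for untrusted input.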