HtmlSanitizer
Cleans HTML documents and fragments from constructs that can lead to XSS attacks.
The default regex for disallowed CSS property values.
The default allowed CSS at-rules.
The default allowed HTML attributes.
The default allowed CSS classes.
The default allowed CSS properties.
The default allowed URI schemes.
The default allowed HTML tag names.
Gets or sets the default Func<T> object that creates the parser used for parsing the input.
Gets or sets the default value indicating whether to keep child nodes of elements that are removed. Default is false.
Gets or sets the default IMarkupFormatter object used for generating output. Default is Instance.
The default URI attributes.
Gets or sets a value indicating whether to allow all HTML5 data attributes, i.e. attributes whose names are prefixed with data-.
Gets or sets the allowed CSS at-rules such as "@media" and "@font-face".
Gets or sets the allowed HTML attributes such as "href" and "alt".
Gets or sets the allowed CSS classes. If the set is empty, all classes will be allowed.
Gets or sets the allowed CSS properties such as "font" and "margin".
Gets or sets the allowed URI schemes such as "http" and "https". A URI attribute whose scheme is not in this set (for example "javascript:") is removed.
Gets or sets the allowed HTML tag names such as "a" and "div".
Gets or sets a regex that must not match for legal CSS property values.
Gets or sets the Func<T> object that creates the parser used for parsing the input.
Gets or sets a value indicating whether to keep child nodes of elements that are removed. Default is DefaultKeepChildNodes.
Gets or sets the IMarkupFormatter object used for generating output. Default is DefaultOutputFormatter.
Gets or sets the HTML attributes that can contain a URI such as "href".
Occurs when a URL is being sanitized.
Occurs after sanitizing the document and post processing nodes.
Occurs for every node after sanitizing.
Occurs before an at-rule is removed.
Occurs before an attribute is removed.
Occurs before a comment is removed.
Occurs before a CSS class is removed.
Occurs before a style is removed.
Occurs before a tag is removed.
public HtmlSanitizer(IEnumerable<string> allowedTags = null, IEnumerable<string> allowedSchemes = null, IEnumerable<string> allowedAttributes = null, IEnumerable<string> uriAttributes = null, IEnumerable<string> allowedCssProperties = null)
Initializes a new instance of the HtmlSanitizer class. Any argument left null falls back to the corresponding default set (DefaultAllowedTags, DefaultAllowedSchemes, DefaultAllowedAttributes, DefaultUriAttributes, DefaultAllowedCssProperties).
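The following is an added example, not code from the HtmlSanitizer project or its documentation. It shows the allowlist properties and the Removing* events described above working together: a deliberately restrictive sanitizer for user comments, with the removal events hooked for audit logging. It assumes the Ganss.Xss namespace used by current NuGet releases (older releases used Ganss.XSS); the class name CommentSanitizer and the hostile sample input are constructed for the example.

```csharp
using System;
using Ganss.Xss;

// Added example (not from the HtmlSanitizer docs): a restrictive sanitizer for
// user comments, with the removal events hooked for audit logging.
// Assumes the Ganss.Xss namespace of current NuGet releases (older ones used Ganss.XSS).
public static class CommentSanitizer
{
    public static HtmlSanitizer Create()
    {
        // Passing an explicit set replaces the corresponding default; null keeps the default.
        var sanitizer = new HtmlSanitizer(
            allowedTags: new[] { "p", "br", "b", "i", "em", "strong", "a", "code" },
            allowedSchemes: new[] { "https" },            // no http:, no mailto:, never javascript:
            allowedAttributes: new[] { "href", "title" },
            uriAttributes: new[] { "href" },              // values of these go through URL sanitizing
            allowedCssProperties: Array.Empty<string>()); // inline styles: nothing survives

        // The allowlists are ordinary mutable sets and can be tightened after construction.
        sanitizer.AllowedAttributes.Remove("title");
        sanitizer.AllowedClasses.Add("mention");  // non-empty set: only this class is kept
        sanitizer.AllowDataAttributes = false;    // no data-* attributes

        // Each Removing* event fires before the node, attribute or class is dropped.
        // e.Reason says why. Setting e.Cancel = true would keep the item, so never do
        // that for anything user-controlled without a stricter check of your own.
        sanitizer.RemovingTag += (_, e) =>
            Console.Error.WriteLine($"drop <{e.Tag.TagName.ToLowerInvariant()}>: {e.Reason}");
        sanitizer.RemovingAttribute += (_, e) =>
            Console.Error.WriteLine($"drop {e.Attribute.Name} on <{e.Tag.TagName.ToLowerInvariant()}>: {e.Reason}");
        sanitizer.RemovingCssClass += (_, e) =>
            Console.Error.WriteLine($"drop class {e.CssClass}: {e.Reason}");

        return sanitizer;
    }

    // Constructed hostile input: inline handler, javascript: URL, script tag, data-* attribute.
    const string Hostile =
        "<p class=\"mention x\" data-id=\"7\" onclick=\"alert(1)\">Hi " +
        "<a href=\"javascript:alert(1)\">me</a> <a href=\"https://example.com/\">ok</a></p>" +
        "<script>alert(1)</script>";

    public static string Run()
    {
        var sanitizer = Create();
        // Sanitize() treats the input as a body fragment and returns body markup only.
        return sanitizer.Sanitize(Hostile);
    }
}
```

Build the sanitizer once and reuse it: the allowlists are part of its state, so a per-request instance invites drift between call sites. Logging from the events (rather than cancelling removals) keeps the sanitizer's decisions authoritative while still surfacing who is submitting script-bearing markup.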
Decodes CSS unicode escapes and removes comments.
Tries to create a safe Iri object from a string.
Raises the RemovingUrl event.
Raises the PostProcessDom event.
Raises the PostProcessNode event.
Raises the RemovingAtRule event.
Raises the RemovingAttribute event.
Raises the RemovingComment event.
Raises the RemovingCSSClass event.
Raises the RemovingStyle event.
Raises the RemovingTag event.
Sanitizes the specified HTML body fragment. If a document is given, only the body part will be returned.
public string SanitizeDocument(string html, string baseUrl = "", IMarkupFormatter outputFormatter = null)
Sanitizes the specified HTML document. Even if only a fragment is given, a whole document will be returned.
public string SanitizeDocument(Stream html, string baseUrl = "", IMarkupFormatter outputFormatter = null)
Sanitizes the specified HTML document. Even if only a fragment is given, a whole document will be returned.
Sanitizes the specified HTML body fragment. If a document is given, only the body part will be returned.
public IHtmlDocument SanitizeDom(IHtmlDocument document, IHtmlElement context = null, string baseUrl = "")
Sanitizes the specified parsed HTML body fragment.
If the document has not been parsed with CSS support then all styles will be removed.
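The following is an added example, not code from the HtmlSanitizer project or its documentation. It contrasts the three entry points listed above on one constructed document: Sanitize (body fragment out), SanitizeDocument (whole document out), and SanitizeDom on a pre-parsed document, once without and once with CSS support, to make the "all styles will be removed" caveat visible. It assumes the Ganss.Xss namespace and the AngleSharp / AngleSharp.Css packages the library depends on; the class name SanitizeModes, the sample markup and the base URL are constructed for the example.

```csharp
using AngleSharp;
using AngleSharp.Css;
using AngleSharp.Html.Parser;
using Ganss.Xss;

// Added example (not from the HtmlSanitizer docs) contrasting the sanitizer's entry points.
// Assumes Ganss.Xss (current namespace) and the AngleSharp.Css package the library depends on.
public static class SanitizeModes
{
    // Constructed input: a complete document with a relative link, an inline style and a script.
    const string Input =
        "<html><head><title>t</title></head><body>" +
        "<p style=\"color: red\">Hi <a href=\"../next\">next</a></p>" +
        "<script>alert(1)</script></body></html>";

    // Constructed base URL; relative URIs in URI attributes are resolved against it.
    const string Base = "https://example.com/docs/a/";

    // Fragment mode: even though a whole document goes in, only the body content comes back,
    // and ../next is rewritten to an absolute https URL because a baseUrl was supplied.
    public static string AsFragment()
        => new HtmlSanitizer().Sanitize(Input, Base);

    // Document mode: head and body are both sanitized and a complete document is returned,
    // which is also what happens when the caller passes only a fragment.
    public static string AsDocument()
        => new HtmlSanitizer().SanitizeDocument(Input, Base);

    // DOM mode, parsed WITHOUT CSS support: the sanitizer cannot inspect the declarations,
    // so every style attribute is removed as a fail-safe.
    public static string DomWithoutCss()
    {
        var doc = new HtmlParser().ParseDocument(Input);
        new HtmlSanitizer().SanitizeDom(doc, baseUrl: Base);
        return doc.Body.InnerHtml;
    }

    // DOM mode with a CSS-aware parser: declarations are parsed, so allowed properties such
    // as color survive while the values still pass the disallowed-value regex and URL checks.
    public static string DomWithCss()
    {
        var context = BrowsingContext.New(Configuration.Default.WithCss());
        var parser = new HtmlParser(new HtmlParserOptions(), context);
        var doc = parser.ParseDocument(Input);
        new HtmlSanitizer().SanitizeDom(doc, baseUrl: Base);
        return doc.Body.InnerHtml;
    }
}
```

When you parse documents yourself and hand them to SanitizeDom, configure the parser the same way the sanitizer's own HtmlParserFactory does (with CSS support); otherwise styled markup is silently stripped, which is safe but may not be what the caller expects. Use SanitizeDocument when the head (title, meta, link elements) must be preserved, and Sanitize when the result is embedded into a page you already control.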
Sanitizes the style.
Sanitizes a URL.