HtmlSanitizer
Cleans HTML documents and fragments from constructs that can lead to XSS attacks.
The default regex for disallowed CSS property values.
Gets or sets the default Func<T> object that creates the parser used for parsing the input.
Gets or sets the default value indicating whether to keep child nodes of elements that are removed. Default is false.
Gets or sets the default IMarkupFormatter object used for generating output. Default is Instance.
Gets or sets the default IStyleFormatter object used for generating CSS output. Default is Instance.
Allows all HTML5 data attributes, i.e. the attributes prefixed with data-.
Gets or sets the allowed CSS at-rules such as "@media" and "@font-face".
Gets or sets the allowed HTML attributes such as "href" and "alt".
Gets or sets the allowed CSS classes. If the set is empty, all classes will be allowed.
Gets or sets the allowed CSS properties such as "font" and "margin".
Gets or sets the allowed URI schemes such as "http" and "https".
Gets or sets the allowed HTML tag names such as "a" and "div".
Gets or sets a regex that must not match for legal CSS property values.
Gets or sets the default Action<T> method that encodes comments.
Gets or sets the default Action<T> method that encodes literal text content.
Gets or sets the Func<T> object that creates the parser used for parsing the input.
Gets or sets a value indicating whether to keep child nodes of elements that are removed. Default is DefaultKeepChildNodes.
Gets or sets the IMarkupFormatter object used for generating output. Default is DefaultOutputFormatter.
Gets or sets the IStyleFormatter object used for generating CSS output. Default is DefaultStyleFormatter.
Gets or sets the HTML attributes that can contain a URI such as "href".
Occurs when a URL is being sanitized.
Occurs after sanitizing the document and post processing nodes.
Occurs for every node after sanitizing.
Occurs before an at-rule is removed.
Occurs before an attribute is removed.
Occurs before a comment is removed.
Occurs before a CSS class is removed.
Occurs before a style is removed.
Occurs before a tag is removed.
public HtmlSanitizer()
Initializes a new instance of the HtmlSanitizer class with the default options.
Initializes a new instance of the HtmlSanitizer class with the given options.
Decodes CSS Unicode escapes and removes comments.
Tries to create a safe Iri object from a string.
Raises the FilterUrl event.
Raises the PostProcessDom event.
Raises the PostProcessNode event.
Raises the RemovingAtRule event.
Raises the RemovingAttribute event.
Raises the RemovingComment event.
Raises the RemovingCSSClass event.
Raises the RemovingStyle event.
Raises the RemovingTag event.
Sanitizes the specified HTML body fragment. If a document is given, only the body part will be returned.
public string SanitizeDocument(string html, string baseUrl = "", IMarkupFormatter outputFormatter = null)
Sanitizes the specified HTML document. Even if only a fragment is given, a whole document will be returned.
public string SanitizeDocument(Stream html, string baseUrl = "", IMarkupFormatter outputFormatter = null)
Sanitizes the specified HTML document. Even if only a fragment is given, a whole document will be returned.
Sanitizes the specified HTML body fragment. If a document is given, only the body part will be returned.
public IHtmlDocument SanitizeDom(IHtmlDocument document, IHtmlElement context = null, string baseUrl = "")
Sanitizes the specified parsed HTML body fragment.
If the document has not been parsed with CSS support, all styles will be removed.
Sanitizes the style.
Sanitizes a URL.
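As an added example (not part of the library's own documentation), the following configures a sanitizer from the allow-lists listed above and subscribes to the Removing* events to record what was stripped from untrusted input. It assumes the Ganss.Xss namespace of the HtmlSanitizer NuGet package and the Sanitize(string, string, IMarkupFormatter) fragment overload, whose name is not shown on this page; the input HTML is constructed for the example.

```csharp
using System;
using Ganss.Xss; // assumed package namespace (Ganss.XSS in older releases)

class Program
{
    static void Main()
    {
        var sanitizer = new HtmlSanitizer();

        // Allow only what a comment box needs; anything not listed is removed.
        sanitizer.AllowedTags.Clear();
        sanitizer.AllowedTags.UnionWith(new[] { "p", "a", "b", "i", "code" });
        sanitizer.AllowedAttributes.Clear();
        sanitizer.AllowedAttributes.Add("href");
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.UnionWith(new[] { "http", "https" });
        sanitizer.AllowDataAttributes = false;

        // The Removing* events fire before each removal; logging them gives
        // defenders a record of which inputs carried disallowed constructs.
        sanitizer.RemovingTag += (sender, e) =>
            Console.WriteLine($"removed tag <{e.Tag.TagName.ToLowerInvariant()}>: {e.Reason}");
        sanitizer.RemovingAttribute += (sender, e) =>
            Console.WriteLine($"removed attribute {e.Attribute.Name} on " +
                              $"<{e.Tag.TagName.ToLowerInvariant()}>: {e.Reason}");

        // Constructed untrusted input: an inline event handler, a javascript:
        // URI, a relative link and a script element.
        const string untrusted =
            "<p onmouseover=\"alert(1)\">Hi <a href=\"javascript:alert(1)\">click</a> " +
            "<a href=\"/docs\">relative</a><script>alert(1)</script></p>";

        // baseUrl lets relative URLs be resolved and checked against AllowedSchemes.
        string fragment = sanitizer.Sanitize(untrusted, baseUrl: "https://example.com/");
        Console.WriteLine(fragment);

        // SanitizeDocument applies the same rules but always returns a full document.
        string document = sanitizer.SanitizeDocument(untrusted, baseUrl: "https://example.com/");
        Console.WriteLine(document);
    }
}
```

The event handlers print the elements and attributes dropped because they are not in the allow-lists, while the javascript: href is removed by the scheme check.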