HtmlSanitizer 8.2.871-beta

This is a prerelease version of HtmlSanitizer.
dotnet add package HtmlSanitizer --version 8.2.871-beta                
NuGet\Install-Package HtmlSanitizer -Version 8.2.871-beta                
This command is intended to be used within the Package Manager Console in Visual Studio, as it uses the NuGet module's version of Install-Package.
<PackageReference Include="HtmlSanitizer" Version="8.2.871-beta" />                
For projects that support PackageReference, copy this XML node into the project file to reference the package.
paket add HtmlSanitizer --version 8.2.871-beta                
#r "nuget: HtmlSanitizer, 8.2.871-beta"                
#r directive can be used in F# Interactive and Polyglot Notebooks. Copy this into the interactive tool or source code of the script to reference the package.
// Install HtmlSanitizer as a Cake Addin
#addin nuget:?package=HtmlSanitizer&version=8.2.871-beta&prerelease

// Install HtmlSanitizer as a Cake Tool
#tool nuget:?package=HtmlSanitizer&version=8.2.871-beta&prerelease                

HtmlSanitizer

NuGet version Build status codecov.io Sonarcloud Quality Gate

netstandard2.0 net46

HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. It uses AngleSharp to parse, manipulate, and render HTML and CSS.

Because HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental "tag poisoning" where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.

In order to facilitate different use cases, HtmlSanitizer can be customized at several levels:

  • Configure allowed HTML tags through the property AllowedTags. All other tags will be stripped.
  • Configure allowed HTML attributes through the property AllowedAttributes. All other attributes will be stripped.
  • Configure allowed CSS property names through the property AllowedCssProperties. All other styles will be stripped.
  • Configure allowed CSS at-rules through the property AllowedAtRules. All other at-rules will be stripped.
  • Configure allowed URI schemes through the property AllowedSchemes. All other URIs will be stripped.
  • Configure HTML attributes that contain URIs (such as "src", "href" etc.) through the property UriAttributes.
  • Provide a base URI that will be used to resolve relative URIs against.
  • Cancelable events are raised before a tag, attribute, or style is removed.

Usage

Install the HtmlSanitizer NuGet package. Then:

using Ganss.Xss;
var sanitizer = new HtmlSanitizer();
var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
    + @"style=""background-color: rgba(0, 0, 0, 1)"">Test<img src=""test.png"""
    + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
var sanitized = sanitizer.Sanitize(html, "https://www.example.com");
var expected = @"<div style=""background-color: rgba(0, 0, 0, 1)"">"
    + @"Test<img src=""https://www.example.com/test.png"" style=""margin: 10px""></div>";
Assert.Equal(expected, sanitized);

There's an online demo, plus there's also a .NET Fiddle you can play with.

More example code and a description of possible options can be found in the Wiki.

Tags allowed by default

a, abbr, acronym, address, area, article, aside, b, bdi, big, blockquote, body br, button, caption, center, cite, code, col, colgroup, data, datalist, dd, del, details, dfn, dir, div, dl, dt, em, fieldset, figcaption, figure, font, footer, form, h1, h2, h3, h4, h5, h6, head, header, hr, html, i, img, input, ins, kbd, keygen, label, legend, li, main, map, mark, menu, menuitem, meter, nav, ol, optgroup, option, output, p, pre, progress, q, rp, rt, ruby, s, samp, section, select, small, span, strike, strong, sub, summary, sup, table, tbody, td, textarea, tfoot, th, thead, time, tr, tt, u, ul, var, wbr

Attributes allowed by default

abbr, accept-charset, accept, accesskey, action, align, alt, autocomplete, autosave, axis, bgcolor, border, cellpadding, cellspacing, challenge, char, charoff, charset, checked, cite, clear, color, cols, colspan, compact, contenteditable, coords, datetime, dir, disabled, draggable, dropzone, enctype, for, frame, headers, height, high, href, hreflang, hspace, ismap, keytype, label, lang, list, longdesc, low, max, maxlength, media, method, min, multiple, name, nohref, noshade, novalidate, nowrap, open, optimum, pattern, placeholder, prompt, pubdate, radiogroup, readonly, rel, required, rev, reversed, rows, rowspan, rules, scope, selected, shape, size, span, spellcheck, src, start, step, style, summary, tabindex, target, title, type, usemap, valign, value, vspace, width, wrap

Note: to prevent classjacking and interference with classes where the sanitized fragment is to be integrated, the class attribute is disallowed by default. It can be added as follows:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html);

CSS properties allowed by default

align-content, align-items, align-self, all, animation, animation-delay, animation-direction, animation-duration, animation-fill-mode, animation-iteration-count, animation-name, animation-play-state, animation-timing-function, backface-visibility, background, background-attachment, background-blend-mode, background-clip, background-color, background-image, background-origin, background-position, background-position-x, background-position-y, background-repeat, background-repeat-x, background-repeat-y, background-size, border, border-bottom, border-bottom-color, border-bottom-left-radius, border-bottom-right-radius, border-bottom-style, border-bottom-width, border-collapse, border-color, border-image, border-image-outset, border-image-repeat, border-image-slice, border-image-source, border-image-width, border-left, border-left-color, border-left-style, border-left-width, border-radius, border-right, border-right-color, border-right-style, border-right-width, border-spacing, border-style, border-top, border-top-color, border-top-left-radius, border-top-right-radius, border-top-style, border-top-width, border-width, bottom, box-decoration-break, box-shadow, box-sizing, break-after, break-before, break-inside, caption-side, caret-color, clear, clip, color, column-count, column-fill, column-gap, column-rule, column-rule-color, column-rule-style, column-rule-width, column-span, column-width, columns, content, counter-increment, counter-reset, cursor, direction, display, empty-cells, filter, flex, flex-basis, flex-direction, flex-flow, flex-grow, flex-shrink, flex-wrap, float, font, font-family, font-feature-settings, font-kerning, font-language-override, font-size, font-size-adjust, font-stretch, font-style, font-synthesis, font-variant, font-variant-alternates, font-variant-caps, font-variant-east-asian, font-variant-ligatures, font-variant-numeric, font-variant-position, font-weight, gap, grid, grid-area, grid-auto-columns, grid-auto-flow, grid-auto-rows, grid-column, grid-column-end, grid-column-gap, grid-column-start, grid-gap, grid-row, grid-row-end, grid-row-gap, grid-row-start, grid-template, grid-template-areas, grid-template-columns, grid-template-rows, hanging-punctuation, height, hyphens, image-rendering, isolation, justify-content, left, letter-spacing, line-break, line-height, list-style, list-style-image, list-style-position, list-style-type, margin, margin-bottom, margin-left, margin-right, margin-top, mask, mask-clip, mask-composite, mask-image, mask-mode, mask-origin, mask-position, mask-repeat, mask-size, mask-type, max-height, max-width, min-height, min-width, mix-blend-mode, object-fit, object-position, opacity, order, orphans, outline, outline-color, outline-offset, outline-style, outline-width, overflow, overflow-wrap, overflow-x, overflow-y, padding, padding-bottom, padding-left, padding-right, padding-top, page-break-after, page-break-before, page-break-inside, perspective, perspective-origin, pointer-events, position, quotes, resize, right, row-gap, scroll-behavior, tab-size, table-layout, text-align, text-align-last, text-combine-upright, text-decoration, text-decoration-color, text-decoration-line, text-decoration-skip, text-decoration-style, text-indent, text-justify, text-orientation, text-overflow, text-shadow, text-transform, text-underline-position, top, transform, transform-origin, transform-style, transition, transition-delay, transition-duration, transition-property, transition-timing-function, unicode-bidi, user-select, vertical-align, visibility, white-space, widows, width, word-break, word-spacing, word-wrap, writing-mode, z-index

CSS at-rules allowed by default

namespace, style

style refers to style declarations within other at-rules such as @media. Disallowing @namespace while allowing other types of at-rules can lead to errors. Property declarations in @font-face and @viewport are not sanitized.

Note: the style tag is disallowed by default.

URI schemes allowed by default

http, https

Note: Protocol-relative URLs (e.g. <a href="//github.com">//github.com</a>) are allowed by default (as are other relative URLs).

to allow mailto: links:

sanitizer.AllowedSchemes.Add("mailto");

Default attributes that contain URIs

action, background, dynsrc, href, lowsrc, src

Thread safety

The Sanitize() and SanitizeDocument() methods are thread-safe, i.e. you can use these methods on a single shared instance from different threads provided you do not simultaneously set instance or static properties. A typical use case is that you prepare an HtmlSanitizer instance once (i.e. set desired properties such as AllowedTags etc.) from a single thread, then call Sanitize()/SanitizeDocument() from multiple threads.

Text content not necessarily preserved as-is

Please note that as the input is parsed by AngleSharp's HTML parser and then rendered back out, you cannot expect the text content to be preserved exactly as it was input, even if no elements or attributes were removed. Examples:

  • 4 < 5 becomes 4 &lt; 5
  • <SPAN>test</p> becomes <span>test<p></p></span>
  • <span title='test'>test</span> becomes <span title="test">test</span>

On the other hand, although some broken HTML is fixed by the parser, the output might still contain invalid HTML. Examples:

  • <div><li>test</li></div>
  • <ul><br><li>test</li></ul>
  • <h3><p>test</p></h3>

License

MIT License

Product Compatible and additional computed target framework versions.
.NET net5.0 was computed.  net5.0-windows was computed.  net6.0 was computed.  net6.0-android was computed.  net6.0-ios was computed.  net6.0-maccatalyst was computed.  net6.0-macos was computed.  net6.0-tvos was computed.  net6.0-windows was computed.  net7.0 was computed.  net7.0-android was computed.  net7.0-ios was computed.  net7.0-maccatalyst was computed.  net7.0-macos was computed.  net7.0-tvos was computed.  net7.0-windows was computed.  net8.0 was computed.  net8.0-android was computed.  net8.0-browser was computed.  net8.0-ios was computed.  net8.0-maccatalyst was computed.  net8.0-macos was computed.  net8.0-tvos was computed.  net8.0-windows was computed. 
.NET Core netcoreapp2.0 was computed.  netcoreapp2.1 was computed.  netcoreapp2.2 was computed.  netcoreapp3.0 was computed.  netcoreapp3.1 was computed. 
.NET Standard netstandard2.0 is compatible.  netstandard2.1 was computed. 
.NET Framework net461 is compatible.  net462 was computed.  net463 was computed.  net47 was computed.  net471 was computed.  net472 was computed.  net48 was computed.  net481 was computed. 
MonoAndroid monoandroid was computed. 
MonoMac monomac was computed. 
MonoTouch monotouch was computed. 
Tizen tizen40 was computed.  tizen60 was computed. 
Xamarin.iOS xamarinios was computed. 
Xamarin.Mac xamarinmac was computed. 
Xamarin.TVOS xamarintvos was computed. 
Xamarin.WatchOS xamarinwatchos was computed. 
Compatible target framework(s)
Included target framework(s) (in package)
Learn more about Target Frameworks and .NET Standard.

NuGet packages (135)

Showing the top 5 NuGet packages that depend on HtmlSanitizer:

Package Downloads
FenixAlliance.ACL.Dependencies

Application Component for the Alliance Business Suite.

OrchardCore.Infrastructure

Orchard Core CMS is a Web Content Management System (CMS) built on top of the Orchard Core Framework. Implementation for OrchardCoreCMS Infrastructure

Kentico.Xperience.AspNetCore.WebApp

Contains assemblies and content items required to integrate Kentico Xperience into ASP.NET Core applications.

OrchardCore.Application.Cms.Core.Targets

Orchard Core CMS is a Web Content Management System (CMS) built on top of the Orchard Core Framework. Converts the application into a modular OrchardCore CMS application with TheAdmin theme but without any front-end Themes.

TheTheme

Orchard Core CMS is a Web Content Management System (CMS) built on top of the Orchard Core Framework. The default Theme - Can be used as base theme for new themes.

GitHub repositories (27)

Showing the top 5 popular GitHub repositories that depend on HtmlSanitizer:

Repository Stars
abpframework/abp
Open-source web application framework for ASP.NET Core! Offers an opinionated architecture to build enterprise software solutions with best practices on top of the .NET. Provides the fundamental infrastructure, cross-cutting-concern implementations, startup templates, application modules, UI themes, tooling and documentation.
aspnetboilerplate/aspnetboilerplate
ASP.NET Boilerplate - Web Application Framework
dodyg/practical-aspnetcore
Practical samples of ASP.NET Core 9, 8.0, 7.0, 6.0, 5.0, 3.1, 2.2, and 2.1,projects you can use. Readme contains explanations on all projects.
OrchardCMS/OrchardCore
Orchard Core is an open-source modular and multi-tenant application framework built with ASP.NET Core, and a content management system (CMS) built on top of that framework.
btcpayserver/btcpayserver
Accept Bitcoin payments. Free, open-source & self-hosted, Bitcoin payment processor.
Version Downloads Last updated
8.2.871-beta 45,138 7/26/2024
8.1.870 1,439,445 7/26/2024
8.1.866-beta 55,138 4/16/2024
8.1.860-beta 25,670 3/18/2024
8.1.844-beta 94,887 2/12/2024
8.1.839-beta 4,517 2/1/2024
8.1.812-beta 109,954 12/20/2023
8.1.796-beta 105,669 11/24/2023
8.1.748-beta 41,546 10/27/2023
8.1.747-beta 4,758 10/24/2023
8.1.745-beta 557 10/23/2023
8.1.722-beta 9,522 10/4/2023
8.1.719-beta 1,021 9/25/2023 8.1.719-beta has at least one vulnerability with moderate severity.
8.1.717-beta 936 9/25/2023 8.1.717-beta has at least one vulnerability with moderate severity.
8.0.865 2,176,155 4/16/2024
8.0.843 1,565,392 2/12/2024
8.0.838 358,176 2/1/2024
8.0.811 1,076,028 12/20/2023
8.0.795 1,175,520 11/24/2023
8.0.746 3,321,564 10/24/2023
8.0.744 96,938 10/23/2023
8.0.723 2,050,490 10/4/2023
8.0.718 86,710 9/25/2023 8.0.718 has at least one vulnerability with moderate severity.
8.0.692 751,579 8/3/2023 8.0.692 has at least one vulnerability with moderate severity.
8.0.691-beta 1,865 8/3/2023 8.0.691-beta has at least one vulnerability with moderate severity.
8.0.690-beta 695 8/3/2023 8.0.690-beta has at least one vulnerability with moderate severity.
8.0.645 3,823,978 1/17/2023 8.0.645 has at least one vulnerability with moderate severity.
8.0.601 2,007,306 10/12/2022 8.0.601 has at least one vulnerability with moderate severity.
7.1.542 2,390,097 7/12/2022 7.1.542 has at least one vulnerability with moderate severity.
7.1.512 1,205,671 6/3/2022 7.1.512 has at least one vulnerability with moderate severity.
7.1.509 55,182 6/1/2022 7.1.509 has at least one vulnerability with moderate severity.
7.1.488 2,391,335 2/24/2022 7.1.488 has at least one vulnerability with moderate severity.
7.1.475 637,866 1/25/2022 7.1.475 has at least one vulnerability with moderate severity.
7.0.473 526,466 1/6/2022 7.0.473 has at least one vulnerability with moderate severity.
7.0.470-beta 65,646 12/1/2021 7.0.470-beta has at least one vulnerability with moderate severity.
6.0.453 2,050,246 11/3/2021 6.0.453 has at least one vulnerability with moderate severity.
6.0.441 2,406,430 8/11/2021 6.0.441 has at least one vulnerability with moderate severity.
6.0.437 315,103 8/6/2021 6.0.437 has at least one vulnerability with moderate severity.
6.0.430-beta 74,018 6/14/2021 6.0.430-beta has at least one vulnerability with moderate severity.
6.0.423-beta 956 6/12/2021 6.0.423-beta has at least one vulnerability with moderate severity.
6.0.409-beta 3,714 4/23/2021 6.0.409-beta has at least one vulnerability with moderate severity.
5.0.404 2,248,060 4/23/2021 5.0.404 has at least one vulnerability with moderate severity.
5.0.376 3,114,540 1/15/2021 5.0.376 has at least one vulnerability with moderate severity.
5.0.372 1,451,728 12/23/2020 5.0.372 has at least one vulnerability with moderate severity.