How to sanitize input from MCE in ASP.NET?

灰色年华 2020-12-11 06:41

Is there a utility/function in C# to sanitize the source code of tinyMCE rich text. I would like to remove dangerous tags but like to whitelist safe html tags.

2 answers
  • 2020-12-11 07:31

    I don't think there is a built-in sanitizer for C# that you can use, but here is what I did when I had the same issue. I used the HtmlAgilityPackSanitizerProvider which comes with AjaxControlToolkit. Code looks like this:

    // At the top of the file: Dictionary<,> lives in System.Collections.Generic.
    using System.Collections.Generic;

    // The HtmlAgilityPack-based sanitizer shipped with AjaxControlToolkit.
    private static AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider sanitizer =
        new AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider();

    // Allowed elements, each mapped to the attributes permitted on that element.
    private static Dictionary<string, string[]> elementWhitelist = new Dictionary<string, string[]>
    {
        {"b"            , new string[] { "style" }},
        {"strong"       , new string[] { "style" }},
        {"i"            , new string[] { "style" }},
        {"em"           , new string[] { "style" }},
        {"u"            , new string[] { "style" }},
        {"strike"       , new string[] { "style" }},
        {"sub"          , new string[] { "style" }},
        {"sup"          , new string[] { "style" }},
        {"p"            , new string[] { "align" }},
        {"div"          , new string[] { "style", "align" }},
        {"ol"           , new string[] { }},
        {"li"           , new string[] { }},
        {"ul"           , new string[] { }},
        {"a"            , new string[] { "href" }},
        {"font"         , new string[] { "style", "face", "size", "color" }},
        {"span"         , new string[] { "style" }},
        {"blockquote"   , new string[] { "style", "dir" }},
        {"hr"           , new string[] { "size", "width", "id" }},
        {"img"          , new string[] { "src" }},
        {"h1"           , new string[] { "style" }},
        {"h2"           , new string[] { "style" }},
        {"h3"           , new string[] { "style" }},
        {"h4"           , new string[] { "style" }},
        {"h5"           , new string[] { "style" }},
        {"h6"           , new string[] { "style" }}
    };

    // Allowed attribute names; the value arrays are not used here, so they stay empty.
    private static Dictionary<string, string[]> attributeWhitelist = new Dictionary<string, string[]>
    {
        {"style"    , new string[] {}},
        {"align"    , new string[] {}},
        {"href"     , new string[] {}},
        {"face"     , new string[] {}},
        {"size"     , new string[] {}},
        {"color"    , new string[] {}},
        {"dir"      , new string[] {}},
        {"width"    , new string[] {}},
        {"id"       , new string[] {}},
        {"src"      , new string[] {}}
    };

    // Returns a fragment containing only whitelisted elements and attributes.
    public string SanitizeHtmlInput(string unsafeStr)
    {
        return sanitizer.GetSafeHtmlFragment(unsafeStr, elementWhitelist, attributeWhitelist);
    }

    Hope this helps.

  • 2020-12-11 07:37

    Sanitizing an Html document involves a lot of tricky things. This package may be of help: https://github.com/mganss/HtmlSanitizer I use it for a project of my own.

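As an added example (not code from either answer), here is the allowlist approach of the first answer expressed with the mganss/HtmlSanitizer package mentioned in the second, with two controls that an element/attribute allowlist on its own does not give you: which URL schemes are accepted in href/src, and which CSS properties are accepted inside a style attribute. Assumed: the HtmlSanitizer NuGet package is referenced and its namespace is Ganss.Xss (releases before 8.0 used Ganss.XSS); the class name RichTextSanitizer, the CSS property list and the sample input are mine.

```csharp
// Added example: mganss/HtmlSanitizer configured as an allowlist for TinyMCE output.
// Assumes the HtmlSanitizer NuGet package; namespace Ganss.Xss (Ganss.XSS before v8).
using System;
using Ganss.Xss;

public static class RichTextSanitizer
{
    private static readonly HtmlSanitizer Sanitizer = Build();

    private static HtmlSanitizer Build()
    {
        var s = new HtmlSanitizer();

        // Empty every default set so that only what is listed below survives.
        s.AllowedTags.Clear();
        s.AllowedAttributes.Clear();
        s.AllowedCssProperties.Clear();
        s.AllowedSchemes.Clear();

        // Elements a rich-text editor legitimately produces (same spirit as the first answer).
        s.AllowedTags.UnionWith(new[]
        {
            "b", "strong", "i", "em", "u", "sub", "sup",
            "p", "div", "ol", "ul", "li", "a", "span", "blockquote", "hr", "img",
            "h1", "h2", "h3", "h4", "h5", "h6"
        });

        // Attributes kept on those elements; anything else (e.g. on* event handlers) is dropped.
        s.AllowedAttributes.UnionWith(new[] { "href", "src", "align", "dir", "style" });

        // style= is allowed, but only these properties inside it (constructed list for this example).
        s.AllowedCssProperties.UnionWith(new[]
        {
            "color", "font-weight", "font-style", "text-decoration", "text-align"
        });

        // href/src values must use one of these schemes; javascript:, data:, vbscript: are removed.
        s.AllowedSchemes.UnionWith(new[] { "http", "https", "mailto" });

        return s;
    }

    /// <summary>Returns a fragment containing only the allowed elements, attributes, CSS and URL schemes.</summary>
    public static string Sanitize(string unsafeHtml) => Sanitizer.Sanitize(unsafeHtml);

    public static void Main()
    {
        // Constructed sample of what an editor round-trip might submit.
        const string input =
            "<p style=\"color:red;position:fixed\">Hello <b>world</b></p>"
            + "<a href=\"javascript:void(0)\" onclick=\"bad()\">link</a>"
            + "<script>bad()</script>"
            + "<img src=\"https://example.com/a.png\">";

        Console.WriteLine(Sanitize(input));
    }
}
```

Running Main prints the cleaned fragment: the script element and the onclick attribute are removed because they are absent from AllowedTags and AllowedAttributes, the javascript: href is removed because its scheme is not in AllowedSchemes, position:fixed is stripped from the style while color:red survives, and the https image is kept. Call Sanitize on the editor content server-side before storing or rendering it, and treat the allowlists as the policy to review whenever a new editor feature is enabled.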