
[Blazor, NET5] Tags are sanitized differently from .NET Framework #298

Closed
vankampenp opened this issue Aug 9, 2021 · 5 comments

Comments

@vankampenp

When running the following code in the default .NET fiddle with .NET 4.7.2:

```csharp
using System;
using Ganss.XSS;

public class Program
{
    public static void Main()
    {
        var sanitizer = new HtmlSanitizer();
        // Input mixes a script tag, an inline event handler, a javascript: URL
        // inside a CSS url() and two style attributes.
        var html = @"<script>alert('xss')</script><div onload=""alert('xss')"""
            + @"style=""background-color: test"">Test<img src=""test.gif"""
            + @"style=""background-image: url(javascript:alert('xss')); margin: 10px""></div>";
        // Second argument is the base URL used to resolve relative src/href values.
        var sanitized = sanitizer.Sanitize(html, "http://www.example.com");
        Console.WriteLine(sanitized);
    }
}
```

The output is as expected:
<div style="background-color: test">Test<img src="http://www.example.com/test.gif" style="margin: 10px"></div>

However, when changing to .NET 5 and HtmlSanitizer 6.0.437 the output is stripped of the style attributes:

<div>Test<img src="http://www.example.com/test.gif" style="margin: 10px"></div>

The same happens in my own code in Blazor with .NET 5.

@mganss
Owner

mganss commented Aug 10, 2021

The .NET fiddle seems to be using an older version (I can't tell which one exactly). The output you're seeing with the latest version of HtmlSanitizer is what's expected (see also AngleSharp/AngleSharp#101). I'll update the fiddle.

mganss added a commit that referenced this issue Aug 10, 2021
@vankampenp
Author

Thx, that clarifies.
What I was trying to do is this:

```csharp
using System;
using Ganss.XSS;

public class Program
{
    public static void Main()
    {
        var sanitizer = new HtmlSanitizer();
        // Only the font-size value differs between the working and failing case.
        var html = @"<span style=""font-size: xxx-large;"">Flexibiliteits Index Test (FIT-60)</span>";
        var sanitized = sanitizer.Sanitize(html);
        Console.WriteLine(sanitized);
    }
}
```

Here the font-size is removed. When I change the font-size to xx-large it works. It seems xxx-large is seen as an illegal property.

@mganss
Owner

mganss commented Aug 10, 2021

It seems this is unsupported by AngleSharp.Css because it's fairly new (e.g. currently unsupported by Safari and others, too). I've opened an issue here: AngleSharp/AngleSharp.Css#77

@vankampenp
Author

Thx, it comes from a component I am using.

For now, I will do a search and replace:

```csharp
return sanitizer.Sanitize(html.Replace("xxx-large", "48px", StringComparison.CurrentCultureIgnoreCase));
```
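Editor's note, added to this thread and not part of the original posts or of the HtmlSanitizer project: the one-line workaround above calls `String.Replace` on the whole markup, so it also rewrites the keyword wherever it appears in visible text or in attributes other than `style`. The example below, written for this page, puts the two approaches side by side: the blanket replace, and a variant that parses the fragment with AngleSharp (already a dependency of HtmlSanitizer), rewrites only `style` attribute values, serializes, and then sanitizes. Sanitization runs last in both variants, so the rewrite cannot reintroduce anything the sanitizer would have removed. The `LegacyKeywords` map and the `48px` figure are assumptions (the value is the one chosen in the thread); the code assumes HtmlSanitizer 6.0.x on .NET 5, where the `String.Replace(string, string, StringComparison)` overload is available.

```csharp
// Added example for this page; not code from the issue author or the HtmlSanitizer project.
// Assumes the HtmlSanitizer 6.0.x package (namespace Ganss.XSS) and its AngleSharp
// dependency are referenced and the project targets .NET 5.
using System;
using System.Collections.Generic;
using AngleSharp.Html.Parser;
using Ganss.XSS;

public static class StyleNormalizer
{
    // Assumed mapping from CSS keywords the parser rejected at the time of the thread
    // to absolute sizes. 48px is the value picked in the thread; adjust as needed.
    static readonly Dictionary<string, string> LegacyKeywords =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            ["xxx-large"] = "48px",
        };

    // Variant 1: the thread's approach. Rewrites every occurrence in the raw markup,
    // including visible text and unrelated attributes, then sanitizes.
    public static string SanitizeWithStringReplace(string html)
    {
        foreach (var kv in LegacyKeywords)
            html = html.Replace(kv.Key, kv.Value, StringComparison.OrdinalIgnoreCase);

        var sanitizer = new HtmlSanitizer();
        return sanitizer.Sanitize(html);
    }

    // Variant 2: parse first, touch only style attribute values, serialize the body,
    // and sanitize the result. Text nodes and other attributes are left alone.
    public static string SanitizeWithStyleRewrite(string html)
    {
        var parser = new HtmlParser();
        var document = parser.ParseDocument(html);

        foreach (var element in document.QuerySelectorAll("[style]"))
        {
            var style = element.GetAttribute("style");
            foreach (var kv in LegacyKeywords)
                style = style.Replace(kv.Key, kv.Value, StringComparison.OrdinalIgnoreCase);
            element.SetAttribute("style", style);
        }

        // Sanitize after the rewrite so the normalized fragment still goes through
        // the full tag, attribute, style and URL filtering.
        var sanitizer = new HtmlSanitizer();
        return sanitizer.Sanitize(document.Body.InnerHtml);
    }

    public static void Main()
    {
        // Constructed input: the keyword appears both as visible text and as a CSS value.
        var html = @"<p>Pick the xxx-large option.</p>"
                 + @"<span style=""font-size: xxx-large;"">Flexibiliteits Index Test (FIT-60)</span>";

        Console.WriteLine("String replace over the whole markup:");
        Console.WriteLine(SanitizeWithStringReplace(html));

        Console.WriteLine("Rewrite limited to style attributes:");
        Console.WriteLine(SanitizeWithStyleRewrite(html));
    }
}
```

With the constructed input, the first variant also changes the paragraph text, while the second leaves it intact and only rewrites the span's font-size. Neither variant bypasses the sanitizer; if a keyword mapping produces a value the CSS parser still rejects, that declaration is dropped exactly as in the thread.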

@mganss
Owner

mganss commented Aug 11, 2021

Fixed in 6.0.441 via AngleSharp 0.16.1

@mganss mganss closed this as completed Aug 11, 2021