-
Notifications
You must be signed in to change notification settings - Fork 201
Home
HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. It uses AngleSharp to parse, manipulate, and render HTML and CSS.
Because HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental "tag poisoning," where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.
In order to facilitate different use cases, HtmlSanitizer can be customized at several levels:
- Configure allowed HTML tags through the property
AllowedTags
. All other tags will be stripped. - Configure allowed HTML attributes through the property
AllowedAttributes
. All other attributes will be stripped. - Configure allowed CSS property names through the property
AllowedCssProperties
. All other styles will be stripped. - Configure allowed CSS at-rules through the property
AllowedAtRules
. All other at-rules will be stripped. - Configure allowed URI schemes through the property
AllowedSchemes
. All other URIs will be stripped. - Configure HTML attributes that contain URIs (such as
src
,href
, etc.) through the propertyUriAttributes
. - Provide a base URI that will be used to resolve relative URIs against.
- Cancelable events are raised before a tag, attribute, or style is removed. See the Hooks topic for a breakdown of available events.
The simplest method to start using HtmlSanitizer is to add the NuGet package noted below. The Getting Started page has a more detailed breakdown, including alternative methods for adding HtmlSanitizer to your project.
Available as a NuGet package:
Install-Package HtmlSanitizer
See the Options topic for a breakdown of available options, including the tags, attributes, and styles allowed by default.
The Examples topic contains examples based on the most frequently asked questions in the Issues list. You can also find examples of how HtmlSanitizer works in the test suite.