How to sanitize input from MCE in ASP.NET?

2019-01-19 22:42发布

站内问答 / C#
1316 2 5

Is there a utility/function in C# to sanitize the source code of tinyMCE rich text. I would like to remove dangerous tags but like to whitelist safe html tags.

2条回答
聊天终结者
2楼-- · 2019-01-19 22:59

I don't think there is a built-in sanitizer for C# that you can use but here is what i did when i had the same issue. I used the HtmlAgilityPackSanitizerProvider which comes with AjaxControlToolkit. Code looks like this:

private static AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider sanitizer = new AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider();

private static Dictionary<string, string[]> elementWhitelist = new Dictionary<string, string[]>
{
    {"b"            , new string[] { "style" }},
    {"strong"       , new string[] { "style" }},
    {"i"            , new string[] { "style" }},
    {"em"           , new string[] { "style" }},
    {"u"            , new string[] { "style" }},
    {"strike"       , new string[] { "style" }},
    {"sub"          , new string[] { "style" }},
    {"sup"          , new string[] { "style" }},
    {"p"            , new string[] { "align" }},
    {"div"          , new string[] { "style", "align" }},
    {"ol"           , new string[] { }},
    {"li"           , new string[] { }},
    {"ul"           , new string[] { }},
    {"a"            , new string[] { "href" }},
    {"font"         , new string[] { "style", "face", "size", "color" }},
    {"span"         , new string[] { "style" }},
    {"blockquote"   , new string[] { "style", "dir" }},
    {"hr"           , new string[] { "size", "width", "id" }},
    {"img"          , new string[] { "src" }},
    {"h1"           , new string[] { "style" }},
    {"h2"           , new string[] { "style" }},
    {"h3"           , new string[] { "style" }},
    {"h4"           , new string[] { "style" }},
    {"h5"           , new string[] { "style" }},
    {"h6"           , new string[] { "style" }}
};

private static Dictionary<string, string[]> attributeWhitelist = new Dictionary<string, string[]>
{
    {"style"    , new string[] {}},
    {"align"    , new string[] {}},
    {"href"     , new string[] {}},
    {"face"     , new string[] {}},
    {"size"     , new string[] {}},
    {"color"    , new string[] {}},
    {"dir"      , new string[] {}},
    {"width"    , new string[] {}},
    {"id"       , new string[] {}},
    {"src"      , new string[] {}}
};

public string SanitizeHtmlInput(string unsafeStr)
{
    return sanitizer.GetSafeHtmlFragment(unsafeStr, elementWhitelist, attributeWhitelist);
}

Hope this helps.

查看更多
0人赞 添加讨论(0) 举报
闹够了就滚
3楼-- · 2019-01-19 23:04

Sanitizing an Html document involves a lot of tricky things. This package maybe of help: https://github.com/mganss/HtmlSanitizer I use it for a project of my own.

查看更多
0人赞 添加讨论(0) 举报
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(5)