Sanitizer does not remove javascript reference from href tag #570
Description
// See https://aka.ms/new-console-template for more information
using Ganss.Xss;
using System.Collections.Immutable;
public partial class Program
{
static void Main()
{
string input = @"<a href='javascript:alert(11)'>click here</a> <img src=x onerror='alert(11)'> ";
string[] safeHtmlAttributes = new string[] {
"href","src"
};
HashSet<string> safeHtmlTags = new HashSet<string> {"img", "a"};
var _htmlSanitizer = new ThreadLocal<Ganss.Xss.HtmlSanitizer>(() => new Ganss.Xss.HtmlSanitizer(new HtmlSanitizerOptions() { AllowedTags = safeHtmlTags.ToImmutableHashSet(), AllowedAttributes = safeHtmlAttributes.ToImmutableHashSet() })
{
OutputFormatter = Ganss.Xss.HtmlSanitizer.DefaultOutputFormatter
});
var sanitizer = new HtmlSanitizer();
// Ensure script-related attributes are removed
sanitizer.AllowedAttributes.Remove("onerror");
string sanitizedOutput = _htmlSanitizer.Value.Sanitize(input);
Console.WriteLine("Original Input: " + input);
Console.WriteLine("Sanitized Output: " + sanitizedOutput);
}
}
Hi team, I am using following code to sanitize HTML as I have some custom attributes and tags which I want to specify not to be removed/sanitized.
When I am sanitizing HTML that time it is not removing href attribute with javascript alert.
Can you please help us to sanitize it.