{"id":13431585,"url":"https://github.com/mganss/HtmlSanitizer","last_synced_at":"2025-03-16T12:30:40.369Z","repository":{"id":9148677,"uuid":"10942116","full_name":"mganss/HtmlSanitizer","owner":"mganss","description":"Cleans HTML to avoid XSS attacks","archived":false,"fork":false,"pushed_at":"2025-01-29T17:18:21.000Z","size":2694,"stargazers_count":1597,"open_issues_count":18,"forks_count":205,"subscribers_count":55,"default_branch":"master","last_synced_at":"2025-03-13T02:03:09.498Z","etag":null,"topics":["html","sanitizer","xss"],"latest_commit_sha":null,"homepage":null,"language":"C#","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mganss.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2013-06-25T15:20:43.000Z","updated_at":"2025-03-09T19:44:18.000Z","dependencies_parsed_at":"2023-10-17T12:23:18.525Z","dependency_job_id":"ec94be36-2945-4820-9e40-cab93e476edc","html_url":"https://github.com/mganss/HtmlSanitizer","commit_stats":{"total_commits":537,"total_committers":27,"mean_commits":19.88888888888889,"dds":"0.46368715083798884","last_synced_commit":"1c05d6ccf98cd69ef08f2b4942f03fd680f78a80"},"previous_names":[],"tags_count":210,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mganss%2FHtmlSanitizer","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mganss%2FHtmlSanitizer/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mganss%2FHtmlSanitizer/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/h
osts/GitHub/repositories/mganss%2FHtmlSanitizer/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mganss","download_url":"https://codeload.github.com/mganss/HtmlSanitizer/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":243869178,"owners_count":20360967,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["html","sanitizer","xss"],"created_at":"2024-07-31T02:01:04.296Z","updated_at":"2025-03-16T12:30:39.987Z","avatar_url":"https://github.com/mganss.png","language":"C#","funding_links":[],"categories":["Frameworks, Libraries and Tools","html","Security","C\\#","框架, 库和工具","C# #","Libraries"],"sub_categories":["Security","安全"],"readme":"HtmlSanitizer\n=============\n\n[![NuGet version](https://badge.fury.io/nu/HtmlSanitizer.svg)](https://badge.fury.io/nu/HtmlSanitizer)\n[![Build status](https://ci.appveyor.com/api/projects/status/418bmfx643iae00c/branch/master?svg=true)](https://ci.appveyor.com/project/mganss/htmlsanitizer/branch/master)\n[![codecov.io](https://codecov.io/github/mganss/HtmlSanitizer/coverage.svg?branch=master)](https://codecov.io/github/mganss/HtmlSanitizer?branch=master)\n[![Sonarcloud Quality 
Gate](https://sonarcloud.io/api/project_badges/measure?project=mganss_HtmlSanitizer\u0026metric=alert_status)](https://sonarcloud.io/dashboard?id=mganss_HtmlSanitizer)\n\n[![netstandard2.0](https://img.shields.io/badge/netstandard-2.0-brightgreen.svg)](https://img.shields.io/badge/netstandard-2.0-brightgreen.svg)\n[![net46](https://img.shields.io/badge/net-461-brightgreen.svg)](https://img.shields.io/badge/net-461-brightgreen.svg)\n\nHtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to [XSS attacks](https://en.wikipedia.org/wiki/Cross-site_scripting).\nIt uses [AngleSharp](https://github.com/AngleSharp/AngleSharp) to parse, manipulate, and render HTML and CSS.\n\nBecause HtmlSanitizer is based on a robust HTML parser it can also shield you from deliberate or accidental\n\"tag poisoning\" where invalid HTML in one fragment can corrupt the whole document leading to broken layout or style.\n\nIn order to facilitate different use cases, HtmlSanitizer can be customized at several levels:\n   \n- Configure allowed HTML tags through the property `AllowedTags`. All other tags will be stripped.\n- Configure allowed HTML attributes through the property `AllowedAttributes`. All other attributes will be stripped.\n- Configure allowed CSS property names through the property `AllowedCssProperties`. All other styles will be stripped.\n- Configure allowed CSS [at-rules](https://developer.mozilla.org/en-US/docs/Web/CSS/At-rule) through the property `AllowedAtRules`. All other at-rules will be stripped.\n- Configure allowed URI schemes through the property `AllowedSchemes`. All other URIs will be stripped.\n- Configure HTML attributes that contain URIs (such as \"src\", \"href\" etc.) 
through the property `UriAttributes`.\n- Provide a base URI that will be used to resolve relative URIs against.\n- Cancelable events are raised before a tag, attribute, or style is removed.\n\nUsage\n-----\n\nInstall the [HtmlSanitizer NuGet package](https://www.nuget.org/packages/HtmlSanitizer/). Then:\n\n```C#\nusing Ganss.Xss;\nvar sanitizer = new HtmlSanitizer();\nvar html = @\"\u003cscript\u003ealert('xss')\u003c/script\u003e\u003cdiv onload=\"\"alert('xss')\"\"\"\n    + @\"style=\"\"background-color: rgba(0, 0, 0, 1)\"\"\u003eTest\u003cimg src=\"\"test.png\"\"\"\n    + @\"style=\"\"background-image: url(javascript:alert('xss')); margin: 10px\"\"\u003e\u003c/div\u003e\";\nvar sanitized = sanitizer.Sanitize(html, \"https://www.example.com\");\nvar expected = @\"\u003cdiv style=\"\"background-color: rgba(0, 0, 0, 1)\"\"\u003e\"\n    + @\"Test\u003cimg src=\"\"https://www.example.com/test.png\"\" style=\"\"margin: 10px\"\"\u003e\u003c/div\u003e\";\nAssert.Equal(expected, sanitized);\n```\n\nThere's an [online demo](https://xss.ganss.org/), plus there's also a [.NET Fiddle](https://dotnetfiddle.net/892nOk) you can play with.\n\nMore example code and a description of possible options can be found in the [Wiki](https://github.com/mganss/HtmlSanitizer/wiki).\n\n### Tags allowed by 
default\n`a`,\n`abbr`,\n`acronym`,\n`address`,\n`area`,\n`article`,\n`aside`,\n`b`,\n`bdi`,\n`big`,\n`blockquote`,\n`body`,\n`br`,\n`button`,\n`caption`,\n`center`,\n`cite`,\n`code`,\n`col`,\n`colgroup`,\n`data`,\n`datalist`,\n`dd`,\n`del`,\n`details`,\n`dfn`,\n`dir`,\n`div`,\n`dl`,\n`dt`,\n`em`,\n`fieldset`,\n`figcaption`,\n`figure`,\n`font`,\n`footer`,\n`form`,\n`h1`,\n`h2`,\n`h3`,\n`h4`,\n`h5`,\n`h6`,\n`head`,\n`header`,\n`hr`,\n`html`,\n`i`,\n`img`,\n`input`,\n`ins`,\n`kbd`,\n`keygen`,\n`label`,\n`legend`,\n`li`,\n`main`,\n`map`,\n`mark`,\n`menu`,\n`menuitem`,\n`meter`,\n`nav`,\n`ol`,\n`optgroup`,\n`option`,\n`output`,\n`p`,\n`pre`,\n`progress`,\n`q`,\n`rp`,\n`rt`,\n`ruby`,\n`s`,\n`samp`,\n`section`,\n`select`,\n`small`,\n`span`,\n`strike`,\n`strong`,\n`sub`,\n`summary`,\n`sup`,\n`table`,\n`tbody`,\n`td`,\n`textarea`,\n`tfoot`,\n`th`,\n`thead`,\n`time`,\n`tr`,\n`tt`,\n`u`,\n`ul`,\n`var`,\n`wbr`\n\n### Attributes allowed by default\n`abbr`,\n`accept-charset`,\n`accept`,\n`accesskey`,\n`action`,\n`align`,\n`alt`,\n`autocomplete`,\n`autosave`,\n`axis`,\n`bgcolor`,\n`border`,\n`cellpadding`,\n`cellspacing`,\n`challenge`,\n`char`,\n`charoff`,\n`charset`,\n`checked`,\n`cite`,\n`clear`,\n`color`,\n`cols`,\n`colspan`,\n`compact`,\n`contenteditable`,\n`coords`,\n`datetime`,\n`dir`,\n`disabled`,\n`draggable`,\n`dropzone`,\n`enctype`,\n`for`,\n`frame`,\n`headers`,\n`height`,\n`high`,\n`href`,\n`hreflang`,\n`hspace`,\n`ismap`,\n`keytype`,\n`label`,\n`lang`,\n`list`,\n`longdesc`,\n`low`,\n`max`,\n`maxlength`,\n`media`,\n`method`,\n`min`,\n`multiple`,\n`name`,\n`nohref`,\n`noshade`,\n`novalidate`,\n`nowrap`,\n`open`,\n`optimum`,\n`pattern`,\n`placeholder`,\n`prompt`,\n`pubdate`,\n`radiogroup`,\n`readonly`,\n`rel`,\n`required`,\n`rev`,\n`reversed`,\n`rows`,\n`rowspan`,\n`rules`,\n`scope`,\n`selected`,\n`shape`,\n`size`,\n`span`,\n`spellcheck`,\n`src`,\n`start`,\n`step`,\n`style`,\n`summary`,\n`tabindex`,\n`target`,\n`title`,\n`type`,\n`usemap`,\n`valign`,\n`value`,\n`vspace`,\
n`width`,\n`wrap`\n\n_Note:_ to prevent [classjacking](https://html5sec.org/#123) and interference with classes where the sanitized fragment is to be integrated, the `class` attribute is disallowed by default. \nIt can be added as follows:\n```C#\nvar sanitizer = new HtmlSanitizer();\nsanitizer.AllowedAttributes.Add(\"class\");\nvar sanitized = sanitizer.Sanitize(html);\n```\n\n### CSS properties allowed by default\n`align-content`,\n`align-items`,\n`align-self`,\n`all`,\n`animation`,\n`animation-delay`,\n`animation-direction`,\n`animation-duration`,\n`animation-fill-mode`,\n`animation-iteration-count`,\n`animation-name`,\n`animation-play-state`,\n`animation-timing-function`,\n`backface-visibility`,\n`background`,\n`background-attachment`,\n`background-blend-mode`,\n`background-clip`,\n`background-color`,\n`background-image`,\n`background-origin`,\n`background-position`,\n`background-position-x`,\n`background-position-y`,\n`background-repeat`,\n`background-repeat-x`,\n`background-repeat-y`,\n`background-size`,\n`border`,\n`border-bottom`,\n`border-bottom-color`,\n`border-bottom-left-radius`,\n`border-bottom-right-radius`,\n`border-bottom-style`,\n`border-bottom-width`,\n`border-collapse`,\n`border-color`,\n`border-image`,\n`border-image-outset`,\n`border-image-repeat`,\n`border-image-slice`,\n`border-image-source`,\n`border-image-width`,\n`border-left`,\n`border-left-color`,\n`border-left-style`,\n`border-left-width`,\n`border-radius`,\n`border-right`,\n`border-right-color`,\n`border-right-style`,\n`border-right-width`,\n`border-spacing`,\n`border-style`,\n`border-top`,\n`border-top-color`,\n`border-top-left-radius`,\n`border-top-right-radius`,\n`border-top-style`,\n`border-top-width`,\n`border-width`,\n`bottom`,\n`box-decoration-break`,\n`box-shadow`,\n`box-sizing`,\n`break-after`,\n`break-before`,\n`break-inside`,\n`caption-side`,\n`caret-color`,\n`clear`,\n`clip`,\n`color`,\n`column-count`,\n`column-fill`,\n`column-gap`,\n`column-rule`,\n`column-rule-color`,\n`co
lumn-rule-style`,\n`column-rule-width`,\n`column-span`,\n`column-width`,\n`columns`,\n`content`,\n`counter-increment`,\n`counter-reset`,\n`cursor`,\n`direction`,\n`display`,\n`empty-cells`,\n`filter`,\n`flex`,\n`flex-basis`,\n`flex-direction`,\n`flex-flow`,\n`flex-grow`,\n`flex-shrink`,\n`flex-wrap`,\n`float`,\n`font`,\n`font-family`,\n`font-feature-settings`,\n`font-kerning`,\n`font-language-override`,\n`font-size`,\n`font-size-adjust`,\n`font-stretch`,\n`font-style`,\n`font-synthesis`,\n`font-variant`,\n`font-variant-alternates`,\n`font-variant-caps`,\n`font-variant-east-asian`,\n`font-variant-ligatures`,\n`font-variant-numeric`,\n`font-variant-position`,\n`font-weight`,\n`gap`,\n`grid`,\n`grid-area`,\n`grid-auto-columns`,\n`grid-auto-flow`,\n`grid-auto-rows`,\n`grid-column`,\n`grid-column-end`,\n`grid-column-gap`,\n`grid-column-start`,\n`grid-gap`,\n`grid-row`,\n`grid-row-end`,\n`grid-row-gap`,\n`grid-row-start`,\n`grid-template`,\n`grid-template-areas`,\n`grid-template-columns`,\n`grid-template-rows`,\n`hanging-punctuation`,\n`height`,\n`hyphens`,\n`image-rendering`,\n`isolation`,\n`justify-content`,\n`left`,\n`letter-spacing`,\n`line-break`,\n`line-height`,\n`list-style`,\n`list-style-image`,\n`list-style-position`,\n`list-style-type`,\n`margin`,\n`margin-bottom`,\n`margin-left`,\n`margin-right`,\n`margin-top`,\n`mask`,\n`mask-clip`,\n`mask-composite`,\n`mask-image`,\n`mask-mode`,\n`mask-origin`,\n`mask-position`,\n`mask-repeat`,\n`mask-size`,\n`mask-type`,\n`max-height`,\n`max-width`,\n`min-height`,\n`min-width`,\n`mix-blend-mode`,\n`object-fit`,\n`object-position`,\n`opacity`,\n`order`,\n`orphans`,\n`outline`,\n`outline-color`,\n`outline-offset`,\n`outline-style`,\n`outline-width`,\n`overflow`,\n`overflow-wrap`,\n`overflow-x`,\n`overflow-y`,\n`padding`,\n`padding-bottom`,\n`padding-left`,\n`padding-right`,\n`padding-top`,\n`page-break-after`,\n`page-break-before`,\n`page-break-inside`,\n`perspective`,\n`perspective-origin`,\n`pointer-events`,\n`position`,\n`q
`uotes`,\n`resize`,\n`right`,\n`row-gap`,\n`scroll-behavior`,\n`tab-size`,\n`table-layout`,\n`text-align`,\n`text-align-last`,\n`text-combine-upright`,\n`text-decoration`,\n`text-decoration-color`,\n`text-decoration-line`,\n`text-decoration-skip`,\n`text-decoration-style`,\n`text-indent`,\n`text-justify`,\n`text-orientation`,\n`text-overflow`,\n`text-shadow`,\n`text-transform`,\n`text-underline-position`,\n`top`,\n`transform`,\n`transform-origin`,\n`transform-style`,\n`transition`,\n`transition-delay`,\n`transition-duration`,\n`transition-property`,\n`transition-timing-function`,\n`unicode-bidi`,\n`user-select`,\n`vertical-align`,\n`visibility`,\n`white-space`,\n`widows`,\n`width`,\n`word-break`,\n`word-spacing`,\n`word-wrap`,\n`writing-mode`,\n`z-index`\n\n### CSS at-rules allowed by default\n`namespace`, `style`\n\n`style` refers to style declarations within other at-rules such as `@media`. Disallowing `@namespace` while allowing other types of at-rules can lead to errors.\nProperty declarations in `@font-face` and `@viewport` are not sanitized.\n\n_Note:_ the `style` tag is disallowed by default.\n\n### URI schemes allowed by default\n`http`, `https`\n\n_Note:_ [Protocol-relative URLs](https://en.wikipedia.org/wiki/Wikipedia:Protocol-relative_URL) (e.g. \u003ca href=\"//github.com\"\u003e//github.com\u003c/a\u003e) are allowed by default (as are other relative URLs).\n\nTo allow `mailto:` links:\n\n```C#\nsanitizer.AllowedSchemes.Add(\"mailto\");\n```\n\n### Default attributes that contain URIs\n`action`, `background`, `dynsrc`, `href`, `lowsrc`, `src`\n\n### Thread safety\n\nThe `Sanitize()` and `SanitizeDocument()` methods are thread-safe, i.e. you can use these methods on a single shared instance from different threads provided you do not simultaneously set instance or static properties. A typical use case is that you prepare an `HtmlSanitizer` instance once (i.e. set desired properties such as `AllowedTags` etc.) from a single thread, then call `Sanitize()`/`SanitizeDocument()` from multiple threads.\n\n### Text content not necessarily preserved as-is\n\nPlease note that as the input is parsed by AngleSharp's HTML parser and then rendered back out, you cannot expect the text content to be preserved exactly as it was input, even if no elements or attributes were removed. Examples:\n\n- `4 \u003c 5` becomes `4 \u0026lt; 5`\n- `\u003cSPAN\u003etest\u003c/p\u003e` becomes `\u003cspan\u003etest\u003cp\u003e\u003c/p\u003e\u003c/span\u003e`\n- `\u003cspan title='test'\u003etest\u003c/span\u003e` becomes `\u003cspan title=\"test\"\u003etest\u003c/span\u003e`\n\nOn the other hand, although some broken HTML is fixed by the parser, the output might still contain invalid HTML. Examples:\n\n- `\u003cdiv\u003e\u003cli\u003etest\u003c/li\u003e\u003c/div\u003e`\n- `\u003cul\u003e\u003cbr\u003e\u003cli\u003etest\u003c/li\u003e\u003c/ul\u003e`\n- `\u003ch3\u003e\u003cp\u003etest\u003c/p\u003e\u003c/h3\u003e`\n\nLicense\n-------\n\n[MIT License](https://en.wikipedia.org/wiki/MIT_License)\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmganss%2FHtmlSanitizer","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmganss%2FHtmlSanitizer","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmganss%2FHtmlSanitizer/lists"}