
RemovingTag event handler not triggering when stripping Body tags

Open ClintRemedios opened this issue 8 years ago • 2 comments

  1. Create a Sanitizer with the event handlers hooked up.
  2. Create HTML that contains body tags.
  3. Pass the HTML into Sanitize().

Expected: Body tags are stripped, and RemovingTag is triggered.

Actual: Body tags are stripped, and RemovingTag is not triggered.

ClintRemedios, Feb 09 '17 19:02

When you call Sanitize(), the HTML you pass in is treated as a fragment; that's why <body> and <head> are already stripped by the HTML parser, i.e. before HtmlSanitizer gets a chance to strip elements based on its whitelist (and possibly trigger events). If you want to sanitize an HTML document, call SanitizeDocument().

mganss, Feb 10 '17 13:02
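The fragment-versus-document distinction described in the comment above, as an added illustration that is not code from the issue or from the HtmlSanitizer project. It assumes the NuGet package's current `Ganss.Xss` namespace (older releases used `Ganss.XSS`) and uses a constructed sample input.

```csharp
using System;
using System.Collections.Generic;
using Ganss.Xss; // HtmlSanitizer package namespace; older versions used Ganss.XSS

class SanitizeModeDemo
{
    // Run one sanitizer call with the removal events hooked up and report what the handlers saw.
    static void Run(string label, Func<HtmlSanitizer, string, string> call, string html)
    {
        var sanitizer = new HtmlSanitizer();
        var removed = new List<string>();

        // RemovingTag/RemovingAttribute fire only for nodes the sanitizer itself removes,
        // i.e. nodes that survived parsing and then failed the whitelist.
        sanitizer.RemovingTag += (s, e) =>
            removed.Add("tag <" + e.Tag.TagName.ToLowerInvariant() + ">");
        sanitizer.RemovingAttribute += (s, e) =>
            removed.Add("attribute " + e.Attribute.Name + " on <" + e.Tag.TagName.ToLowerInvariant() + ">");

        var output = call(sanitizer, html);

        Console.WriteLine(label);
        Console.WriteLine("  output : " + output);
        Console.WriteLine("  events : " + (removed.Count == 0 ? "(none)" : string.Join(", ", removed)));
    }

    static void Main()
    {
        // Constructed sample: a body tag carrying an event-handler attribute, the kind of
        // input the reporter wants to detect through RemovingTag.
        var html = "<body onload=\"alert(1)\"><p>hello</p></body>";

        // Fragment mode: the HTML parser discards <body> before sanitization starts,
        // so no RemovingTag is raised for it (the behaviour reported in this issue).
        Run("Sanitize()", (s, h) => s.Sanitize(h), html);

        // Document mode: <body> survives parsing and reaches the sanitizer, so the
        // removal handlers get a chance to observe what is stripped.
        Run("SanitizeDocument()", (s, h) => s.SanitizeDocument(h), html);
    }
}
```

Comparing the two event lists shows why a stripped-content detector based on RemovingTag alone is blind to tags the parser drops in fragment mode.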

Thanks for the input. Unfortunately, I don't want the HTML tags that get appended with SanitizeDocument.

The intended usage is only input HTML fragments. But there is a case where an attacker might use the body tag for an XSS attack. I am using the event handler to detect if anything gets stripped. In this case, stripping is occurring; it just doesn't trigger the event.

I'll see if I can work around this.

ClintRemedios, Feb 10 '17 17:02