Sanitizing HTML using Jeff Atwood's example

Question

I'm working on sanitizing my Html using Jeff Atwood's code found here

But the problem I'm running into is when I input Markdown links into the form (they get removed)

<http://www.example.com>

Here's the code I'm using.

private static Regex _tags = new Regex("<[^>]*(>|$)",
    RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled);
private static Regex _whitelist = new Regex(@"
    ^</?(b(lockquote)?|code|d(d|t|l|el)|em|h(1|2|3)|i|kbd|li|ol|p(re)?|s(ub|up|trong|trike)?|ul)>$|
    ^<(b|h)r\s?/?>$",
    RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled | RegexOptions.IgnorePatternWhitespace);
private static Regex _whitelist_a = new Regex(@"
    ^<a\s
    href=""(\#\d+|(https?|ftp)://[-a-z0-9+&@#/%?=~_|!:,.;\(\)]+)""
    (\stitle=""[^""<>]+"")?\s?>$|
    ^</a>$",
    RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled | RegexOptions.IgnorePatternWhitespace);
private static Regex _whitelist_img = new Regex(@"
    ^<img\s
    src=""https?://[-a-z0-9+&@#/%?=~_|!:,.;\(\)]+""
    (\swidth=""\d{1,3}"")?
    (\sheight=""\d{1,3}"")?
    (\salt=""[^""<>]*"")?
    (\stitle=""[^""<>]*"")?
    \s?/?>$",
    RegexOptions.Singleline | RegexOptions.ExplicitCapture | RegexOptions.Compiled | RegexOptions.IgnorePatternWhitespace);


/// <summary>
/// sanitize any potentially dangerous tags from the provided raw HTML input using 
/// a whitelist based approach, leaving the "safe" HTML tags
/// CODESNIPPET:4100A61A-1711-4366-B0B0-144D1179A937
/// </summary>
public static string Sanitize(string html)
{
    if (String.IsNullOrEmpty(html)) return html;

    string tagname;
    Match tag;

    // match every HTML tag in the input
    MatchCollection tags = _tags.Matches(html);
    for (int i = tags.Count - 1; i > -1; i--)
    {
        tag = tags[i];
        tagname = tag.Value.ToLowerInvariant();

        if(!(_whitelist.IsMatch(tagname) || _whitelist_a.IsMatch(tagname) || _whitelist_img.IsMatch(tagname)))
        {
            html = html.Remove(tag.Index, tag.Length);
            System.Diagnostics.Debug.WriteLine("tag sanitized: " + tagname);
        }
    }

    return html;
}

jeff atwood's html sanitizing code is not available from http://refactormycode.com/codes/333-sanitize-html. It shows OFFLINE now. Could you please provide jeff's html sanitizing code. I badly need that for my project. — Hasib Mahmud, May 09 '14 at 09:29
Sorry, I highly recommend NOT using Refactor My Code. Their DB was compromised and I got spammed into oblivion at my custom rfmc@mydomain email address. As for the library, this was eons ago and I don't know where I'd find it now. — Chase Florell, May 09 '14 at 14:28
You can check the site on its [Web Archive](https://web.archive.org/web/20090318053325/http://refactormycode.com/codes/333-sanitize-html). — Buhake Sindi, May 14 '15 at 12:09

score 3 · Accepted Answer · answered Jun 28 '10 at 21:12

3

Yeah, because that's not valid HTML... So the code is doing what it purports to do.

Since Markdown allows embedded HTML, but HTML does not allow (all forms of) embedded Markdown, I suggest you convert the Markdown to HTML first, and then sanitize it...

answered Jun 28 '10 at 21:12

Shog9

156,901
35
231
235

1

Well that was easy. I love it when solutions are that simple... didn't even think about it in those terms. `uwao.About = Trim(Utilities.HtmlSanitizer.Sanitize(MarkDownSharp.Transform(user.About)))` – Chase Florell Jun 28 '10 at 21:18

Sanitizing HTML using Jeff Atwood's example

1 Answers1

Linked