
I tried to sanitize the below-mentioned XML string using the AntiXss library:

<?xml version="1.0"?>
<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN"
  "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">

<svg xmlns="http://www.w3.org/2000/svg"
 width="467" height="462" onload="alert(document.domain)">
  <rect x="80" y="60" width="250" height="250" rx="20"
      style="fill:#00ff21; stroke:#000000;stroke-width:2px;" />

  <rect x="140" y="120" width="250" height="250" rx="40"
      style="fill:#00f2ff; stroke:#000000; stroke-width:2px;
      fill-opacity:0.7;" />
</svg>

Code:

byte[] document = new byte[file.ContentLength];
var xml = Encoding.UTF8.GetString(document);
var results = Sanitizer.GetSafeHtml(xml);

On debugging the above I see an empty string is returned as part of the results.

I also tried a few other NuGet packages: BracketPipe, with the following piece of code:

using (var reader = new HtmlReader(xml))
{
    var result = (string)reader.Sanitize().Minify().ToHtml();
}

But the above also returns the same result.

NuGet package: HtmlSanitizer:

var sanitizer = new HtmlSanitizer();
var sanitized = sanitizer.Sanitize(xml);

Can anyone help me to know how to resolve this issue?

santosh kumar patro
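
An allowlist approach to the SVG in the question, as an added example that is not part of the original post: parse the upload as XML with DTD processing switched off, then keep only known elements and attributes so that `onload` and `<script>` are dropped. The class name, the two allowlists and the value pattern are assumptions made for this example; it uses only System.Xml.Linq.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text.RegularExpressions;
using System.Xml;
using System.Xml.Linq;

public static class SvgAllowlistSanitizer
{
    static readonly XNamespace Svg = "http://www.w3.org/2000/svg";
    // Assumed allowlists for this example; extend them to the shapes you accept.
    static readonly HashSet<string> AllowedElements = new HashSet<string>
        { "svg", "g", "rect", "circle", "ellipse", "line", "path", "polygon", "polyline" };
    static readonly HashSet<string> AllowedAttributes = new HashSet<string>
        { "width", "height", "viewBox", "x", "y", "rx", "ry", "cx", "cy", "r", "x1", "y1",
          "x2", "y2", "d", "points", "fill", "stroke", "stroke-width", "fill-opacity", "style" };
    // Values may not contain parentheses, quotes or slashes, which rules out url(...) references.
    static readonly Regex SafeValue = new Regex(@"^[A-Za-z0-9#%.,:;\s+\-]*\z");

    public static string Sanitize(string xml)
    {
        // Skip the DOCTYPE without fetching or expanding anything it references.
        var settings = new XmlReaderSettings { DtdProcessing = DtdProcessing.Ignore, XmlResolver = null };
        XDocument doc;
        using (var reader = XmlReader.Create(new StringReader(xml), settings))
            doc = XDocument.Load(reader);
        if (doc.Root == null || doc.Root.Name != Svg + "svg")
            throw new InvalidDataException("Root element is not <svg> in the SVG namespace.");
        // Remove elements outside the allowlist (script, foreignObject, ...) with their subtrees.
        doc.Root.Descendants()
           .Where(e => e.Name.Namespace != Svg || !AllowedElements.Contains(e.Name.LocalName))
           .Remove();
        // Remove attributes outside the allowlist; every on* event handler falls in this group.
        doc.Root.DescendantsAndSelf().Attributes()
           .Where(a => !a.IsNamespaceDeclaration && !(a.Name.Namespace == XNamespace.None
                       && AllowedAttributes.Contains(a.Name.LocalName) && SafeValue.IsMatch(a.Value)))
           .Remove();
        return doc.Root.ToString(SaveOptions.DisableFormatting);
    }
    public static void Main()
    {
        // Constructed sample modelled on the SVG in the question.
        const string sample = "<?xml version='1.0'?>\n<!DOCTYPE svg PUBLIC '-//W3C//DTD SVG 1.1//EN' " +
            "'http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd'>\n<svg xmlns='http://www.w3.org/2000/svg' " +
            "width='467' height='462' onload='alert(document.domain)'><rect x='80' y='60' width='250' " +
            "height='250' rx='20' style='fill:#00ff21; stroke:#000000;'/><script>alert(1)</script></svg>";
        Console.WriteLine(Sanitize(sample));
    }
}
```

Input that is not well-formed XML, or that relies on entities declared in the skipped DTD, makes `XDocument.Load` throw, so such uploads are rejected rather than passed through.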

0 Answers