mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License

RemovingStyle event handler not triggering #260

Closed livershi closed 3 years ago

livershi commented 3 years ago

var result = sanitizer.Sanitize("<section style='width: 854px; height: 5px; background: rgb(0, 145, 58) none repeat scroll 0 % 0 %; margin - top: -4px; '></section>");

result is "<section style='width: 854px; height: 5px; margin - top: -4px; '></section>"

The RemovingStyle event handler is not triggered.

mganss commented 3 years ago

The issue is two-fold: First, margin - top: -4px; is malformed CSS, which is why it already gets discarded during parsing and never reaches the sanitizer. The same goes for 0 % 0 %.

The other issue is that background: none seems not to get parsed correctly by AngleSharp.Css (see https://github.com/AngleSharp/AngleSharp.Css/issues/65), causing the whole background property to be discarded by the parser, so it also does not reach the sanitizer.
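
Added example, not part of the thread or the HtmlSanitizer project's own code: one way to spot style declarations that disappear without a RemovingStyle event, as the comment above describes. It assumes the Ganss.Xss namespace of current package versions (older versions use Ganss.XSS); StyleAudit, DeclaredNames and the shortened input string are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using Ganss.Xss; // assumption: current package namespace

static class StyleAudit
{
    // Naive split of a style attribute into the property names as the author wrote them.
    // Hypothetical helper; good enough for simple "name: value" lists without ';' in values.
    static IEnumerable<string> DeclaredNames(string style) =>
        style.Split(';')
             .Select(d => d.Split(':')[0].Trim().ToLowerInvariant())
             .Where(n => n.Length > 0);

    static void Main()
    {
        var sanitizer = new HtmlSanitizer();

        // Disallow one well-formed property so that the sanitizer itself has something to remove.
        sanitizer.AllowedCssProperties.Remove("height");

        // Record every property the sanitizer reports through the event.
        var reported = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
        sanitizer.RemovingStyle += (s, e) => reported.Add(e.Style.Name);

        // Constructed input: two well-formed declarations plus the malformed one from the issue.
        var style = "width: 854px; height: 5px; margin - top: -4px";
        var output = sanitizer.Sanitize($"<section style='{style}'></section>");

        // Classify each declared property by what happened to it.
        foreach (var name in DeclaredNames(style))
        {
            var kept = output.IndexOf(name + ":", StringComparison.OrdinalIgnoreCase) >= 0;
            var status = kept ? "kept"
                : reported.Contains(name) ? "removed, RemovingStyle fired"
                : "dropped with no RemovingStyle event";
            Console.WriteLine($"{name,-14} {status}");
        }
    }
}
```

A declaration that lands in the last category never reached the sanitizer, so logging built only on RemovingStyle will not record it.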

livershi commented 3 years ago

thanks