mganss / HtmlSanitizer

Cleans HTML to avoid XSS attacks
MIT License

Rgba value to hex color while sanitizing #330

Closed pragatibaheti closed 2 years ago

pragatibaheti commented 2 years ago

Came across this modification in AngleSharp.Css https://github.com/AngleSharp/AngleSharp.Css/issues/96 where they have modified it to support hex color codes. Will this have any subsequent change in the sanitization code? Basically, how to use this while sanitizing? Any guide/snippet would help.

Thanks!

mganss commented 2 years ago

Yes, this can be used. Unfortunately, the Color struct is still private so until it is made public you'll need to set the UseHex property through reflection:

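```csharp
using System.Reflection; // needed for BindingFlags
// Color is not public in this AngleSharp.Css version, so resolve the type by name.
var colorType = typeof(AngleSharp.Css.CssKeywords).Assembly.GetType("AngleSharp.Css.Values.Color");
var useHex = colorType.GetProperty("UseHex", BindingFlags.Public | BindingFlags.Static);
useHex.SetValue(null, true); // static property, so the instance argument is null
```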

Execute this prior to any calls to HtmlSanitizer methods.

pragatibaheti commented 2 years ago

Okay. Thanks

mganss commented 2 years ago

Color is now public since AngleSharp.Css 0.16.4 so UseHex can be used directly:

https://github.com/mganss/HtmlSanitizer/blob/e467ebe7bbd3d081a7e3101d338c0b117b704a4b/test/HtmlSanitizer.Tests/Tests.cs#L3334-L3354

Watch out for potential threading issues if you intend to use both UseHex = true and UseHex = false from different threads.
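
An added example, not part of the original thread or the project's code: one way to handle the threading caveat above is to route every sanitize call that depends on a particular `UseHex` value through a single lock. `HexAwareSanitizer` and the sample input are hypothetical, and the `Ganss.Xss` namespace assumes HtmlSanitizer 8.x (older releases use `Ganss.XSS`); a readable `UseHex` getter is also assumed.

```csharp
using System;
using Ganss.Xss; // assumption: HtmlSanitizer 8.x; older releases use Ganss.XSS
using CssColor = AngleSharp.Css.Values.Color; // public since AngleSharp.Css 0.16.4

// Hypothetical helper. Color.UseHex is a process-wide static, so a value set by
// one thread is seen by every other thread that serializes CSS at the same time.
public static class HexAwareSanitizer
{
    private static readonly object Gate = new object();
    private static readonly HtmlSanitizer Sanitizer = new HtmlSanitizer();

    public static string Sanitize(string html, bool useHex)
    {
        lock (Gate)
        {
            bool previous = CssColor.UseHex;
            CssColor.UseHex = useHex;
            try
            {
                return Sanitizer.Sanitize(html);
            }
            finally
            {
                // Restore the earlier value for callers outside this helper.
                CssColor.UseHex = previous;
            }
        }
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample input.
        const string html = "<p style=\"color: rgba(255, 0, 0, 1)\">hi</p>";
        Console.WriteLine(HexAwareSanitizer.Sanitize(html, useHex: true));
        Console.WriteLine(HexAwareSanitizer.Sanitize(html, useHex: false));
    }
}
```

The lock only protects calls made through the helper; any code that calls `HtmlSanitizer` directly while another thread holds the lock still sees whichever `UseHex` value is set at that moment.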