When I run the code below:
`new HtmlSanitizer().Sanitize("<body onload=alert(1)>")`
the sanitizer will not trigger the `RemovingAttribute` event,
but when I run ` new HtmlSanitizer().Sanitize("
")`
the sanitizer will trigger the `RemovingAttribute` event.
Is this a bug or by design?
The `Sanitize()` method treats the supplied string as a fragment, i.e. it assumes it to be inside the body already. If you want to sanitize an HTML document containing `head` and `body`, use the `SanitizeDocument()` method instead.
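A side-by-side check of the two entry points discussed above, as an added example that is not part of the original thread or the project's own code. It assumes the HtmlSanitizer NuGet package with the `Ganss.Xss` namespace (older releases use `Ganss.XSS`); the `Run` helper and the second sample input are constructed for illustration.

```csharp
using System;
using System.Collections.Generic;
using Ganss.Xss; // assumption: recent package version; older releases use Ganss.XSS

static class FragmentVsDocument
{
    // Hypothetical helper: runs one sanitizer call on a fresh instance and
    // records every attribute removal the sanitizer reports through its event.
    static (string Output, List<string> Removed) Run(
        Func<HtmlSanitizer, string, string> call, string html)
    {
        var sanitizer = new HtmlSanitizer();
        var removed = new List<string>();

        sanitizer.RemovingAttribute += (sender, e) =>
            removed.Add($"<{e.Tag.LocalName}> {e.Attribute.Name} ({e.Reason})");

        return (call(sanitizer, html), removed);
    }

    static void Report(string label, (string Output, List<string> Removed) r)
    {
        Console.WriteLine($"{label}");
        Console.WriteLine($"  output : {r.Output}");
        Console.WriteLine($"  events : {r.Removed.Count}");
        foreach (var entry in r.Removed)
            Console.WriteLine($"    removed {entry}");
    }

    static void Main()
    {
        // Input from the question: a body start tag carrying an event handler.
        const string bodyTag = "<body onload=alert(1)>";
        // Constructed sample: a full document, the case SanitizeDocument() is meant for.
        const string fullDoc =
            "<html><head><title>t</title></head><body onload=alert(1)><p>hi</p></body></html>";

        // Fragment mode: the input is treated as if it were already inside <body>.
        Report("Sanitize(bodyTag)", Run((s, h) => s.Sanitize(h), bodyTag));

        // Document mode: html, head and body are part of what gets sanitized.
        Report("SanitizeDocument(bodyTag)", Run((s, h) => s.SanitizeDocument(h), bodyTag));
        Report("SanitizeDocument(fullDoc)", Run((s, h) => s.SanitizeDocument(h), fullDoc));
    }
}
```

If removal events feed logging or alerting, compare the event counts for the same input across both modes, since the fragment call in the question produced output without raising `RemovingAttribute`.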