Added options to control the sanitizer

Sicos1977 · Aug 25, 2020 · 8a384e1 · 8a384e1
1 parent fcc2a60
commit 8a384e1
Show file tree

Hide file tree

Showing 2 changed files with 22 additions and 10 deletions.
diff --git a/ChromeHtmlToPdfLib/Converter.cs b/ChromeHtmlToPdfLib/Converter.cs
@@ -40,6 +40,8 @@
 using ChromeHtmlToPdfLib.Exceptions;
 using ChromeHtmlToPdfLib.Helpers;
 using System.Text;
+using Ganss.XSS;
+
 // ReSharper disable UnusedAutoPropertyAccessor.Global
 // ReSharper disable MemberCanBePrivate.Global
 // ReSharper disable UnusedMember.Global
@@ -215,11 +217,24 @@ public List<string> PreWrapExtensions
         public bool ImageRotate { get; set; }
 
         /// <summary>
-        ///     When set to <c>true</c> then the HTML is sanitized. All not allowed attributes
+        ///     When set to <c>true</c>  the HTML is sanitized. All not allowed attributes
         ///     will be removed
         /// </summary>
+        /// <remarks>
+        ///     See https://github.com/mganss/HtmlSanitizer for all the default settings,<br/>
+        ///     Use <see cref="Sanitizer"/> if you want to control the sanitizer yourself
+        /// </remarks>
         public bool SanitizeHtml { get; set; }
 
+        /// <summary>
+        ///     When set then these settings will be used when <see cref="SanitizeHtml"/> is
+        ///     set to <c>true</c>
+        /// </summary>
+        /// <remarks>
+        ///     See https://github.com/mganss/HtmlSanitizer for all the default settings
+        /// </remarks>
+        public HtmlSanitizer Sanitizer { get; set; }
+
         /// <summary>
         ///     The timeout in milliseconds before this application aborts the downloading
         ///     of images when the option <see cref="ImageResize"/> and/or <see cref="ImageRotate"/>
@@ -1017,7 +1032,7 @@ public void ConvertToPdf(ConvertUri inputUri,
                 if (ImageResize || ImageRotate || SanitizeHtml)
                 {
                     var documentHelper = new DocumentHelper(GetTempDirectory, WebProxy, ImageDownloadTimeout, _logStream) { InstanceId = InstanceId };
-                    if (!documentHelper.Validate(inputUri, ImageResize, ImageRotate, SanitizeHtml, pageSettings,
+                    if (!documentHelper.Validate(inputUri, ImageResize, ImageRotate, SanitizeHtml, Sanitizer, pageSettings,
                         out var outputUri))
                         inputUri = outputUri;
                 }

diff --git a/ChromeHtmlToPdfLib/Helpers/DocumentHelper.cs b/ChromeHtmlToPdfLib/Helpers/DocumentHelper.cs
@@ -150,6 +150,7 @@ private int ParseValue(string value)
         /// <param name="rotate">When set to <c>true</c> then the EXIF information of an
         ///     image is read and when needed the image is automatic rotated</param>
         /// <param name="sanitizeHtml">When set to <c>true</c> then the HTML with get sanitized</param>
+        /// <param name="sanitizer"><see cref="HtmlSanitizer"/></param>
         /// <param name="pageSettings"><see cref="PageSettings"/></param>
         /// <param name="outputUri">The outputUri when this method returns <c>false</c> otherwise
         ///     <c>null</c> is returned</param>
@@ -159,6 +160,7 @@ public bool Validate(ConvertUri inputUri,
             bool resize,
             bool rotate,
             bool sanitizeHtml,
+            HtmlSanitizer sanitizer,
             PageSettings pageSettings,
             out ConvertUri outputUri)
         {
@@ -186,10 +188,7 @@ public bool Validate(ConvertUri inputUri,
                 {
                     // ReSharper disable AccessToDisposedClosure
                     document = inputUri.Encoding != null
-                        ? context.OpenAsync(m =>
-                                m.Content(webpage).Header("Content-Type",
-                                    $"text/html; charset={inputUri.Encoding.WebName}"))
-                            .Result
+                        ? context.OpenAsync(m => m.Content(webpage).Header("Content-Type", $"text/html; charset={inputUri.Encoding.WebName}")).Result
                         : context.OpenAsync(m => m.Content(webpage)).Result;
                     // ReSharper restore AccessToDisposedClosure
                 }
@@ -203,12 +202,10 @@ public bool Validate(ConvertUri inputUri,
                 {
                     WriteToLog("Sanitizing HTML");
 
-                    var sanitizer = new HtmlSanitizer();
-                    //sanitizer.AllowedClasses
+                    if (sanitizer == null)
+                        sanitizer = new HtmlSanitizer();
 
-                    sanitizer.AllowedSchemes.Add("mailto");
                     sanitizer.AllowedSchemes.Add("cid");
-                    sanitizer.AllowedAttributes.Add("class");
 
                     sanitizer.FilterUrl += delegate(object sender, FilterUrlEventArgs args)
                     {