In the original ASP.NET Zero, the HTML sanitizer config:
Configuration.Modules.AbpHtmlSanitizer() .KeepChildNodes() .AddSelector<IAccountAppService>(x => nameof(x.IsTenantAvailable)) .AddSelector<IAccountAppService>(x => nameof(x.Register));
We have extended to include all the API methods except a couple. It seems OK. It seems there are no issues without KeepChildNodes(),
Does Abp.HtmlSanitizer cover all required for sanitizing XSS? Do we need to do additional input filtering?
ShouldSanitizeContext is not exposed. How is it configured?
Any risks to filter all the API methods?
We have implemented a global input filter SanitizeInputFilter using the same Abp.HtmlSanitizer.
Our test results:
SanitizeInputFilter: Input: "20240705 <a href=></a>", output: "20240705". It filters out HTML code.
options.Filters.AddService(typeof(AbpHtmlSanitizerActionFilter)): Input: "20240705 <a href=></a>", Output: "20240705 <a href=></a>". It doesn't filter out HTML code.
Why SanitizeInputFilter and AbpHtmlSanitizerActionFilter have different filtering behavior? Should "<a href=></a>" be filtered out by AbpHtmlSanitizerActionFilter or just be sanitized? Is the discrepancy caused by the flag ShouldSanitizeContext with AbpHtmlSanitizerActionFilter?
3 Answer(s)
AbpHtmlSanitizer is the wrapper for this project. We sanitize at aspnetboilerplate using these methods. You can the
here you share
with us? We can understand more easily what the problem is. -
namespace umsplus.Web.Xss
using Microsoft.AspNetCore.Mvc.Filters;
using Microsoft.Extensions.DependencyInjection;
using System.Collections.Generic;
using System.Reflection;public class SanitizeInputFilter : IActionFilter { public void OnActionExecuting(ActionExecutingContext context) { var htmlSanitizer = context.HttpContext.RequestServices.GetService<IHtmlSanitizer>(); foreach (var argument in context.ActionArguments.Values) { SanitizeObjectProperties(argument, htmlSanitizer); } } public void OnActionExecuted(ActionExecutedContext context) { // No need to do anything here } private void SanitizeObjectProperties(object obj, IHtmlSanitizer sanitizer, HashSet<object> processedObjects = null) { if (obj == null) return; // Initialize the HashSet if it's the first call if (processedObjects == null) { processedObjects = new HashSet<object>(); } // Check if the object has already been processed to avoid infinite recursion if (processedObjects.Contains(obj)) { return; } // Add the current object to the set of processed objects processedObjects.Add(obj); var properties = obj.GetType().GetProperties(BindingFlags.Instance | BindingFlags.Public); foreach (var property in properties) { // Skip properties that require index parameters (like indexers) if (property.GetIndexParameters().Length > 0) { continue; } if (property.PropertyType == typeof(string) && property.CanWrite) { var value = (string)property.GetValue(obj); if (value != null) { var sanitizedValue = sanitizer.Sanitize(value); property.SetValue(obj, sanitizedValue); } } else if (!property.PropertyType.IsPrimitive && !property.PropertyType.IsEnum && property.PropertyType != typeof(string)) { var propertyValue = property.GetValue(obj); if (propertyValue != null) { SanitizeObjectProperties(propertyValue, sanitizer, processedObjects); } } } } }
Thank you for sharing with us. I will check it as soon as possible.