Class Sanitizer

Namespace
CSharpToJavaScript.APIs.JS
Assembly
CSharpToJavaScript.dll
NOTE
Experimental
The Sanitizer interface of the HTML Sanitizer API defines a configuration object that specifies what elements, attributes and comments are allowed or should be removed when inserting strings of HTML into an Element or ShadowRoot, or when parsing an HTML string into a Document.
[Value("Sanitizer")]
public class Sanitizer
Inheritance
Sanitizer
Remarks

A Sanitizer instance is effectively a wrapper around a SanitizerConfig, and can be passed in place of a configuration dictionary to the same sanitization methods (such as Element.SetHTML and ShadowRoot.SetHTML).

Note that Sanitizer is expected to be more efficient to reuse and modify when needed.

See also on MDN

Constructors

Sanitizer()

public Sanitizer()

Sanitizer(Union128)

NOTE
Experimental
The Sanitizer() constructor creates a new Sanitizer object, which can be used to filter unwanted elements and attributes from HTML or documents before they are inserted/parsed into the DOM.
public Sanitizer(Union128 configuration = default)

Parameters

configuration Union128

Remarks

The default Sanitizer() configuration allows only XSS-safe input: it omits elements such as script, frame, iframe, object and use, as well as event handler attributes, from their respective allow lists, and it disallows data attributes and comments.

The constructor configuration option can be used to customize the sanitizer behavior.

See also on MDN

Methods

AllowAttribute(Union131)

NOTE
Experimental
The allowAttribute() method of the Sanitizer interface sets an attribute to be allowed on all elements.
[Value("allowAttribute")]
public GlobalObject.Undefined AllowAttribute(Union131 attribute)

Parameters

attribute Union131

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The specified attribute is added to the list of attributes in this sanitizer's configuration.
The attribute is removed from the removeAttributes list if present.

Note that to allow or disallow attributes only on specific elements, use Sanitizer.AllowElement.

See also on MDN

AllowElement(Union130)

NOTE
Experimental
The allowElement() method of the Sanitizer interface sets that the specified element is allowed in the output when the sanitizer is used.
The element can be specified with lists of attributes that are allowed or disallowed on elements of that type.
[Value("allowElement")]
public GlobalObject.Undefined AllowElement(Union130 element)

Parameters

element Union130

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The specified element is added to the elements list in this sanitizer's configuration.
If the element is already present in the list, then the existing entry is first removed and the new definition is appended to the end of the list.
Note that if you need both a per-element attributes list and a per-element removeAttributes list, they must be supplied in a single call to this method: if they are added in two calls, the second call replaces the element definition added by the first.

The specified element is removed from the sanitizer configuration removeElements or replaceWithChildrenElements lists if present.

See also on MDN

Get()

NOTE
Experimental
The get() method of the Sanitizer interface returns a 'SanitizerConfig' dictionary instance that represents the current Sanitizer configuration.
[Value("get")]
public SanitizerConfig Get()

Returns

SanitizerConfig

A SanitizerConfig.

Remarks

This may be used to create a sanitizer that is slightly modified from the default: first get the default sanitizer configuration, modify it, and then use the result to construct a new sanitizer.

The returned configuration can also be used to inspect the configuration, and can be passed directly to the HTML parsing functions.
Note, however, that it is more efficient to pass a Sanitizer rather than a configuration dictionary, particularly where the Sanitizer is to be used multiple times.

See also on MDN

RemoveAttribute(Union131)

NOTE
Experimental
The removeAttribute() method of the Sanitizer interface sets an attribute to be disallowed on all elements.
[Value("removeAttribute")]
public GlobalObject.Undefined RemoveAttribute(Union131 attribute)

Parameters

attribute Union131

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The specified attribute is added to the list of removeAttributes in this sanitizer's configuration.
The attribute is removed from the attributes list if present.

Note that to allow or disallow attributes only on specific elements, use Sanitizer.AllowElement.

See also on MDN

RemoveElement(Union129)

NOTE
Experimental
The removeElement() method of the Sanitizer interface sets an element to be disallowed — removed from input when the sanitizer is used.
[Value("removeElement")]
public GlobalObject.Undefined RemoveElement(Union129 element)

Parameters

element Union129

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The specified element is added to the list of removeElements in this sanitizer's configuration.
The element is removed from the elements or replaceWithChildrenElements lists if present.

See also on MDN

RemoveUnsafe()

NOTE
Experimental
The removeUnsafe() method of the Sanitizer interface updates the sanitizer configuration so that it will remove all elements, attributes, and event handler content attributes that are considered XSS-unsafe by the browser.
[Value("removeUnsafe")]
public GlobalObject.Undefined RemoveUnsafe()

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The unsafe elements and attributes are added to the configuration by calling 'Sanitizer.RemoveElement' and 'Sanitizer.RemoveAttribute' for each, respectively.
This adds them to the sanitizer configuration disallow lists: removeElements and removeAttributes, and removes them (if present) from the configuration allow lists: elements, replaceWithChildrenElements and attributes.

The method can be called to make any custom configuration XSS-safe.
If used with a configuration that uses the allow lists, it will remove the XSS-unsafe entities from those lists.
If used with a configuration that uses only the disallow ("remove") lists, then it ensures the configuration includes the unsafe elements in those lists.

Note that if you're using the sanitizer with one of the "safe" HTML setters, such as Element.SetHTML and ShadowRoot.SetHTML, you do not need to call this method to make the sanitizer safe.
When used in these setters the method is called implicitly, without modifying the Sanitizer instance that is passed.

See also on MDN
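The remarks for AllowElement, Get and RemoveUnsafe above describe how the sanitizer's allow and remove lists interact. The following JavaScript is an added illustration, not code from the CSharpToJavaScript project or the browser's HTML Sanitizer implementation: it is a small model of that list bookkeeping, using the SanitizerConfig list names (elements, removeElements, replaceWithChildrenElements, attributes, removeAttributes, comments, dataAttributes). The two "unsafe" sets are a constructed subset for illustration only and are not the browser's authoritative list. It shows the two-call pitfall for AllowElement, how RemoveUnsafe purges unsafe entries from an allow-list configuration, and the get-modify-construct pattern from Get.

```javascript
// Model of the Sanitizer configuration bookkeeping (added illustration; NOT the
// browser's Sanitizer and NOT the CSharpToJavaScript wrapper).
// Constructed subsets used only to illustrate removeUnsafe():
const UNSAFE_ELEMENTS_SAMPLE = ['script', 'iframe', 'object'];
const UNSAFE_ATTRIBUTES_SAMPLE = ['onclick', 'onerror', 'onload'];

// Accept "p" or { name: "p", ... } and return a definition object.
function toDef(spec) {
  return typeof spec === 'string' ? { name: spec } : { ...spec };
}
function dropByName(list, name) {
  return list.filter((d) => d.name !== name);
}

class SanitizerModel {
  constructor(config = {}) {
    this.config = {
      elements: (config.elements ?? []).map(toDef),
      removeElements: (config.removeElements ?? []).map(toDef),
      replaceWithChildrenElements: (config.replaceWithChildrenElements ?? []).map(toDef),
      attributes: (config.attributes ?? []).map(toDef),
      removeAttributes: (config.removeAttributes ?? []).map(toDef),
      comments: config.comments ?? false,
      dataAttributes: config.dataAttributes ?? false,
    };
  }
  // allowElement: any existing entry with the same name is removed first and the
  // new definition appended, so per-element attributes and removeAttributes
  // must be supplied together in one call.
  allowElement(spec) {
    const def = toDef(spec), c = this.config;
    c.elements = [...dropByName(c.elements, def.name), def];
    c.removeElements = dropByName(c.removeElements, def.name);
    c.replaceWithChildrenElements = dropByName(c.replaceWithChildrenElements, def.name);
  }
  removeElement(spec) {
    const def = toDef(spec), c = this.config;
    c.removeElements = [...dropByName(c.removeElements, def.name), def];
    c.elements = dropByName(c.elements, def.name);
    c.replaceWithChildrenElements = dropByName(c.replaceWithChildrenElements, def.name);
  }
  allowAttribute(spec) {
    const def = toDef(spec), c = this.config;
    c.attributes = [...dropByName(c.attributes, def.name), def];
    c.removeAttributes = dropByName(c.removeAttributes, def.name);
  }
  removeAttribute(spec) {
    const def = toDef(spec), c = this.config;
    c.removeAttributes = [...dropByName(c.removeAttributes, def.name), def];
    c.attributes = dropByName(c.attributes, def.name);
  }
  // removeUnsafe: route each unsafe entry through removeElement/removeAttribute,
  // which also purges it from the allow lists.
  removeUnsafe() {
    UNSAFE_ELEMENTS_SAMPLE.forEach((n) => this.removeElement(n));
    UNSAFE_ATTRIBUTES_SAMPLE.forEach((n) => this.removeAttribute(n));
  }
  // get: a detached copy of the configuration dictionary.
  get() { return JSON.parse(JSON.stringify(this.config)); }
}

const names = (list) => list.map((d) => d.name);

// Pitfall: two allowElement calls for the same element keep only the second.
function demoTwoCallPitfall() {
  const s = new SanitizerModel();
  s.allowElement({ name: 'p', attributes: ['id'] });
  s.allowElement({ name: 'p', removeAttributes: ['style'] }); // replaces the first
  return s.get().elements.find((d) => d.name === 'p');
}
// Correct: both per-element lists in a single call.
function demoSingleCall() {
  const s = new SanitizerModel();
  s.allowElement({ name: 'p', attributes: ['id'], removeAttributes: ['style'] });
  return s.get().elements.find((d) => d.name === 'p');
}
// removeUnsafe on an allow-list configuration that (wrongly) allows script/onclick.
function demoRemoveUnsafeOnAllowList() {
  const s = new SanitizerModel({ elements: ['p', 'script'], attributes: ['id', 'onclick'] });
  s.removeUnsafe();
  return s.get();
}
// get(), modify, construct a new sanitizer; the original stays unchanged.
function demoDeriveFromExisting() {
  const base = new SanitizerModel({ elements: ['p'] });
  const cfg = base.get();
  cfg.elements.push({ name: 'b' });
  const derived = new SanitizerModel(cfg);
  return { baseCount: base.get().elements.length, derivedCount: derived.get().elements.length };
}
```

The model's allowElement deliberately mirrors the documented "remove existing entry, append new definition" rule, which is why demoTwoCallPitfall loses the id allow-list while demoSingleCall keeps both lists.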

ReplaceElementWithChildren(Union129)

NOTE
Experimental
The replaceElementWithChildren() method of the Sanitizer interface sets an element to be replaced by its child HTML elements when the sanitizer is used.
This is primarily used for stripping styles from text.
[Value("replaceElementWithChildren")]
public GlobalObject.Undefined ReplaceElementWithChildren(Union129 element)

Parameters

element Union129

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The specified element, along with its namespace, is added to the list of replaceWithChildrenElements in this sanitizer's configuration.
The element is removed from the elements or removeElements lists if present.

See also on MDN

SetComments(bool)

NOTE
Experimental
The setComments() method of the Sanitizer interface sets whether comments will be allowed or removed by the sanitizer.
[Value("setComments")]
public GlobalObject.Undefined SetComments(bool allow)

Parameters

allow bool

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The method sets the comments property in this sanitizer's configuration.

See also on MDN

SetDataAttributes(bool)

NOTE
Experimental
The setDataAttributes() method of the Sanitizer interface sets whether data attributes will be allowed or removed by the sanitizer.
[Value("setDataAttributes")]
public GlobalObject.Undefined SetDataAttributes(bool allow)

Parameters

allow bool

Returns

GlobalObject.Undefined

None (undefined).

Remarks

The method sets the dataAttributes property in this sanitizer's configuration.

See also on MDN