
GetSafeHtmlFragment replacing all html tags

description

When we updated our AntiXss library to 4.2.1 we noticed that our GetSafeHtmlFragment was no longer working. Is it required that we now whitelist any HTML attributes that we need with the newest release?

GetSafeHtmlFragment("<b>text</b>") returns only "text".

The version we were running prior to release was 4.0.0, which did not seem to require any such whitelisting of needed HTML attributes.

Thank you in advance for reviewing this issue.

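A regression self-check a team could run before upgrading or re-sanitizing stored content, added here as an example that is not part of this issue or of the AntiXSS project; it assumes the Microsoft.Security.Application.Sanitizer API of the 4.x package and uses the fragments quoted in this thread as its inputs.

```csharp
// Added example: report markup that the installed sanitizer strips but the app must keep,
// and markup it keeps but must remove, so a regression like 4.2.1's is caught early.
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text.RegularExpressions;
using Microsoft.Security.Application;

static class SanitizerCanary
{
    // (input fragment, tag names that must survive, attribute names that must survive);
    // inputs are constructed from the ones quoted in this thread.
    static readonly Tuple<string, string[], string[]>[] Cases =
    {
        Tuple.Create("<b>text</b>", new[] { "b" }, new string[0]),
        Tuple.Create("<h1>Heading</h1><p>Testing</p>", new[] { "h1", "p" }, new string[0]),
        Tuple.Create("<a href=\"http://google.com/\">link</a>", new[] { "a" }, new[] { "href" }),
    };

    static readonly Regex TagName = new Regex(@"<([A-Za-z][A-Za-z0-9]*)", RegexOptions.Compiled);
    static readonly Regex AttrName = new Regex(@"\s([A-Za-z-]+)\s*=", RegexOptions.Compiled);

    // Lower-cased names captured by the regex, e.g. the tag or attribute names left in the output.
    static HashSet<string> Names(Regex re, string html)
    {
        return new HashSet<string>(re.Matches(html).Cast<Match>()
            .Select(m => m.Groups[1].Value.ToLowerInvariant()));
    }

    public static List<string> Check()
    {
        var failures = new List<string>();
        foreach (var c in Cases)
        {
            string output = Sanitizer.GetSafeHtmlFragment(c.Item1);
            HashSet<string> tags = Names(TagName, output), attrs = Names(AttrName, output);
            foreach (string t in c.Item2.Where(t => !tags.Contains(t)))
                failures.Add("tag <" + t + "> stripped: " + c.Item1 + " -> " + output);
            foreach (string a in c.Item3.Where(a => !attrs.Contains(a)))
                failures.Add("attribute " + a + " stripped: " + c.Item1 + " -> " + output);
        }
        // The unsafe part of a fragment from this thread must never survive, on any version.
        string s = Sanitizer.GetSafeHtmlFragment("<b>hello antixss</b><script>");
        if (s.IndexOf("<script", StringComparison.OrdinalIgnoreCase) >= 0)
            failures.Add("script element survived sanitization");
        return failures;
    }
}
```

Call SanitizerCanary.Check() at startup or in a pre-deployment test and refuse to start (or to run a data migration) when it returns any failures.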

comments

alexcheveau wrote Mon at 10:50 AM

Where are the validation before the release of the ToolKit? Very disappointing...

ltoshev wrote Apr 30 at 11:30 AM

The issue is really serious. We use the library at a huge site with thousands of users and we can't upgrade the library because it will destroy millions of HTML fragments already saved in the database.

The impact of this issue is tremendous! When will this be fixed?

janrex wrote Apr 16 at 6:45 AM

The method name should be renamed to StripHtml as that's what it's doing right now!

briane wrote Apr 4 at 7:01 PM

What is so dangerous about <h1>text</h1> that would cause it to be sanitized?

matthooper wrote Mar 19 at 10:05 PM

Microsoft, do you have any updates on when this may be fixed? Or could you point us to an older version? I'd love to use this library if this method would work properly.

brentonw wrote Feb 11 at 7:57 PM

This thing is clearly broken - do any of the contributors have a comment as to when we will see a new build that fixes these problems?

Rifk wrote Feb 10 at 4:40 PM

Having the same issue where valid safe html is getting removed when using GetSafeHtmlFragment. Does anyone have a link to an older version of the library?

dzehner wrote Feb 9 at 6:15 PM

I just hit this as well. HTML is being stripped when using GetHtmlFragment(). This isn't leaving me many options at the moment other than to roll back to pre-4.2. Hoping this gets fixed quickly.

leniency wrote Feb 1 at 9:20 PM

@simosentissi - At the moment I'm just dealing with it - don't have any of the previous nuget versions backed up and I was only using it in a few non-critical places from admin generated input.

timwilson wrote Feb 1 at 8:58 PM

@simosentissi we are reverting back to the older version that doesn't strip out any valid html tags. Since the downloads get cleared out with each release you will need to look for a copy locally. If you installed the package through nuget you can drop the old version into your packages directory and then use nuget to manage the older package. This can be done only after uninstalling the old package. This way your packages.config file can be configured correctly and you can also update to the newer version of the package when it has been fixed. That is what my team is planning on doing anyways...

simosentissi wrote Feb 1 at 8:34 PM

Contemplating using the latest version on the more exposed side of the app (and less reliant on rich text) and the old one in the less exposed side with the heavy reliance on rich text... just contemplating...
What are y'all doing? Looking for other people's ways of getting around the tag stripping.

It would be nice to have some type of whitelist on GetSafeHtmlFragment.

simosentissi wrote Jan 31 at 3:22 PM

I am experiencing the same behaviors after the update: <p> and <span> are the only ones I see.
My team is resorting to a before and after filter where we replace tags that get stripped and put them back. How do y'all do it?

brentonw wrote Jan 27 at 10:40 PM

I'm experiencing the same problem: <strong> tags are being removed, <img> tags are being removed, etc. Any ETA on a fix for this? I'm using the 4.2.1 package from NuGet (assembly versions are 4.2).

bdorrans wrote Jan 23 at 3:32 PM

This is being worked on now. I will update once I know more.

BenAAdams wrote Jan 21 at 7:33 PM

Yes we are experiencing everything being stripped except <p> and <span>.

We are using CKEditor to allow users to enter rich text, but this strips everything now.

Hypnovirus wrote Jan 21 at 5:48 PM

I just downloaded and ran the msi from http://www.microsoft.com/download/en/details.aspx?id=28589 today. I am also getting way too much stripped out:
<a href="http://google.com/"> is converted to <a>
<img> tags are deleted entirely
This makes Sanitizer.GetSafeHtmlFragment unusable for my purposes.

leniency wrote Jan 19 at 10:00 PM

Same issue here. In both the NuGet and download versions, sanitization appears to clean all but <p> and <a> tags. All attributes, however, are stripped out, making <a> useless.

timwilson wrote Jan 18 at 9:30 PM

bdorrans, do you know when a fix will be pushed out for this?

NathonF wrote Jan 18 at 8:00 AM

Forgot to add I'm using the version found at http://www.microsoft.com/download/en/details.aspx?id=28589

NathonF wrote Jan 18 at 7:57 AM

I'm seeing similar behaviour using v4.2. The following input:

<h1>Heading</h1><p>Testing</p><img src="http://localhost/images/test.png" />

is converted to:

Heading<p>Testing</p>;

chandrac wrote Jan 16 at 10:56 PM

I am seeing the same behavior:

Sanitizer.GetSafeHtmlFragment("<b>hello antixss</b><script>") returns just "hello antixss", without any safe tags/attributes etc.

Used the NuGet version from Jan 10th.

timwilson wrote Jan 13 at 6:31 PM

What were the results of your findings?

timwilson wrote Jan 12 at 6:14 PM

If it helps, we did get it through NuGet.

timwilson wrote Jan 12 at 5:58 PM

Thank you

bdorrans wrote Jan 12 at 5:54 PM

It shouldn't be doing that. It doesn't here. Taking a look.