76

Closed

GetSafeHtmlFragment replacing all html tags

description

When we updated our AntiXss library to 4.2.1 we noticed that our GetSafeHtmlFragment was no longer working. Is it required that we now whitelist any HTML attributes that we need with the newest release?
 
GetSafeHtmlFragment("<b>text</b>") returns only "text".
 
The version we were running prior to release was 4.0.0, which did not seem to require any such whitelisting of needed HTML attributes.
 
Thank you in advance for reviewing this issue.
Closed Jun 3, 2014 at 12:42 AM by bdorrans
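The following is an added regression check for the behaviour reported in this issue; it is example code, not part of the original thread or of the AntiXss project. It assumes the 4.x API Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(string) named in the comments, runs the inputs quoted in the thread through it, and checks that safe markup the 4.0.0 release kept (the reporters' expectation) survives while script content and an inline event-handler attribute (the last case is constructed, not from the thread) do not. Run it against a candidate package before upgrading: a non-zero exit code means the build either strips safe markup, as 4.2.x is reported to do, or fails to remove unsafe markup.

```csharp
// Added example: pre-upgrade regression check for Sanitizer.GetSafeHtmlFragment.
// Assumption: the AntiXss 4.x API Microsoft.Security.Application.Sanitizer
// is referenced by the project (it is not redefined here).
using System;
using System.Collections.Generic;
using Microsoft.Security.Application;

static class SanitizerRegressionCheck
{
    // One case per input: fragments a working release should retain
    // (safe formatting markup) and fragments it must never emit.
    sealed class Case
    {
        public string Input;
        public string[] MustKeep;
        public string[] MustDrop;
    }

    static readonly Case[] Cases =
    {
        // Inputs quoted in this thread.
        new Case { Input = "<b>text</b>",
                   MustKeep = new[] { "<b>", "text" },
                   MustDrop = new string[0] },
        new Case { Input = "<b>hello antixss</b><script>",
                   MustKeep = new[] { "<b>", "hello antixss" },
                   MustDrop = new[] { "<script" } },
        new Case { Input = "<h1>Heading</h1><p>Testing</p><img src=\"http://localhost/images/test.png\" />",
                   MustKeep = new[] { "<h1>", "<p>", "<img" },
                   MustDrop = new string[0] },
        new Case { Input = "<a href=\"http://google.com/\">link</a>",
                   MustKeep = new[] { "<a", "href=" },
                   MustDrop = new string[0] },
        // Constructed case: an inline event handler must be removed even when <img> is kept.
        new Case { Input = "<img src=\"http://localhost/images/test.png\" onerror=\"x()\" />",
                   MustKeep = new string[0],
                   MustDrop = new[] { "onerror" } },
    };

    static int Main()
    {
        int failures = 0;
        foreach (var c in Cases)
        {
            string output = Sanitizer.GetSafeHtmlFragment(c.Input);
            var problems = new List<string>();

            foreach (var keep in c.MustKeep)
                if (output.IndexOf(keep, StringComparison.OrdinalIgnoreCase) < 0)
                    problems.Add("stripped safe markup: " + keep);

            foreach (var drop in c.MustDrop)
                if (output.IndexOf(drop, StringComparison.OrdinalIgnoreCase) >= 0)
                    problems.Add("retained unsafe markup: " + drop);

            Console.WriteLine("{0}\n  -> {1}\n  {2}", c.Input, output,
                problems.Count == 0 ? "ok" : string.Join("; ", problems.ToArray()));
            failures += problems.Count;
        }

        // Non-zero exit lets a build step block an upgrade that reintroduces the regression.
        return failures == 0 ? 0 : 1;
    }
}
```

The checks are substring-based rather than exact string comparisons because the library may normalise the fragment it returns (attribute quoting, self-closing tags); what matters for this issue is whether the safe tags and attributes are present at all.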

comments

bdorrans wrote Jan 12, 2012 at 5:54 PM

It shouldn't be doing that. It doesn't here. Taking a look.

timwilson wrote Jan 12, 2012 at 5:58 PM

Thank you

timwilson wrote Jan 12, 2012 at 6:14 PM

If it helps, we did get it through NuGet.

timwilson wrote Jan 13, 2012 at 6:31 PM

What were the results of your findings?

chandrac wrote Jan 16, 2012 at 10:56 PM

I am seeing the same behavior -

Sanitizer.GetSafeHtmlFragment("<b>hello antixss</b><script>") returns just "hello antixss", without any safe tags/attributes etc.

Used the NuGet version from Jan 10th.

NathonF wrote Jan 18, 2012 at 7:57 AM

I'm seeing similar behaviour using v4.2. The following input:
<h1>Heading</h1><p>Testing</p><img src="http://localhost/images/test.png" /> is converted to:

Heading<p>Testing</p>;

NathonF wrote Jan 18, 2012 at 8:00 AM

Forgot to add I'm using the version found at http://www.microsoft.com/download/en/details.aspx?id=28589

timwilson wrote Jan 18, 2012 at 9:30 PM

bdorrans, do you know when a fix will be pushed out for this?

leniency wrote Jan 19, 2012 at 10:00 PM

Same issue here. In the NuGet and download versions both, sanitization appears to clean all but <p> and <a> tags. All attributes, however, are stripped out, making <a> useless.

Hypnovirus wrote Jan 21, 2012 at 5:48 PM

I just downloaded and ran the msi from http://www.microsoft.com/download/en/details.aspx?id=28589 today. I am also getting way too much stripped out:
<a href="http://google.com/"> is converted to <a>
<img> tags are deleted entirely
This makes Sanitizer.GetSafeHtmlFragment unusable for my purposes.

BenAAdams wrote Jan 21, 2012 at 7:33 PM

Yes we are experiencing everything being stripped except <p> and <span>.

Using CKEditor to allow users to enter rich text, but this strips everything now.

bdorrans wrote Jan 23, 2012 at 3:32 PM

This is being worked on now. I will update once I know more.

brentonw wrote Jan 27, 2012 at 10:40 PM

I'm experiencing the same problem - <strong> tags are being removed, <img> tags are being removed, etc. Any ETA on a fix for this? I'm using the 4.2.1 package from NuGet (assembly versions are 4.2).

simosentissi wrote Jan 31, 2012 at 3:22 PM

I am experiencing the same behaviors after the update: <p> and <span> are the only ones I see.
My team is resorting to a before and after filter where we replace tags that get stripped and put them back. How do y'all do it?

simosentissi wrote Feb 1, 2012 at 8:34 PM

Contemplating using the latest version on the more exposed side of the app (and less reliant on rich text) and the old one in the less exposed side with the heavy reliance on rich text... just contemplating...
What are y'all doing? Looking for other people's ways of going around the tag stripping.

It would be nice to have some type of whitelist on GetSafeHtmlFragment.

timwilson wrote Feb 1, 2012 at 8:58 PM

@simosentissi we are reverting back to the older version that doesn't strip out any valid HTML tags. Since the downloads get cleared out with each release you will need to look for a copy locally. If you installed the package through NuGet you can drop the old version into your packages directory and then use NuGet to manage the older package. This can be done only after uninstalling the old package. This way your packages.config file can be configured correctly and you can also update to the newer version of the package when it has been fixed. That is what my team is planning on doing anyways...

leniency wrote Feb 1, 2012 at 9:20 PM

@simosentissi - At the moment I'm just dealing with it - don't have any of the previous nuget versions backed up and I was only using it in a few non-critical places from admin generated input.

dzehner wrote Feb 9, 2012 at 6:15 PM

I just hit this as well. HTML is being stripped when using GetHtmlFragment(). This isn't leaving me many options at the moment other than to roll back to pre-4.2. Hoping this gets fixed quickly.

Rifk wrote Feb 10, 2012 at 4:40 PM

Having the same issue where valid safe html is getting removed when using GetSafeHtmlFragment. Does anyone have a link to an older version of the library?

brentonw wrote Feb 11, 2012 at 7:57 PM

This thing is clearly broken - do any of the contributors have a comment as to when we will see a new build that fixes these problems?

matthooper wrote Mar 19, 2012 at 10:05 PM

Microsoft, do you have any updates on when this may be fixed? Or could you point us to an older version? I'd love to use this library if this method would work properly.

briane wrote Apr 4, 2012 at 7:01 PM

What is so dangerous about <h1>text</h1> that would cause it to be sanitized?

janrex wrote Apr 16, 2012 at 6:45 AM

The method name should be renamed to StripHtml as that's what it's doing right now!

ltoshev wrote Apr 30, 2012 at 11:30 AM

The issue is really serious. We use the library at a huge site with thousands of users and we can't upgrade the library because it will destroy millions of HTML fragments already saved into the database.

The impact of this issue is tremendous! When will this be fixed?

alexcheveau wrote May 14, 2012 at 10:50 AM

Where was the validation before the release of the toolkit? Very disappointing...

i8beef wrote Jun 6, 2012 at 9:53 PM

Can we change "Impact" on this item to high? This pretty much makes this part of the library completely unusable...

robstrange wrote Aug 2, 2012 at 12:04 AM

This is unacceptable. The prior version has security vulnerabilities and the new version strips out all of the HTML. This thread is going on 8 months and there still isn't a resolution or updated patch.

Version 3 and 4 vulnerabilities:
http://www.securityfocus.com/bid/51291/discuss

brentonw wrote Aug 7, 2012 at 8:00 AM

I've reached out to the project coordinator several times with no response. I also reached out to ScottGu at Microsoft, who put me in touch with some folks on his team. I exchanged a few emails with them; however, they did not have an update as to when this would be fixed. Perhaps if more people voice their concern directly to Microsoft someone will address this.

Tyrven wrote Jan 30, 2013 at 5:59 PM

This issue has been open for over a year without acknowledgement from the contributors. I'm assuming it won't be addressed. Given this, I'm curious what approach folks are using to accomplish similar behavior? Has anyone implemented alternate libraries or approaches with much success?

(Still blows my mind that this hasn't been addressed - AntiXss, RIP?)

timwilson wrote Jan 30, 2013 at 7:48 PM

Tyrven, we had to go back to an older version... if you do have a different solution please post here. Thanks.

dvdrom000 wrote May 8, 2013 at 9:57 PM

The problem is still there, crazy.

sdeibrloe wrote May 31, 2013 at 9:17 PM

Crazy!!!!!

jjorczak wrote Jun 26, 2013 at 1:25 PM

I just installed version 4.2.1 from NuGet and it has the same issue. <strong> tags are stripped.

yougotiger wrote Nov 17, 2014 at 9:40 PM

Just tested with the version now offered and the same problem exists, it strips nearly all HTML out of the string. This is undesirable in the extreme, I will be rolling back to our previous version.