GetSafeHtmlFragment replacing all html tags


When we updated our AntiXss library to 4.2.1 we noticed that our GetSafeHtmlFragment was no longer working. Is it required that we now whitelist any html attributes that we need with the newest release ?
GetSafeHtmlFragment("<b>text</b>") returns only "text".
The version we were running prior to release was 4.0.0 which did not seem to require any such white listing of needed html attributes.
Thank you in advance for reviewing this issue.
Closed Jun 3, 2014 at 12:42 AM by bdorrans


bdorrans wrote Jan 12, 2012 at 5:54 PM

It shouldn't be doing that. It doesn't here. Taking a look.

timwilson wrote Jan 12, 2012 at 5:58 PM

Thank you

timwilson wrote Jan 12, 2012 at 6:14 PM

If it helps, we did get it through NuGet.

timwilson wrote Jan 13, 2012 at 6:31 PM

What were the results of your findings?

chandrac wrote Jan 16, 2012 at 10:56 PM

I am seeing the same behavior -

Sanitizer.GetSafeHtmlFragment("<b>hello antixss</b><script>") return just "hello antixss". without any safe tags/attributes etc.

Used the nuget version from jan 10th.

NathonF wrote Jan 18, 2012 at 7:57 AM

I'm seeing similar behaviour using v4.2. The following input:
<h1>Heading</h1><p>Testing</p><img src="http://localhost/images/test.png" /> is converted to:


NathonF wrote Jan 18, 2012 at 8:00 AM

Forgot to add I'm using the version found at http://www.microsoft.com/download/en/details.aspx?id=28589

timwilson wrote Jan 18, 2012 at 9:30 PM

bdorrans, do you know when a fix will be pushed out for this?

leniency wrote Jan 19, 2012 at 10:00 PM

Same issue here. In Nuget and download version both, sanitation appears to clean all but <p> and <a> tags. All attributes however are stripped out, making <a> useless.

Hypnovirus wrote Jan 21, 2012 at 5:48 PM

I just downloaded and ran the msi from http://www.microsoft.com/download/en/details.aspx?id=28589 today. I am also getting way too much stripped out:
<a href="http://google.com/"> is converted to <a>
<img> tags are deleted entirely
This makes Sanitizer.GetSafeHtmlFragment unusable for my purposes.

BenAAdams wrote Jan 21, 2012 at 7:33 PM

Yes we are experiencing everything being stripped except <p> and <span>.

Using ckeditor to allow users to enter rich text, but this strips everything now

bdorrans wrote Jan 23, 2012 at 3:32 PM

This is being worked on now. I will update once I know more.

brentonw wrote Jan 27, 2012 at 10:40 PM

I'm experiencing the same problem - <strong> tags are being removed, <img> tags are being removed etc... Any ETA on a fix for this? I'm using the 4.2.1 package from Nuget (Assembly versions are 4.2)

simosentissi wrote Jan 31, 2012 at 3:22 PM

I am experiencing the same behaviors after the update: <p> and <span> are the only ones I see.
my team is resorting to a before and after filter where we replace tags that get stripped down and put them back up. how do yall do it?

simosentissi wrote Feb 1, 2012 at 8:34 PM

Contemplating using the latest version on the more exposed side of the app (and less reliant on rich text) and the old one in the less exposed with the heaving reliance on rich text... just contemplating...
What y'all doing ? looking for other people's ways of going around the tag stripping.

would be nice to have some type of white list on the getsafehtmlfragment

timwilson wrote Feb 1, 2012 at 8:58 PM

@simosentissi we are reverting back to the older version that doesn't strip out any valid html tags. Since the downloads get cleared out with each release you will need to look for a copy locally. If you installed the package through nuget you can drop the old version into your packages directory and then use nuget to manage the older package. This can be done only after uninstalling the old package. This way your packages.config file can be configured correctly and you can also update to the newer version of the package when it has been fixed. That is what my team is planning on doing anyways...

leniency wrote Feb 1, 2012 at 9:20 PM

@simosentissi - At the moment I'm just dealing with it - don't have any of the previous nuget versions backed up and I was only using it in a few non-critical places from admin generated input.

dzehner wrote Feb 9, 2012 at 6:15 PM

I just hit this as well. HTML is being stripped when using GetHtmlFragment(). This isn't leaving me many options at the moment other than to roll back to pre-4.2. Hoping this gets fixed quickly.

Rifk wrote Feb 10, 2012 at 4:40 PM

Having the same issue where valid safe html is getting removed when using GetSafeHtmlFragment. Does anyone have a link to an older version of the library?

brentonw wrote Feb 11, 2012 at 7:57 PM

This thing is clearly broken - do any of the contributors have a comment as to when we will see a new build that fixes these problems?

matthooper wrote Mar 19, 2012 at 10:05 PM

Microsoft, do you have any updates on when this may be fixed? Or could you point us to an older version? I'd love to use this library if this method would work properly.

briane wrote Apr 4, 2012 at 7:01 PM

What is so dangerous about <h1>text</h1> that would cause it to be sanitized?

janrex wrote Apr 16, 2012 at 6:45 AM

The method name should be renamed to StripHtml as that's what it's doing right now!

ltoshev wrote Apr 30, 2012 at 11:30 AM

The issue is really serious, we use the library at a huge site with thousands of users and we can't upgrade the library because it will destroy millions of html fragments saved allready into the database.

The impact of this issue is tremmendous! When this will be fixed?

alexcheveau wrote May 14, 2012 at 10:50 AM

Where are the validation before the release of the ToolKit? Very disappointing...

i8beef wrote Jun 6, 2012 at 9:53 PM

Can we change "Impact" on this item to high? This pretty much makes this part of the library completely unusable...

robstrange wrote Aug 2, 2012 at 12:04 AM

This is unacceptable. The prior version has security vulnerabilities and the new version strips out all of the HTML. This thread is going on 8 months and there still isn't a resolution or updated patch.

version 3 and 4 vulnerabilities:

brentonw wrote Aug 7, 2012 at 8:00 AM

I've reached out the the project coordinator several times with no response. I also reached out to ScottGu at Microsoft who put me in touch with some folks on his team. I exchanged a few emails with them, however, they did not have an update as to when this would be fixed. Perhaps if more people voice their concern directly to Microsoft someone will address this.

Tyrven wrote Jan 30, 2013 at 5:59 PM

This issue has been open for over a year without acknowledgement from the contributors. I'm assuming it won't be addressed. Given this, I'm curious what approach folks are using to accomplish similar behavior? Has anyone implemented alternate libraries or approaches with much success?

(Still blows my mind that this hasn't been addressed - AntiXss, RIP?)

timwilson wrote Jan 30, 2013 at 7:48 PM

Tyrven, we had to go back to an older version... if you do have a different solution please post here. Thanks.

dvdrom000 wrote May 8, 2013 at 9:57 PM

The problem is still there, crazy

sdeibrloe wrote May 31, 2013 at 9:17 PM


jjorczak wrote Jun 26, 2013 at 1:25 PM

I just installed version 4.2.1 from Nuget and it has the same issue. <strong> tags are stripped.

yougotiger wrote Nov 17, 2014 at 9:40 PM

Just tested with the version now offered and the same problem exists, it strips nearly all HTML out of the string. This is undesirable in the extreme, I will be rolling back to our previous version.