GetSafeHtmlFragment CSS class renaming

Sep 16, 2010 at 3:42 PM

I am using WPL and invoking GetSafeHtmlFragment, and I noticed that the names of CSS classes referenced in HTML code are being prefixed with an "x_" string.


Input string:
<span class='highlightTerm'>bla bla bla</span>

Output string after calling GetSafeHtmlFragment:
<span class="x_highlightTerm">bla bla bla</span>

Does anyone know if this behavior is expected? If so, is there any way around it to disable this renaming?



Sep 16, 2010 at 3:47 PM

Yes, it's expected. No, there's currently no way to disable it without compiling your own version.

Oct 3, 2010 at 3:45 AM


I was following the same topic on this thread:

My question is, are there other sections (I mean by this attributes, HTML tags, and so forth) that are affected by this change?

I have not tested the sanitization much, but I am wondering if there is some information where I can see changes like this to existing HTML.

In my case, we have customers who create their own HTML with class names, so our job here is to sanitize the HTML whenever a possible XSS is found. But we may encounter some problems if, for example, someone enters class="test"; then it will become class="x_test".



Oct 4, 2010 at 6:28 PM

Like I said, known tags and attributes should not be prefixed, but there's no way to configure the behaviour yet.

Mar 30, 2011 at 12:14 PM

Is there any documentation as to why those attributes are prefixed?

I've found prefixes appearing on 'class', 'name' and 'id' attribute values and for 'href="#name"'. And when you encode it again (re-editing a stored, sanitized version), an extra "x_" is added. This is a killer for a site where visitors can edit texts through a WYSIWYG editor.
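A Python model of the renaming reported in this thread, added here as an example; it is not WPL code and does not call GetSafeHtmlFragment. It prefixes the attribute values the posters observed (class, id, name, and the fragment of href="#..."), which is what keeps untrusted markup from addressing the host page's own ids and classes, and shows why re-sanitizing stored, already-sanitized markup yields x_x_ values while an idempotent pass does not. Per-token prefixing of multi-value attributes and the exact attribute matching are assumptions.

```python
import re

# Behaviour reported in the thread: values of class, id and name, and the
# fragment in href="#...", come back prefixed with "x_". The prefix keeps
# untrusted markup from addressing the host page's own ids/classes/anchors.
PREFIX = "x_"
# (?<![\w-]) stops data-id= or valid= from matching (assumption, not WPL's rule).
ATTR_RE = re.compile(r'(?<![\w-])(class|id|name)=(["\'])(.*?)\2', re.I)
HREF_FRAG_RE = re.compile(r'(?<![\w-])href=(["\'])#([^"\']*)\1', re.I)


def prefix_tokens(value, idempotent):
    """Prefix each whitespace-separated token: class="a b" -> "x_a x_b".
    Per-token handling is an assumption; the thread only shows single values."""
    out = []
    for tok in value.split():
        if idempotent and tok.startswith(PREFIX):
            out.append(tok)            # already namespaced: leave it alone
        else:
            out.append(PREFIX + tok)
    return " ".join(out)


def namespace_fragment(html, idempotent=False):
    """Model of the renaming. idempotent=False reproduces the reported
    behaviour: feeding sanitized output back in yields x_x_... values."""
    def attr_sub(m):
        return f'{m.group(1)}="{prefix_tokens(m.group(3), idempotent)}"'

    def href_sub(m):
        return f'href="#{prefix_tokens(m.group(2), idempotent)}"'

    return HREF_FRAG_RE.sub(href_sub, ATTR_RE.sub(attr_sub, html))


def double_pass_diverges(html):
    """True when a second pass changes already-sanitized markup, i.e. the
    store-then-re-edit round trip the last poster describes corrupts it."""
    once = namespace_fragment(html)
    return namespace_fragment(once) != once


if __name__ == "__main__":
    # Constructed samples mirroring the thread's input (single-quoted class).
    sample = "<span class='highlightTerm'>bla bla bla</span>"
    print(namespace_fragment(sample))   # <span class="x_highlightTerm">bla bla bla</span>
    link = '<a id="top" href="#top">top</a>'
    once = namespace_fragment(link)
    print(once)                         # <a id="x_top" href="#x_top">top</a>
    print(namespace_fragment(once))     # <a id="x_x_top" href="#x_x_top">top</a>
    print(double_pass_diverges(link))   # True
    print(namespace_fragment(once, idempotent=True) == once)  # True
```

The practical takeaway is to keep the customer's raw HTML as the stored copy and sanitize on output, or make the pass idempotent, rather than sanitizing sanitized text again.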