GetSafeHtml & GetSafeHtmlFragment

Sep 17, 2009 at 12:40 PM

What the difference between the 2 methods? In wich case should I use one or the other?

I haven't seen any detailed explanation for now, and the only info was here:

but a little "short".. :)




Sep 21, 2009 at 5:34 PM


GetSafeHtml and GetSafeHtmlFragments both serve the same purpose of stripping of malicious scripts from HTML. GetSafeHtml must be used on entire documents, if a simple fragment such as <a>test</a> is passed, then <html> and <body> tags are automatically added. GetSafeHtmlFragment must be used to sanitize fragments of HTML, such as <a>test</a>.

Hope this helps.


Sep 26, 2010 at 3:20 PM


I am currently testing the library 3.1, and I noticed the following difference, apart of adding the <html><body> tags for GetSafeHtml.


If I have the following html:


this is a test

<br />

<div class="dunno">


The output using GetSafeHtmlFragment is as follows:


this is a test
<div>dasdaasd </div>
dasdasdasd dasdasd <br>
<div class="x_dunno">aomething </div>


See the extra "x_" coming? Is this correct? If so, Could you please expand this for other cases?


Cheers, Martin

Sep 26, 2010 at 10:27 PM

Yes - this is correct. Because we can't vouch what what styles are safe, and which could, for example, hide text, or move a flash object over a link causing a click jack attack all class names get prefixed.

Sep 27, 2010 at 12:06 AM


Thanks for your prompt reply.

So you suggest to use the GetSafeHtml in order to have the same class name, without alterations, right?

If there are other solutions you can think of, will be much appreciated.


Regards, Martin

Sep 29, 2010 at 4:50 PM

I'm a bit shocked GetSafeHtml doesn't prefix to be honest; but if it works for you that way then that's the only way to do it, until I get some time to actually examine the sanitizer in greater detail and see what I can do to make it more flexible.