Comments on: An html sanitizer for C# http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/ think upstream Thu, 26 Jan 2012 17:19:31 +0000 hourly 1 http://wordpress.com/ By: Roberto Bicchierai http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/#comment-429 Thu, 10 Nov 2011 09:27:02 +0000 http://rbicchierai.wordpress.com/?p=442#comment-429 Done.
thanks for remind me it!

]]> By: kibria http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/#comment-428 Thu, 10 Nov 2011 08:27:35 +0000 http://rbicchierai.wordpress.com/?p=442#comment-428 Thanks a lot for sharing your code.
Please update the C# source file as fixed by Isaiah.

]]> By: Eric Lebetsamer http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/#comment-364 Sun, 05 Dec 2010 12:04:36 +0000 http://rbicchierai.wordpress.com/?p=442#comment-364 Thanks for the fixes Isaiah.

]]> By: Isaiah http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/#comment-336 Thu, 23 Sep 2010 17:13:04 +0000 http://rbicchierai.wordpress.com/?p=442#comment-336 Another correction (sorry):
buffer.Append(source.Substring(oldPos, search.Length)); is wrong, it should read

buffer.Append(source.Substring(oldPos, pos – oldPos));

]]> By: Isaiah http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/#comment-335 Thu, 23 Sep 2010 17:08:53 +0000 http://rbicchierai.wordpress.com/?p=442#comment-335 Correction: Bug #2 is ONLY in the C# code. The substring function in C# takes params start position, length, versus the one in java, which takes start position, end position.

]]> By: Isaiah http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/#comment-334 Thu, 23 Sep 2010 16:22:37 +0000 http://rbicchierai.wordpress.com/?p=442#comment-334 I found a couple bugs, present in both the java and C# versions:

1. Self-closed tags were being converted to a pair of tags;
test case: <param/><param/> becomes <param><param></param></param>

2. Incorrect index in the replaceAllNoRegex function;
buffer.Append(source.Substring(oldPos, pos));
should be
buffer.Append(source.Substring(oldPos, search.Length));

Here is a patch for the C#:

--- HtmlSanitizer.orig.cs	Thu Sep 23 12:17:54 2010
+++ HtmlSanitizer.new.cs	Thu Sep 23 12:18:03 2010
@@ -302,7 +302,10 @@

                             cleanToken = cleanToken + " " + attr + "=\"" + val + "\"";
                         }
-                        cleanToken = cleanToken + ">";
+                        if (selfClosed.Match(token).Success)
+                            cleanToken = cleanToken + "/>";
+                        else
+                            cleanToken = cleanToken + ">";

                         isAcceptedToken = true;

@@ -316,7 +319,7 @@
                         token = cleanToken;

                         // push the tag if require closure and it is accepted (otherwise is encoded)
-                        if (isAcceptedToken && !(standAloneTags.Match(tag).Success || selfClosed.Match(tag).Success))
+                        if (isAcceptedToken && !(standAloneTags.Match(tag).Success || selfClosed.Match(token).Success))
                             openTags.Push(tag);

                         // --------------------------------------------------------------------------------  UNKNOWN TAG
@@ -601,7 +604,7 @@
                 int oldPos, pos;
                 for (oldPos = 0, pos = source.IndexOf(search, oldPos); pos != -1; oldPos = pos + search.Length, pos = source.IndexOf(search, oldPos))
                 {
-                    buffer.Append(source.Substring(oldPos, pos));
+                    buffer.Append(source.Substring(oldPos, search.Length));
                     buffer.Append(replace);
                 }
                 if (oldPos < source.Length)
]]> By: Sal http://roberto.open-lab.com/2010/03/04/a-html-sanitizer-for-c/#comment-308 Thu, 12 Aug 2010 08:28:09 +0000 http://rbicchierai.wordpress.com/?p=442#comment-308 Ciao Roberto, complimenti per il codice, volevo segnalarti una cosa … ho provato a copiare un testo proveniente da word (altro annoso problema) e ho notato che il codice lasciava un tag di chiusura del tipo o:p.

Saluti

]]>