Options

Sanitizing Options

HtmlSanitizer has a few flags that can be set to affect how the input string is parsed:

Name	Description	Default
KeepChildNodes	If true, child nodes of elements that are removed will be kept.	false
AllowDataAttributes	If true, all HTML5 data attributes (attributes prefixed with data-) are allowed.	false

Default values allowed by HtmlSanitizer:

HtmlSanitizer works by whitelisting the content it allows, rather than looking for specific exploits.

Allowed Tags

The following HTML elements are allowed by default:

a	abbr	acronym	address	area	article
aside	b	bdi	big	blockquote	br
button	caption	center	cite	code	col
colgroup	data	datalist	dd	del	details
dfn	dir	div	dl	dt	em
fieldset	figcaption	figure	font	footer	form
h1	h2	h3	h4	h5	h6
header	hr	i	img	input	ins
kbd	keygen	label	legend	li	main
map	mark	menu	menuitem	meter	nav
ol	optgroup	option	output	p	pre
progress	q	rp	rt	ruby	s
samp	section	select	small	span	strike
strong	sub	summary	sup	table	tbody
td	textarea	tfoot	th	thead	time
tr	tt	u	ul	var	wbr

Allowed Attributes

The following attributes are allowed by default:

abbr	accept	accept-charset	accesskey	action
align	alt	autocomplete	autosave	axis
bgcolor	border	cellpadding	cellspacing	challenge
char	charoff	charset	checked	cite
clear	color	cols	colspan	compact
contenteditable	coords	datetime	dir	disabled
draggable	dropzone	enctype	for	frame
headers	height	high	href	hreflang
hspace	ismap	keytype	label	lang
list	longdesc	low	max	maxlength
media	method	min	multiple	name
nohref	noshade	novalidate	nowrap	open
optimum	pattern	placeholder	prompt	pubdate
radiogroup	readonly	rel	required	rev
reversed	rows	rowspan	rules	scope
selected	shape	size	span	spellcheck
src	start

Note: to prevent classjacking and interference with classes where the sanitized fragment is to be integrated, the class attribute is not in the whitelist by default. It can be added as follows:

var sanitizer = new HtmlSanitizer();
sanitizer.AllowedAttributes.Add("class");
var sanitized = sanitizer.Sanitize(html);

Allowed CSS properties

The following properties are allowed when using a style attribute:

background	background-attachment	background-color	background-image
background-position	background-repeat	border	border-bottom
border-bottom-color	border-bottom-style	border-bottom-width	border-collapse
border-color	border-left	border-left-color	border-left-style
border-left-width	border-right	border-right-color	border-right-style
border-right-width	border-spacing	border-style	border-top
border-top-color	border-top-style	border-top-width	border-width
bottom	caption-side	clear	clip
color	content	counter-increment	counter-reset
cursor	direction	display	empty-cells
float	font	font-family	font-size
font-style	font-variant	font-weight	height
left	letter-spacing	line-height	list-style
list-style-image	list-style-position	list-style-type	margin
margin-bottom	margin-left	margin-right	margin-top
max-height	max-width	min-height	min-width
opacity	orphans	outline	outline-color
outline-style	outline-width	overflow	padding
padding-bottom	padding-left	padding-right	padding-top
page-break-after	page-break-before	page-break-inside	quotes
right	table-layout	text-align	text-decoration
text-indent	text-transform	top	unicode-bidi
vertical-align	visibility	white-space	widows
width	word-spacing	z-index

Allowed CSS at-rules

namespace, style

style refers to style declarations within other at-rules such as @media. Disallowing @namespace while allowing other types of at-rules can lead to errors. Property declarations in @font-face and @viewport are not sanitized.

Note: the style tag is disallowed by default.

Allowed URI schemes

http, https

Note: Protocol-relative URLs (e.g. //github.com) are allowed by default (as are other relative URLs).

to allow mailto: links:

sanitizer.AllowedSchemes.Add("mailto");

Allowed attributes that contain URIs

action, background, dynsrc, href, lowsrc, src