How do I configure the default options, and remove some tags globally?

[aathar]

Hello
I can not get this to work. I am trying to inject the default options and only remove certain tags and attributes. For example, I am OK with all the default attributes except "href" how do I remove it globally through startup.cs?

`     public void ConfigureServices(IServiceCollection services)
        {
           services.Configure<HtmlSanitizerOptions>(options =>
            {
                options.AllowedTags.Remove("a");
                options.AllowedAttributes.Remove("href");
            });
            // Services
            services.AddSingleton<IHtmlSanitizer, HtmlSanitizer>(); `

This is not removing the "a" and "href" from the list of attributes and tags.

I simply want to configure it in startup.cs and use the same options globally across my application.

Can someone please help

[tiesont]

Assuming you're using the most current released version (7.1.542), something like this works:

services.AddSingleton<Ganss.XSS.IHtmlSanitizer, Ganss.XSS.HtmlSanitizer>(m =>
{
    var options = new Ganss.XSS.HtmlSanitizerOptions
    {
        AllowedTags = Ganss.XSS.HtmlSanitizer.DefaultAllowedTags,
        AllowedAttributes = Gans.XSS.HtmlSanitizer.DefaultAllowedAttributes
    };

    options.AllowedTags.Remove("a");
    options.AllowedAttributes.Remove("href");

    var sanitizer = new Ganss.XSS.HtmlSanitizer(options);
    return sanitizer;
});

Note that the options instance created above would only have the AllowedTags and AllowedAttributes populated - everything else will be empty, as the HtmlSanitizerOptions type does not initialize any values to their defaults. This is also a bit more verbose than it needs to be, to make it a bit easy to inspect with the debugger.

[mganss]

The PR has been merged and will be in 8.0. Currently, to remove a set of tags from the default set you can also do:

var options = new HtmlSanitizerOptions
{
    AllowedTags = HtmlSanitizer.DefaultAllowedTags.Except(new[] { "a", "u", "i" }).ToHashSet(),
};

[tiesont]

I always forget about Except 😆

[tiesont]

Just as a follow-up, the above options code would look like this in v8:

var options = new HtmlSanitizerOptions
{
    AllowedTags = HtmlSanitizerDefaults.AllowedTags.Except(new[] { "a", "u", "i" }).ToHashSet(),
};

@mganss Would it be worth revisiting the wiki? Think I was the last updater on most of those entries, and they're from 2018.

[mganss]

@tiesont Sure. Would you like to tackle this? IIRC we had talked about generating the API docs automatically. Perhaps we could just link to FuGet instead?

[tiesont]

Fuget works as an API explorer, sure. I like that idea. Not sure how it'd work for the other entries.