Merge pull request #516 from jerriep/allow-overriding-literal-text-element-encoding

mganss · web-flow · commit ca23c697a9b0 · 2023-12-20T13:33:37.000+01:00
Allows the user to override literal text element content encoding
diff --git a/src/HtmlSanitizer/HtmlSanitizer.cs b/src/HtmlSanitizer/HtmlSanitizer.cs
@@ -99,6 +99,11 @@ public HtmlSanitizer(HtmlSanitizerOptions options)
             AllowedAtRules = new HashSet<CssRuleType>(options.AllowedAtRules);
         }
 
+        /// <summary>
+        /// Gets or sets the default <see cref="Action{IElement}"/> method that encodes literal text content.
+        /// </summary>
+        public Action<IElement> EncodeLiteralTextElementContent { get; set; } = DefaultEncodeLiteralTextElementContent;
+
         /// <summary>
         /// Gets or sets the default value indicating whether to keep child nodes of elements that are removed. Default is false.
         /// </summary>
@@ -465,6 +470,15 @@ private void RemoveComments(INode context)
             }
         }
 
+        private static void DefaultEncodeLiteralTextElementContent(IElement tag)
+        {
+            var escapedHtml = tag.InnerHtml.Replace("<", "&lt;").Replace(">", "&gt;");
+            if (escapedHtml != tag.InnerHtml)
+                tag.InnerHtml = escapedHtml;
+            if (tag.InnerHtml != escapedHtml) // setting InnerHtml does not work for noscript
+                tag.SetInnerText(escapedHtml);
+        }
+
         private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
         {
             // remove disallowed tags
@@ -479,11 +493,7 @@ private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl =
                     && t.Flags.HasFlag(NodeFlags.LiteralText)
                     && !string.IsNullOrWhiteSpace(t.InnerHtml)))
             {
-                var escapedHtml = tag.InnerHtml.Replace("<", "&lt;").Replace(">", "&gt;");
-                if (escapedHtml != tag.InnerHtml)
-                    tag.InnerHtml = escapedHtml;
-                if (tag.InnerHtml != escapedHtml) // setting InnerHtml does not work for noscript
-                    tag.SetInnerText(escapedHtml);
+                EncodeLiteralTextElementContent(tag);
             }
 
             SanitizeStyleSheets(dom, baseUrl);
diff --git a/test/HtmlSanitizer.Tests/Tests.cs b/test/HtmlSanitizer.Tests/Tests.cs
@@ -3553,6 +3553,21 @@ public void Bypass4Test()
         Assert.Equal(expected, sanitized);
     }
 
+    [Fact]
+    public void OverrideLiteralTextElementContentEncoderTest()
+    {
+        var sanitizer = new HtmlSanitizer();
+        sanitizer.AllowedTags.Add("script");
+        sanitizer.EncodeLiteralTextElementContent = (e) =>
+        {
+            // Do nothing - we do not want to encode the custom element inside the <script> element
+        };
+        var bypass = @"<script><custom-element>abc</custom-element></script>";
+        var sanitized = sanitizer.Sanitize(bypass);
+        var expected = @"<script><custom-element>abc</custom-element></script>";
+        Assert.Equal(expected, sanitized);
+    }
+
     [Fact]
     public void InlineCssTest()
     {
