Search code examples
c#anglesharp

Inserting Custom Element with AngleSharp

I'm trying to update a site that uses an sanitizer based on AngleSharp to process user-generated HTML content. The site users need to be able to embed iframes, and I am trying to use a whitelist to control what domains the frame can load. I'd like to rewrite the 'blocked' iframes to a new custom element "blocked-iframe" that will then be stripped out by the sanitizer, so we can review if other domains need to be added to the whitelist.

I'm trying to use a solution based on this answer: https://stackoverflow.com/a/55276825/794

It looks like so:

    string BlockIFrames(string content)
    {
        var parser = new HtmlParser(new HtmlParserOptions { });

        var doc = parser.Parse(content);

        foreach (var element in doc.QuerySelectorAll("iframe"))
        {
            var src = element.GetAttribute("src");

            if (string.IsNullOrEmpty(src) || !Settings.Sanitization.IFrameWhitelist.Any(wls => src.StartsWith(wls)))
            {
                var newElement = doc.CreateElement("blocked-iframe");
                foreach (var attr in element.Attributes)
                {
                    newElement.SetAttribute(attr.Name, attr.Value);
                }

                element.Insert(AdjacentPosition.BeforeBegin, newElement.OuterHtml);

                element.Remove();
            }
        }

        return doc.FirstElementChild.OuterHtml;
    }

It ostensibly works but I notice that the angle brackets in the new element's tag are being escaped on insertion, so the result just gets written into the page as text. I think I could build a map of replacements and just execute them against the string before sending back but I'm wondering if theres a way to do it using AngleSharp's API. The site is using 0.9.9 currently and I'm not sure how far ahead we'll be able to update considering some of the other dependencies in play.

Solution

  • Digging around in the source I found the ReplaceChild method in INode, which works if called from the parent of element

        string BlockIFrames(string content)
    {
        var parser = new HtmlParser(new HtmlParserOptions { });

        var doc = parser.Parse(content);

        foreach (var element in doc.QuerySelectorAll("iframe"))
        {
            var src = element.GetAttribute("src");

            if (string.IsNullOrEmpty(src) ||
                !Settings.Sanitization.IFrameWhitelist.Any(wls => src.StartsWith(wls)))
            {
                var newElement = doc.CreateElement("blocked-iframe");
                foreach (var attr in element.Attributes)
                {
                    newElement.SetAttribute(attr.Name, attr.Value);
                }

                element.Parent.ReplaceChild(newElement, element);
            }
        }

        return doc.FirstElementChild.OuterHtml;
    }

    I will keep testing but this seems decent enough to me, if there is a better way I'd love to hear it.