I'm stuck on deciding how I should proceed with Markdown processing and HTML sanitizing. I have these user requirements for comments/articles:
I even submitted a fix to the markdig library to support yandex.music in media extensions. But now I'm stuck. Here are the options I have explored:
I configured Markdig to convert youtube/yandex.music to iframes, then sanitize with HtmlRuleSanitizer. HtmlRuleSanitizer doesn't have an option to allow iframes only for whitelisted domains, so it will either strip out youtube.com or allow evilsite.com. I submitted a suggestion but haven't received any answer.
As far as I can understand, that will allow all kinds of XSS attacks, because the Markdown-to-HTML transform is inherently unsafe.
According to the same article, that's not safe either.
This sanitizer has appropriate hooks (post-process node), but I'm worried about the support of this library, and especially of its main dependency, AngleSharp (it has actively reproducible crashes, and seems to be in active development without providing a stable API, so HtmlSanitizer seems to have a hard time keeping up).
So, any suggestions on how I could achieve this goal? I refuse to believe that I'm the only one with this issue, and I do hope it should be solvable with existing libraries in .NET. I'm ready to contribute some feature upstream, if required, but I am not ready to fork anything. :-)
This is solved by additions to HtmlRuleSanitizer, specifically by the addition of the IHtmlAttributeSanitizer interface and the SanitizeAttributes method.
See the example here: https://github.com/leotsarev/joinrpg-net/blob/88df35fedc5cee73067e9fec9e850cb02826c576/src/JoinRpg.Markdown/HtmlSanitizers.cs#L45
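As an added illustration of the approach the answer describes (this is example code written for this page, not the code from the linked joinrpg-net file or from HtmlRuleSanitizer itself), the following shows the part that actually decides whether an iframe `src` may survive sanitizing: a whitelist check on the parsed URL rather than a substring match. The class names `IframeSourceWhitelist` and `IframeSrcAttributeSanitizer`, the host list, and the sample inputs are all constructed for the example. The hookup at the bottom assumes that HtmlRuleSanitizer's `IHtmlAttributeSanitizer` exposes a method taking an HtmlAgilityPack `HtmlAttribute` and the tag rule and returning a `SanitizerOperation`; confirm the exact signature against the library version you use before compiling.

```csharp
using System;
using System.Linq;
using HtmlAgilityPack;   // HtmlRuleSanitizer builds on the Html Agility Pack
using Vereyon.Web;       // HtmlSanitizer, HtmlSanitizerTagRule, IHtmlAttributeSanitizer, SanitizerOperation

// Decides whether a URL is acceptable as an iframe src. Kept free of any
// sanitizer-library types so it can be unit-tested on plain strings.
public static class IframeSourceWhitelist
{
    // Constructed list of embed hosts; extend with the players you actually use.
    public static readonly string[] AllowedEmbedHosts =
    {
        "www.youtube.com",
        "www.youtube-nocookie.com",
        "music.yandex.ru",
    };

    // True only for an absolute https URL whose host is exactly one of the
    // allowed hosts. Relative URLs, javascript:/data:/http: schemes and
    // look-alike hosts (youtube.com.evil.example, evil-youtube.com) are rejected.
    public static bool IsAllowedEmbedSource(string? src)
    {
        if (string.IsNullOrWhiteSpace(src))
            return false;

        if (!Uri.TryCreate(src.Trim(), UriKind.Absolute, out var uri))
            return false;

        if (!string.Equals(uri.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase))
            return false;

        // Uri.Host already discards userinfo, so "https://www.youtube.com@evil.example/"
        // is parsed with host "evil.example" and fails the comparison below.
        return AllowedEmbedHosts.Any(host =>
            string.Equals(host, uri.Host, StringComparison.OrdinalIgnoreCase));
    }
}

// Assumed shape of the HtmlRuleSanitizer hook named in the answer. If the src
// is not whitelisted the whole iframe is removed, not just the attribute, since
// an iframe with no src is useless and an attacker-controlled one is dangerous.
public sealed class IframeSrcAttributeSanitizer : IHtmlAttributeSanitizer
{
    public SanitizerOperation SanitizeAttribute(HtmlAttribute attribute, HtmlSanitizerTagRule tagRule)
    {
        return IframeSourceWhitelist.IsAllowedEmbedSource(attribute.Value)
            ? SanitizerOperation.DoNothing
            : SanitizerOperation.RemoveTag;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed inputs covering the cases the whitelist must get right.
        string[] samples =
        {
            "https://www.youtube.com/embed/VIDEO_ID",        // allowed
            "https://music.yandex.ru/iframe/#track/1/2",     // allowed
            "http://www.youtube.com/embed/VIDEO_ID",         // rejected: not https
            "https://www.youtube.com.evil.example/embed/x",  // rejected: look-alike host
            "https://www.youtube.com@evil.example/embed/x",  // rejected: userinfo trick
            "javascript:alert(1)",                           // rejected: wrong scheme
            "/embed/relative",                               // rejected: not absolute
        };

        foreach (var s in samples)
            Console.WriteLine($"{IframeSourceWhitelist.IsAllowedEmbedSource(s),-5} {s}");

        // Wiring into HtmlRuleSanitizer (assumed API; SanitizeAttributes is the
        // method the answer names). Everything not explicitly allowed is still stripped.
        var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
        sanitizer.Tag("iframe")
                 .SanitizeAttributes("src", new IframeSrcAttributeSanitizer())
                 .AllowAttributes("width height allowfullscreen");

        Console.WriteLine(sanitizer.Sanitize(
            "<p>ok</p><iframe src=\"https://www.youtube.com/embed/VIDEO_ID\"></iframe>" +
            "<iframe src=\"https://evil.example/\"></iframe>"));
    }
}
```

The design point is that the decision is made on `Uri.Host` after parsing, compared for exact equality against a short list, so none of the usual string tricks (prefix or suffix look-alikes, embedded credentials, case changes, non-https schemes) can slip a foreign origin into an iframe. Only the `src` attribute is delegated to the custom sanitizer; the remaining iframe attributes stay under the library's normal allow-list rules.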