From 0163c88ddeaca39815d7e6e5ea1c8391085cc136 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?S=C3=A9bastien=20Ros?=
Date: Thu, 19 May 2022 10:51:33 -0700
Subject: [PATCH] Remove form tag from allowed tags during sanitization (#11729)
---
 .../Html/OrchardCoreBuilderExtensions.cs | 1 +
 src/docs/reference/core/Sanitizer/README.md | 12 ++++++++++--
 2 files changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/OrchardCore/OrchardCore.Infrastructure/Html/OrchardCoreBuilderExtensions.cs b/src/OrchardCore/OrchardCore.Infrastructure/Html/OrchardCoreBuilderExtensions.cs
index 010975f9f1a..35ef302e2c5 100644
--- a/src/OrchardCore/OrchardCore.Infrastructure/Html/OrchardCoreBuilderExtensions.cs
+++ b/src/OrchardCore/OrchardCore.Infrastructure/Html/OrchardCoreBuilderExtensions.cs
@@ -17,6 +17,7 @@ public static OrchardCoreBuilder AddHtmlSanitizer(this OrchardCoreBuilder builde
 services.ConfigureHtmlSanitizer((sanitizer) =>
 {
 sanitizer.AllowedAttributes.Add("class");
+sanitizer.AllowedTags.Remove("form");
 });
 services.AddSingleton();
diff --git a/src/docs/reference/core/Sanitizer/README.md b/src/docs/reference/core/Sanitizer/README.md
index 6b18d5a0d42..f334ac17352 100644
--- a/src/docs/reference/core/Sanitizer/README.md
+++ b/src/docs/reference/core/Sanitizer/README.md
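Review bot: Removing only `form` from AllowedTags leaves the form controls themselves (input, button, select, textarea) and their form-association attributes governed by the library defaults that the README hunk links to, so if those remain allowed, sanitized markup can still carry interactive controls; that residual exposure should be decided explicitly in this same configure callback rather than inherited silently from the defaults. The added line also records no rationale, and the commit title only states what is removed; a comment such as `// User-supplied <form> elements are never kept in sanitized HTML (#11729).` on the new line would preserve the intent for whoever next tunes these defaults. AddHtmlSanitizer's body starts before and ends after this hunk, and the `services.AddSingleton();` context line appears to have lost its type arguments in extraction.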
@@ -18,13 +18,21 @@ It is used by default for the following parts and fields:
 `@Orchard.SanitizeHtml((string)Model.ContentItem.HtmlBodyPart.Html);`
+
+## Defaults configuration
+
+The elements sanitized by default are listed on this page: https://github.com/mganss/HtmlSanitizer#tags-allowed-by-default
+
+Orchard Core changes these defaults by:
+
+- allowing the attribute `class`
+- removing the tag `form`
+
 ## Configuring the Sanitizer
 The sanitizer is configurable using `IOptions` during service registration with a configuration extension method `ConfigureHtmlSanitizer`.
-By default it allows css classes, but can be configured to accept other attributes.
-
 You may call this extension method multiple times during the startup pipeline to alter configurations.
 ```csharp