refactor: Removed MarkupConverter and using Anglesharp-based HtmlSani…

…tizer package instead. Some broken tests from this, and downgraded Anglesharp.
roadkillwiki · Sep 22, 2016 · c719b48 · c719b48
1 parent 297f4a2
commit c719b48
Show file tree

Hide file tree

Showing 10 changed files with 120 additions and 2,681 deletions.
diff --git a/src/Roadkill.Core/Roadkill.Core.csproj b/src/Roadkill.Core/Roadkill.Core.csproj
@@ -125,8 +125,8 @@
     <Prefer32Bit>false</Prefer32Bit>
   </PropertyGroup>
   <ItemGroup>
-    <Reference Include="AngleSharp, Version=0.9.8.1, Culture=neutral, PublicKeyToken=e83494dcdc6d31ea, processorArchitecture=MSIL">
-      <HintPath>..\..\packages\AngleSharp.0.9.8.1\lib\net45\AngleSharp.dll</HintPath>
+    <Reference Include="AngleSharp, Version=0.9.7.21214, Culture=neutral, PublicKeyToken=e83494dcdc6d31ea, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\AngleSharp.0.9.7\lib\net45\AngleSharp.dll</HintPath>
       <Private>True</Private>
     </Reference>
     <Reference Include="Antlr3.Runtime, Version=3.5.0.2, Culture=neutral, PublicKeyToken=eb42632606e9261f, processorArchitecture=MSIL">
@@ -145,6 +145,10 @@
       <HintPath>..\..\packages\HtmlAgilityPack.1.4.9\lib\Net45\HtmlAgilityPack.dll</HintPath>
       <Private>True</Private>
     </Reference>
+    <Reference Include="HtmlSanitizer, Version=3.0.0.0, Culture=neutral, PublicKeyToken=61c49a1a9e79cc28, processorArchitecture=MSIL">
+      <HintPath>..\..\packages\HtmlSanitizer.3.3.132-beta\lib\net45\HtmlSanitizer.dll</HintPath>
+      <Private>True</Private>
+    </Reference>
     <Reference Include="ICSharpCode.SharpZipLib">
       <HintPath>..\..\packages\SharpZipLib.0.86.0\lib\20\ICSharpCode.SharpZipLib.dll</HintPath>
     </Reference>
@@ -533,7 +537,6 @@
     <Compile Include="Text\Sanitizer\HtmlWhiteList.cs" />
     <Compile Include="Text\Sanitizer\HtmlAttribute.cs" />
     <Compile Include="Text\Sanitizer\HtmlElement.cs" />
-    <Compile Include="Text\Sanitizer\MarkupSanitizer.cs" />
     <Compile Include="Text\ImageEventArgs.cs" />
     <Compile Include="Text\IMarkupParser.cs" />
     <Compile Include="Text\LinkEventArgs.cs" />

diff --git a/src/Roadkill.Core/Text/MarkupConverter.cs b/src/Roadkill.Core/Text/MarkupConverter.cs
@@ -1,8 +1,10 @@
 using System;
 using System.Collections.Generic;
 using System.Linq;
+using System.Runtime.Caching;
 using System.Web;
 using System.Text.RegularExpressions;
+using Ganss.XSS;
 using Roadkill.Core.Configuration;
 using Roadkill.Core.Text.Sanitizer;
 using Roadkill.Core.Database;
@@ -293,13 +295,64 @@ private string RemoveHarmfulTags(string html)
 		{
 			if (_applicationSettings.UseHtmlWhiteList)
 			{
-				MarkupSanitizer sanitizer = new MarkupSanitizer(_applicationSettings, true, false, true);
-				return sanitizer.SanitizeHtml(html);
+				HtmlWhiteList htmlWhiteList = GetCachedWhiteList();
+				string[] allowedTags = htmlWhiteList.ElementWhiteList.Select(x => x.Name).ToArray();
+				string[] allowedAttributes = htmlWhiteList.ElementWhiteList.SelectMany(x => x.AllowedAttributes.Select(y => y.Name)).ToArray();
+
+				if (allowedTags.Length == 0)
+					allowedTags = null;
+
+				if (allowedAttributes.Length == 0)
+					allowedAttributes = null;
+
+				var sanitizer = new HtmlSanitizer(allowedTags, null, allowedAttributes);
+				sanitizer.AllowDataAttributes = false;
+				sanitizer.AllowedAttributes.Add("class");
+				sanitizer.AllowedAttributes.Add("id");
+				sanitizer.AllowedSchemes.Add("mailto");
+				sanitizer.RemovingAttribute += Sanitizer_RemovingAttribute;
+
+				return sanitizer.Sanitize(html);
 			}
 			else
 			{
 				return html;
 			}
 		}
+
+		private void Sanitizer_RemovingAttribute(object sender, RemovingAttributeEventArgs e)
+		{
+			// Don't clean /wiki/Special:Tag urls in href="" attributes
+			if (e.Attribute.Name.ToLower() == "href" && e.Attribute.Value.Contains("Special:"))
+			{
+				e.Cancel = true;
+			}
+		}
+
+		private string _cacheKey = "whitelist";
+		internal static MemoryCache _memoryCache = new MemoryCache("MarkupSanitizer");
+
+		/// <summary>
+		/// Changes the key name used for the cache'd version of the HtmlWhiteList object.
+		/// </summary>
+		/// <param name="key"></param>
+		public void SetWhiteListCacheKey(string key)
+		{
+			_memoryCache.Remove(_cacheKey);
+			_cacheKey = key;
+		}
+
+		private HtmlWhiteList GetCachedWhiteList()
+		{
+			HtmlWhiteList whiteList = _memoryCache.Get(_cacheKey) as HtmlWhiteList;
+
+			if (whiteList == null)
+			{
+				whiteList = HtmlWhiteList.Deserialize(_applicationSettings);
+				_memoryCache.Add(_cacheKey, whiteList, new CacheItemPolicy());
+			}
+
+			return whiteList;
+		}
 	}
 }
diff --git a/src/Roadkill.Core/Text/Sanitizer/MarkupSanitizer.cs b/src/Roadkill.Core/Text/Sanitizer/MarkupSanitizer.cs