Skip to content

Commit

Permalink
Remove form tag from allowed tags during sanitization (OrchardCMS#11729)
Browse files Browse the repository at this point in the history
  • Loading branch information
sebastienros authored May 19, 2022
1 parent 4b4a06e commit 0163c88
Show file tree
Hide file tree
Showing 2 changed files with 11 additions and 2 deletions.
Original file line number Diff line number Diff line change
Expand Up @@ -17,6 +17,7 @@ public static OrchardCoreBuilder AddHtmlSanitizer(this OrchardCoreBuilder builde
services.ConfigureHtmlSanitizer((sanitizer) =>
{
sanitizer.AllowedAttributes.Add("class");
sanitizer.AllowedTags.Remove("form");
});

services.AddSingleton<IHtmlSanitizerService, HtmlSanitizerService>();
Expand Down
12 changes: 10 additions & 2 deletions src/docs/reference/core/Sanitizer/README.md
Original file line number Diff line number Diff line change
Expand Up @@ -18,13 +18,21 @@ It is used by default for the following parts and fields:

`@Orchard.SanitizeHtml((string)Model.ContentItem.HtmlBodyPart.Html);`


## Defaults configuration

The elements sanitized by default are listed on this page: https://github.com/mganss/HtmlSanitizer#tags-allowed-by-default

Orchard Core changes these defaults by:

- allowing the attribute `class`
- removing the tag `form`

## Configuring the Sanitizer

The sanitizer is configurable using `IOptions<HtmlSanitizerOptions>` during service registration with a configuration
extension method `ConfigureHtmlSanitizer`.

By default it allows css classes, but can be configured to accept other attributes.

You may call this extension method multiple times during the startup pipeline to alter configurations.

```csharp
Expand Down

0 comments on commit 0163c88

Please sign in to comment.