Blazor sanitize MarkupString


Problem description


I'm trying to sanitize the content of a MarkupString. Actually I created this (based on https://github.com/dotnet/aspnetcore/blob/574be0d22c1678ed5f6db990aec78b4db587b267/src/Components/Components/src/MarkupString.cs)

public struct MarkupStringSanitized
{
    public MarkupStringSanitized(string value)
    {
        Value = value.Sanitize();
    }

    public string Value { get; }

    public static explicit operator MarkupStringSanitized(string value) => new MarkupStringSanitized(value);

    public override string ToString() => Value ?? string.Empty;
}

But the rendered output isn't raw HTML. How should I implement MarkupStringSanitized to use

@((MarkupStringSanitized)"Sanitize this content")

Solution

Couple of suggestions (Not necessarily for OP, but for anyone else looking to solve the problem):

  • You didn't provide the code that does the actual sanitization, so I'm going to state the (hopefully) obvious best practice and if you're following it, great. Do not use Regular Expressions (Regex) to parse HTML.
  • Also, the Sanitize() method should follow the pattern of immutability in this case.
  • I would suggest the following library, Ganss.XSS.HtmlSanitizer, which is an active library and updated regularly.

The problem

Razor View Engine doesn't know how to render a MarkupStringSanitized. Just because you duck-typed a sanitized version of the same struct doesn't mean it can render it. To get this to render, you'll need to cast it to something it does know, MarkupString.

Here's what happens when I used your HtmlSanitizedMarkup directly with no modifications.

@((MarkupStringSanitized)Content)

Working Example #1

Here's an example using my Markdown -> Html playground (fully tested and working):

MarkupStringSanitized.cs

using Ganss.XSS;                          // HtmlSanitizer
using Microsoft.AspNetCore.Components;    // MarkupString

public struct MarkupStringSanitized
{
    public MarkupStringSanitized(string value)
    {
        Value = Sanitize(value);
    }

    public string Value { get; }

    public static explicit operator MarkupStringSanitized(string value) => new MarkupStringSanitized(value);

    // Razor only renders MarkupString as raw HTML, so expose a conversion to it.
    public static explicit operator MarkupString(MarkupStringSanitized value) => new MarkupString(value.Value);

    public override string ToString() => Value ?? string.Empty;

    private static string Sanitize(string value)
    {
        var sanitizer = new HtmlSanitizer();
        return sanitizer.Sanitize(value);
    }
}

MarkupStringSanitizedComponent.razor

@if (Content == null)
{
    <span>Loading...</span>
}
else
{
    @((MarkupString)(MarkupStringSanitized)Content)
}

@code {
    [Parameter] public string Content { get; set; }
}

That extra conversion though is ugly IMO. (maybe someone smarter than me can clean that up?)

Working example #2

Here I tried extending the MarkupString with an extension method. It looks a little better, but only a little.

MarkupStringExtensions.cs

using Ganss.XSS;                          // HtmlSanitizer
using Microsoft.AspNetCore.Components;    // MarkupString

public static class MarkupStringExtensions
{
    // Returns a new MarkupString; the input is left untouched (immutable pattern).
    public static MarkupString Sanitize(this MarkupString markupString)
    {
        return new MarkupString(SanitizeInput(markupString.Value));
    }

    private static string SanitizeInput(string value)
    {
        var sanitizer = new HtmlSanitizer();
        return sanitizer.Sanitize(value);
    }
}

MarkupStringSanitizedComponent.razor

@if (Content == null)
{
    <span>Loading...</span>
}
else
{
    @(((MarkupString)Content).Sanitize())
}

@code {
    [Parameter] public string Content { get; set; }
}
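A way around the double cast, as an added example (not code from the question or the answer): a component that emits the sanitized markup itself through RenderTreeBuilder.AddMarkupContent, which is what rendering a MarkupString comes down to. It assumes the Ganss.XSS HtmlSanitizer package (the namespace and the style-attribute default are the library's at the time of writing; newer releases use the Ganss.Xss namespace).

```csharp
// Added example; assumes the Ganss.XSS HtmlSanitizer NuGet package.
using Ganss.XSS;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;

// Why MarkupStringSanitized rendered as encoded text: Razor's @(...) ends up in
// RenderTreeBuilder.AddContent, which has a MarkupString overload that emits raw
// markup; any other type is ToString()'d and HTML-encoded. Writing the render
// tree directly removes the need for the (MarkupString)(MarkupStringSanitized)
// cast chain and keeps the sanitizer as the only path to raw output.
public class SafeHtml : ComponentBase
{
    private readonly HtmlSanitizer _sanitizer;

    public SafeHtml()
    {
        _sanitizer = new HtmlSanitizer();
        // The library's default allow-list permits the style attribute; if the
        // content has no legitimate need for inline CSS, drop it as well.
        _sanitizer.AllowedAttributes.Remove("style");
    }

    // Untrusted HTML, e.g. the output of a Markdown converter.
    [Parameter] public string Html { get; set; }

    protected override void BuildRenderTree(RenderTreeBuilder builder)
    {
        if (Html == null)
        {
            // AddContent with a string is HTML-encoded, so this is plain text.
            builder.AddContent(0, "Loading...");
            return;
        }

        // Sanitize on every render: the parameter may change between renders.
        // Script elements and event-handler attributes are outside the default
        // allow-list and are removed before the markup reaches the DOM.
        builder.AddMarkupContent(1, _sanitizer.Sanitize(Html));
    }
}

// Usage in a .razor file, replacing the cast chain:
//     <SafeHtml Html="@Content" />
```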
