
Comments (8)

mganss commented on August 17, 2024

@tiesont You're right. This scenario used to work before AngleSharp 0.10, see AngleSharp/AngleSharp.Css#151 (comment)

@florianculie My hope is that the next release of AngleSharp.Css will be 1.0 which would mean you would no longer need a prerelease version of HtmlSanitizer. But in general, yes, you would need to wait for a new release of AngleSharp.Css.

I'm not aware of any issues with the newest versions of AngleSharp and AngleSharp.Css. This issue is the only regression I'm aware of.

from htmlsanitizer.

mganss commented on August 17, 2024

I can't reproduce the issue. Can you try and add a code snippet here that shows the issue?

This is what I tried:

var html = @"<p style=""text-align: start;"">this is the content of the p tag</p>";
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedCssProperties.Remove("text-align");
sanitizer.AllowedAttributes.Remove("style");
sanitizer.RemovingAttribute += (s, e) =>
{
    Assert.Equal("text-align: start;", e.Tag.Attributes[0].Value);
};
var output = sanitizer.Sanitize(html);


florianculie commented on August 17, 2024

Here's the Program.cs content from a new .NET 6 Console App:

using Ganss.Xss;

namespace ConsoleApp1
{
    internal class Program
    {
        static void Main(string[] args)
        {
            Console.WriteLine("Hello, World!");

            var html = @"<p style=""text-align: start;"">this is the content of the p tag</p>";
            var sanitizer = new HtmlSanitizer();

            // If you comment the two following lines, you will reproduce
            sanitizer.AllowedCssProperties.Remove("text-align");
            sanitizer.AllowedAttributes.Remove("style");
            //
            sanitizer.RemovingAttribute += (s, e) =>
            {
                string test = e.Tag.Attributes[0].Value;
            };
            var output = sanitizer.Sanitize(html);

        }
    }
}

If I use your code, with the two .Remove calls, I have no issue. However, if I comment those two lines (since I don't want to disallow them), you can see that the

e.Tag.Attributes[0].Value;

is an empty string, and the e.Tag.OuterHtml does not have the style value.


mganss commented on August 17, 2024

OK thanks, I can repro now. This occurs because the parsed style is empty in AngleSharp's CSSOM. Strangely, it does not occur if the style's value is text-align: left for example. On MDN it says for the initial value of text-align:

"start, or a nameless value that acts as left if direction is ltr, right if direction is rtl if start is not supported by the browser."

Perhaps start is not supported by AngleSharp and that's why it's not reflected in the OM? I'll open an issue in the AngleSharp.Css repo to find out what's going on.

from htmlsanitizer.
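
A way to observe the effect described in the comment above (a declaration that AngleSharp.Css cannot represent leaves the parsed style empty), as an added example that is not part of the thread or of the HtmlSanitizer project: it lists the raw style values that come out of a default HtmlSanitizer pass missing or empty. StyleDropAudit and FindDroppedStyles are hypothetical names, the sample HTML is constructed, and the code assumes the Ganss.Xss namespace used in the Program.cs above and an AngleSharp version that provides HtmlParser.ParseDocument.

```csharp
using System;
using System.Collections.Generic;
using AngleSharp.Html.Parser;
using Ganss.Xss;

// Hypothetical helper, added for illustration only.
internal static class StyleDropAudit
{
    // Returns every raw style value that is missing or empty after a
    // default-configured sanitizer pass. Styles that lose only some of
    // their declarations are not reported.
    public static List<string> FindDroppedStyles(string html)
    {
        var parser = new HtmlParser();        // plain HTML parse, no CSSOM involved
        var sanitizer = new HtmlSanitizer();  // default allow-lists
        var dropped = new List<string>();

        foreach (var element in parser.ParseDocument(html).QuerySelectorAll("[style]"))
        {
            var raw = element.GetAttribute("style");
            if (string.IsNullOrWhiteSpace(raw)) continue;

            // Probe the style on an allowed <p> element so the result does not
            // depend on whether the original element survives sanitization.
            var probe = parser.ParseDocument("<p>x</p>").QuerySelector("p");
            probe.SetAttribute("style", raw);

            var cleaned = parser.ParseDocument(sanitizer.Sanitize(probe.OuterHtml))
                                .QuerySelector("p")?.GetAttribute("style");

            if (string.IsNullOrWhiteSpace(cleaned)) dropped.Add(raw);
        }
        return dropped;
    }

    private static void Main()
    {
        // Constructed sample input; the first value is the one from this thread.
        const string html =
            "<p style=\"text-align: start;\">a</p>" +
            "<p style=\"text-align: left;\">b</p>";

        foreach (var raw in FindDroppedStyles(html))
            Console.WriteLine($"style dropped by sanitizer: {raw}");
    }
}
```

Which values are reported depends on the installed AngleSharp.Css version, so running this against representative content before and after an upgrade shows what the CSS parser change affects.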

mganss commented on August 17, 2024

I have reported as AngleSharp/AngleSharp.Css#151


mganss commented on August 17, 2024

The start value for text-align is not yet supported by AngleSharp.Css.


tiesont commented on August 17, 2024

For what it's worth, version 4.0.1830 uses AngleSharp 0.9.9.1. AngleSharp split the CSS processing to a separate library in 0.10.0, so I assume any version of HtmlSanitizer from v5 onwards (which uses AngleSharp 0.13.0) probably behaves differently with respect to CSS parsing.


florianculie commented on August 17, 2024

Sorry for the delay in response.
Thanks for your analysis.
As it seems it's an invalid value, I think we will remove the style attribute from the problematic data for the project.

If I am correct with my understanding, we need to wait for AngleSharp to fix the issue you declared earlier, then migrate to the latest pre-release of HtmlSanitizer that uses this AngleSharp release. Is that it?
If so, do you happen to have a "known issues" with the newest version of AngleSharp?

Thanks for your time on this subject.
