btcpayserver/BTCPayServer.Abstractions/Services/Safe.cs
Nisaba 2250853b3e HTML lang setting and Head tags for POS and Crowdfund public pages (#6229)
* HTML lang setting and Head tags for POS and Crowdfund public pages

* updates #6229

* updates 6229

* resolve conflict

* updated according to Nicolas' recommendations

* updates #6229

* Add RawMeta method in safe.cs

* ...

* resolve conflicts

* resolve conflict

* resolve conflicts

* Updates as Nicolas request

* updates

---------

Co-authored-by: d11n <mail@dennisreimann.de>
2025-01-15 14:49:25 +09:00


using System.Web;
using Ganss.Xss;
using Microsoft.AspNetCore.Html;
using Microsoft.AspNetCore.Mvc.Rendering;
namespace BTCPayServer.Abstractions.Services
{
/// <summary>
/// View-side helpers that turn untrusted strings into markup for Razor pages.
/// Each method pushes its input through a sanitizer, an encoder or a serializer
/// before the result is handed to <see cref="IHtmlHelper.Raw(string)"/>.
/// </summary>
public class Safe
{
    private readonly IHtmlHelper _htmlHelper;
    private readonly IJsonHelper _jsonHelper;
    private readonly HtmlSanitizer _htmlSanitizer;

    /// <summary>Stores the injected helpers; no other work is done here.</summary>
    /// <param name="htmlHelper">Used to wrap already-processed strings as raw HTML content.</param>
    /// <param name="jsonHelper">Used by <see cref="Json"/> to serialize models.</param>
    /// <param name="htmlSanitizer">
    /// Sanitizer used by <see cref="Raw"/> and <see cref="RawEncode"/>. Its allow-lists are
    /// configured by whoever registers it, not in this class.
    /// </param>
    public Safe(IHtmlHelper htmlHelper, IJsonHelper jsonHelper, HtmlSanitizer htmlSanitizer)
    {
        _htmlHelper = htmlHelper;
        _jsonHelper = jsonHelper;
        _htmlSanitizer = htmlSanitizer;
    }

    /// <summary>
    /// Sanitizes <paramref name="value"/> with the injected sanitizer and returns the
    /// result as unencoded HTML content.
    /// </summary>
    /// <param name="value">Markup that may come from an untrusted source.</param>
    /// <returns>The sanitized markup, emitted without further encoding.</returns>
    public IHtmlContent Raw(string value)
    {
        // What survives here is decided entirely by the injected sanitizer's configuration.
        var sanitized = _htmlSanitizer.Sanitize(value);
        return _htmlHelper.Raw(sanitized);
    }

    /// <summary>
    /// Sanitizes <paramref name="value"/>, HTML-encodes the sanitized text, and returns
    /// that as raw content, so any markup left by the sanitizer is rendered as text.
    /// </summary>
    /// <param name="value">Markup that may come from an untrusted source.</param>
    /// <returns>The sanitized and HTML-encoded text.</returns>
    public IHtmlContent RawEncode(string value)
    {
        var sanitized = _htmlSanitizer.Sanitize(value);
        var encoded = HttpUtility.HtmlEncode(sanitized);
        return _htmlHelper.Raw(encoded);
    }

    /// <summary>
    /// Serializes <paramref name="model"/> with the injected <see cref="IJsonHelper"/> and
    /// returns the serialized form as raw content.
    /// </summary>
    /// <param name="model">Object to serialize.</param>
    /// <returns>The serialized model, emitted without further encoding.</returns>
    public IHtmlContent Json(object model)
    {
        // NOTE(review): no sanitizing or encoding is applied here; safety inside a <script>
        // block or an attribute rests on the escaping done by the IJsonHelper
        // implementation. Confirm against the registered helper.
        var serialized = _jsonHelper.Serialize(model);
        return _htmlHelper.Raw(serialized);
    }

    /// <summary>
    /// Sanitizes a block of head markup so that only <c>meta</c> elements carrying the
    /// attributes <c>name</c>, <c>http-equiv</c>, <c>content</c>, <c>value</c> and
    /// <c>property</c> remain, and reports whether the sanitizer removed anything.
    /// </summary>
    /// <param name="inputHtml">Markup to restrict to meta tags.</param>
    /// <param name="isHtmlModified">
    /// Set to <c>true</c> when any of the sanitizer's removal events (tag, at-rule,
    /// attribute, comment, CSS class, style) fired; otherwise <c>false</c>.
    /// </param>
    /// <returns>
    /// The sanitized markup as a plain <see cref="string"/>. Unlike the other members it is
    /// not wrapped as <see cref="IHtmlContent"/>, so the caller chooses how it is written
    /// to the page.
    /// </returns>
    public string RawMeta(string inputHtml, out bool isHtmlModified)
    {
        // An out parameter cannot be captured by a lambda, so removals are recorded in a
        // local and copied to the out parameter at the end.
        bool removedSomething = false;

        // A dedicated sanitizer is built on every call; the injected one is not used, so
        // its configuration has no effect on meta handling.
        var metaOnly = new HtmlSanitizer { AllowDataAttributes = false };

        metaOnly.AllowedTags.Clear();
        metaOnly.AllowedTags.Add("meta");

        // NOTE(review): "http-equiv" together with "content" lets a surviving meta tag carry
        // browser directives (a refresh, for example), not only descriptive metadata.
        // Confirm that whoever supplies inputHtml is trusted to that degree, or narrow
        // this allow-list.
        metaOnly.AllowedAttributes.Clear();
        foreach (var attribute in new[] { "name", "http-equiv", "content", "value", "property" })
        {
            metaOnly.AllowedAttributes.Add(attribute);
        }

        // Any removal, of whatever kind, counts as a modification of the input.
        metaOnly.RemovingTag += (sender, args) => removedSomething = true;
        metaOnly.RemovingAtRule += (sender, args) => removedSomething = true;
        metaOnly.RemovingAttribute += (sender, args) => removedSomething = true;
        metaOnly.RemovingComment += (sender, args) => removedSomething = true;
        metaOnly.RemovingCssClass += (sender, args) => removedSomething = true;
        metaOnly.RemovingStyle += (sender, args) => removedSomething = true;

        var sanitizedMeta = metaOnly.Sanitize(inputHtml);
        isHtmlModified = removedSomething;
        return sanitizedMeta;
    }
}
}