1011008: Added New UG content for Input sanitization#7846
1011008: Added New UG content for Input sanitization#7846ponselvajeganathan wants to merge 10 commits intodevelopmentfrom
Conversation
|
Build Status: INPROGRESS 🔃 |
|
CI Status: FAILURE ❌ |
|
Build Status: INPROGRESS 🔃 |
|
CI Status: SUCCESS ✅ |
| First, install the package: | ||
|
|
||
| ``` | ||
| dotnet add package HtmlSanitizer |
There was a problem hiding this comment.
suggest Microsoft package, do not suggest third parties.
|
|
||
| ## TextBox / TextArea | ||
|
|
||
| Syncfusion **TextBox** and **TextArea** components bind plain text. Sanitize the value only if you render it as HTML. |
There was a problem hiding this comment.
modify content like, syncfusion components support sanitization
| {% endhighlight %} | ||
| {% endtabs %} | ||
|
|
||
| ## Validation vs. Sanitization |
There was a problem hiding this comment.
is this validation topic required
kmkrish001
left a comment
kmkrish001
left a comment
There was a problem hiding this comment.
Address this comments.
|
Build Status: INPROGRESS 🔃 |
|
The running CI Job is terminated due to changes committed on the source branch for this Merge Request and CI triggered for latest commit. |
|
CI Status: ABORTED ❌ |
|
Build Status: INPROGRESS 🔃 |
|
CI Status: SUCCESS ✅ |
|
|
||
| # Input Sanitization with Syncfusion Blazor Components | ||
|
|
||
| Input sanitization ensures that any user-provided content whether typed, pasted, uploaded, or received from external sources is safe to process or display in a Syncfusion Blazor application. Because user input can contain unsafe HTML or script content, sanitization prevents malicious code execution and ensures application integrity. |
There was a problem hiding this comment.
In the introduction mention which syncfusion API using for sanitization, what are the components below covered.
|
|
||
| ## Built-In Sanitization Features | ||
|
|
||
| Several Syncfusion Blazor components include HTML sanitization capabilities to prevent harmful script or markup from being processed. Components that accept or render HTML content such as the Rich Text Editor have built-in mechanisms to remove unsafe elements before rendering. |
There was a problem hiding this comment.
Not mentioning the built-in option API name
| When enabled, automatically removes unsafe tags and attributes such as `<script>` tags, event attributes (such as onload, onclick), and other unsafe content before rendering it. This ensures only clean and safe HTML is allowed in the editor. | ||
|
|
||
| ## How to Sanitize Input in Blazor | ||
|
|
There was a problem hiding this comment.
explain this shortly with sample code.
| The encoded value ensures the Grid displays safe text without interpreting any malicious input. | ||
|
|
||
| ## See Also | ||
|
|
There was a problem hiding this comment.
add csp topic in see also
| Sanitized output: x | ||
| ``` | ||
|
|
||
| ## Types of Attacks Prevented |
|
|
||
| {% endhighlight %} | ||
| {% endtabs %} | ||
|
|
There was a problem hiding this comment.
attach playground sample link for this.
| {% highlight razor %} | ||
|
|
||
| @page "/sanitize-example" | ||
|
|
There was a problem hiding this comment.
components namespace not used, which packages...
| ### Rich Text Editor (RTE) | ||
|
|
||
| The Rich Text Editor allows users to input and render HTML content. To prevent unsafe markup from being inserted or displayed, enable the built‑in sanitizer using the `EnableHtmlSanitizer` property. | ||
|
|
There was a problem hiding this comment.
how to disable the sanitization, if not needed.
|
Build Status: INPROGRESS 🔃 |
|
CI Status: FAILURE ❌ |
|
Build Status: INPROGRESS 🔃 |
|
CI Status: SUCCESS ✅ |
|
|
||
| {% previewsample "https://blazorplayground.syncfusion.com/embed/VXrxDAitJvkRyhWu?appbar=false&editor=false&result=true&errorlist=false&theme=bootstrap5" %} | ||
|
|
||
| ## Custom Sanitization |
There was a problem hiding this comment.
No content for this topic Custom Sanitization
|
Build Status: INPROGRESS 🔃 |
|
CI Status: SUCCESS ✅ |
|
Build Status: INPROGRESS 🔃 |
|
CI Status: SUCCESS ✅ |
|
|
||
| @using Syncfusion.Blazor.BlockEditor | ||
|
|
||
| <sfblockeditor enablehtmlsanitizer="true"> |
There was a problem hiding this comment.
is this proper code to render block editor component in blazor ?
|
|
||
| @using Syncfusion.Blazor.BlockEditor | ||
|
|
||
| <sfblockeditor enablehtmlsanitizer="false"> |
There was a problem hiding this comment.
is the property enablehtmlsanitizer casing is correct ?
|
|
||
| * [Paste Clean-up in Blazor Rich Text Editor](https://blazor.syncfusion.com/documentation/rich-text-editor/paste-cleanup) | ||
| * [Content Security Policy (CSP)](https://blazor.syncfusion.com/documentation/common/content-security-policy) | ||
| * [Paste Clean-up in Blazor Blcok Editor](https://sfblazor.azurewebsites.net/staging/documentation/block-editor/paste-cleanup) |
There was a problem hiding this comment.
Block Editor spelling mistakes
| { | ||
| var cleaned = System.Net.WebUtility.HtmlEncode(UserText); | ||
| Items.Add(new ItemRecord { Content = cleaned }); | ||
| Items = Items.ToList(); |
There was a problem hiding this comment.
unnecessary list reassignment: The code calls Items.Add(...) then Items = Items.ToList(); and StateHasChanged(). This is confusing.
Action: Replace with a clear pattern. Keep Items as List and call Items.Add(...) then StateHasChanged().
| ``` | ||
| @code { | ||
| string userInput = "<script>alert('XSS')</script> Hello!"; | ||
| string safeText = System.Net.WebUtility.HtmlEncode(userInput); |
There was a problem hiding this comment.
use System.Text.Encodings.Web.HtmlEncoder
|
|
||
| * [Paste Clean-up in Blazor Rich Text Editor](https://blazor.syncfusion.com/documentation/rich-text-editor/paste-cleanup) | ||
| * [Content Security Policy (CSP)](https://blazor.syncfusion.com/documentation/common/content-security-policy) | ||
| * [Paste Clean-up in Blazor Blcok Editor](https://sfblazor.azurewebsites.net/staging/documentation/block-editor/paste-cleanup) |
There was a problem hiding this comment.
do not add staging link
|
|
||
| ## Built-In Sanitization Features | ||
|
|
||
| Several Syncfusion Blazor components include HTML sanitization capabilities to prevent harmful script or markup from being processed. Components that accept or render HTML content such as the Rich Text Editor have built-in `EnableHtmlSanitizer` property to remove unsafe elements before rendering. |
There was a problem hiding this comment.
Mentioned several components but RTE and Block editor alone described, add short details about other components.
|
Build Status: INPROGRESS 🔃 |
|
CI Status: SUCCESS ✅ |
|
Build Status: INPROGRESS 🔃 |
|
CI Status: SUCCESS ✅ |
|
|
||
| ## Overview | ||
|
|
||
| Input sanitization is a critical security practice in Syncfusion Blazor applications that handle user-generated content. Syncfusion Blazor components include built-in HTML sanitization (enabled by default in most cases) to safely process and render potentially untrusted content. This guide explains how these features work, focusing especially on the **Rich Text Editor**, **Block Editor** (using `EnableHtmlSanitizer` property), and **DataGrid**. |
There was a problem hiding this comment.
instead of saying most cases add example like, Syncfusion Blazor components that accept HTML have a built‑in sanitizer (for example, the Rich Text Editor's EnableHtmlSanitizer property is enabled by default).
| {% endhighlight %} | ||
| {% endtabs %} | ||
|
|
||
| When enabled the `EnableHtmlSanitizer` property, automatically removes unsafe tags and attributes such as `<script>` tags, event attributes (such as onload, onclick), and other unsafe content before rendering it. This ensures only clean and safe HTML is allowed in the editor. |
There was a problem hiding this comment.
enabled the EnableHtmlSanitizer property - improvise the sentence.
|
|
||
| When the EnableHtmlSanitizer property is enabled, the Block Editor automatically removes unsafe tags and attributes such as `<script>` tags, event attributes (like onload, onclick), javascript: URLs, and other harmful markup before rendering content. This ensures that only clean and trusted HTML remains in the editor output. | ||
|
|
||
| To disable the built-in sanitizer (not recommended for untrusted input), set the property to false: |
There was a problem hiding this comment.
For disable example show in common section single place instead of each component.
| @using Syncfusion.Blazor.Buttons | ||
| @using Syncfusion.Blazor.Grids | ||
| @using Syncfusion.Blazor.Inputs | ||
| @using System.Text.Encodings.Web |
There was a problem hiding this comment.
File shows @using System.Text.Encodings.Web but example uses System.Net.WebUtility.HtmlEncode
|
|
||
| @code { | ||
| string userInput = "<script>alert('XSS')</script> Hello!"; | ||
| string safeText = System.Net.WebUtility.HtmlEncode(userInput); |
| <div class="input-row"> | ||
| <SfTextBox @bind-Value="UserText" Placeholder="Enter text" CssClass="w-100"></SfTextBox> | ||
|
|
||
| <SfButton CssClass="e-primary" OnClick="ProcessInputAsync" Type="Button"> |
There was a problem hiding this comment.
Button OnClick attribute uses "ProcessInputAsync" while the method is named ProcessInput (mismatch)
| </div> | ||
|
|
||
| <div class="mt-2"> | ||
| <SfGrid @ref="UserGrid" DataSource="Items" AllowPaging="true"> |
There was a problem hiding this comment.
DataSource="Items" should be DataSource="@Items" (Razor binding)
3 participants
Description
Added New UG content for Input sanitization
Code Studio usage(Mandatory)
Code Studio used in this PR/MR?
If
Yes: Primary use (choose one)Outcome
If “Cost time” explain in short (1 or 2 lines):
Type of Change
Reviewer Checklist (Mandatory)