MimeKit

HtmlToHtml.FilterHtml Property

Note: This API is now obsolete.

Get or set whether undesirable tags should be stripped from the output.

Namespace: MimeKit.Text
Assembly: MimeKit (in MimeKit.dll) Version: 4.17.0
Syntax
C#
[ObsoleteAttribute("This is an incomplete solution for protecting against Cross-Site Scripting (XSS) attacks and should not be relied upon as a comprehensive security measure. For robust XSS protection, it is strongly recommended that applications pass the HTML output through a dedicated HTML sanitizer library that is actively maintained and updated to address emerging security threats.")]
public bool FilterHtml { get; set; }

Property Value

Boolean
true if undesirable tags should be filtered; otherwise, false.
Remarks

Gets or sets whether undesirable tags should be stripped from the output.

Caution

This is an incomplete solution for protecting against Cross-Site Scripting (XSS) attacks and should not be relied upon as a comprehensive security measure. This filter only removes certain known dangerous or undesirable HTML tags (such as <applet>, <audio>, <base>, <dialog>, <embed>, <form>, <frame>, <frameset>, <iframe>, <input>, <link>, <object>, <script>, <select>, <source>, <style>, <textarea>, <video>, and any tags without an enum mapping) but does not:

  • Validate or sanitize attribute values (e.g., javascript:, data:, or vbscript: URI schemes in href, src, or other URL attributes)
  • Filter event handler attributes (e.g., onclick, onerror, onload, etc.)
  • Sanitize inline CSS that may contain expressions or imports
  • Protect against newly discovered XSS attack vectors or techniques

For robust XSS protection, it is strongly recommended that applications pass the HTML output through a dedicated HTML sanitizer library (such as HtmlSanitizer, Ganss.XSS, or similar) that is actively maintained and updated to address emerging security threats.
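The recommendation above, shown as an added example that is not part of the MimeKit documentation: the converter output is passed through a dedicated sanitizer, which handles the attribute, URL-scheme and inline-CSS cases the tag filter leaves alone. It assumes the HtmlSanitizer NuGet package in a version that exposes the Ganss.Xss namespace; the class name MailHtmlRenderer, the scheme list and the sample input are constructed for illustration.

```csharp
using System;
using Ganss.Xss;      // assumption: HtmlSanitizer NuGet package (Ganss.Xss namespace)
using MimeKit.Text;

public static class MailHtmlRenderer   // hypothetical helper, not a MimeKit type
{
    static readonly HtmlSanitizer Sanitizer = CreateSanitizer();

    static HtmlSanitizer CreateSanitizer()
    {
        var sanitizer = new HtmlSanitizer();

        // URL attributes (href, src, ...) may only use these schemes, so
        // javascript:, data: and vbscript: values are dropped.
        sanitizer.AllowedSchemes.Clear();
        sanitizer.AllowedSchemes.Add("http");
        sanitizer.AllowedSchemes.Add("https");
        sanitizer.AllowedSchemes.Add("mailto");

        // Form controls are among the tags FilterHtml treats as undesirable;
        // take them out of the sanitizer's allow-list as well.
        foreach (var tag in new[] { "form", "input", "select", "textarea", "button" })
            sanitizer.AllowedTags.Remove(tag);

        return sanitizer;
    }

    // Convert an untrusted HTML body, then sanitize the result before display.
    public static string Render(string untrustedHtml)
    {
        var converter = new HtmlToHtml();   // FilterHtml is deliberately not relied on
        string converted = converter.Convert(untrustedHtml);
        return Sanitizer.Sanitize(converted);
    }

    public static void Main()
    {
        // Constructed sample covering the gaps listed in the caution note:
        // an event handler attribute, a script-capable URL scheme, a form control.
        const string sample =
            "<p onclick=\"track()\">Hello</p>" +
            "<a href=\"javascript:void(0)\">link</a>" +
            "<form action=\"https://example.invalid/\"><input name=\"q\"></form>";

        Console.WriteLine(Render(sample));
    }
}
```

Attributes and tags are kept only if they appear in the sanitizer's allow-lists, so review those lists against what your mail view actually needs to render.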
