Skip to content

[dev-v5] Add MarkupStringSanitized to enhances security and clarifies usage. #4424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
dvoituron merged 17 commits into from
Dec 24, 2025
Merged

[dev-v5] Add MarkupStringSanitized to enhances security and clarifies usage. #4424

dvoituron merged 17 commits into from
Dec 24, 2025

Conversation

@dvoituron
Copy link
Collaborator

@dvoituron dvoituron commented Dec 23, 2025
edited
Loading

[dev-v5] Add MarkupStringSanitized

Add a MarkupStringSanitized object, similar to MarkupString, to enhances security and clarifies usage.

The dev can configure the usage via LibraryConfiguration.MarkupSanitized => SanitizeInlineStyle and DefaultSanitizeHtml

  1. The Default inline style sanitizer function.

    • Allows only letters (a-zA-Z), numbers: 0-9, whitespace, punctuation characters ,.:;_%-()#{}'"
    • Allows only CSS units: px, em, rem, vh, vw (as letter combinations)
    • Allows only CSS keywords: ms, s, deg, rad, turn (for animations/transforms)
    • Blocks Dangerous Content: behavior, expression(), -moz-binding:, javascript:, url(javascript:)

  2. The Default HTML code sanitizer function.

    • Allows only safe tags: p, div, span, strong, em, b, i, u, ul, ol, li, h1-h6, br, hr
    • Allows only safe attributes: class, id, title, data-*

This enhances security and clarifies usage.

How to use?

To verify the Style content

new MarkupStringSanitized($"<style>#{Id}::part(dialog) {{ xxx }}</style>", LibraryConfiguration);

To verify the HTML content

@(new MarkupStringSanitized(Title, MarkupStringSanitized.Formats.Html, LibraryConfiguration))

Only be used when you are certain that the provided value is already sanitized.

internal static MarkupStringSanitized ArrowUp = new("<svg ...</svg>", MarkupStringSanitized.Formats.AlreadySanitized);

Unit Tests

image

@dvoituron
Make Title in FluentMessageBar plain text only
df9a43c 
The Title property now accepts only plain strings and no HTML markup.
For custom or formatted titles, use the ChildContent property.
Updated code and docs to clarify usage and provide examples.
@dvoituron
Sanitize inline CSS to prevent XSS in custom styles
e5e64b9 
Introduce MarkupSanitizedOptions and MarkupStringSanitized to sanitize inline CSS styles
@dvoituron
Update MarkupStringSanitized
ad81791
@dvoituron
Update MarkupStringSanitized
fefb69a
@dvoituron
Refactoring MarkupStringSanitized
f7253b1
@dvoituron
Refactoring
f860bf9
@dvoituron
Refactor
5dba7a2
@dvoituron
Add Unit Tests
aca732c
@dvoituron
Update components to use MarkupStringSanitized
e93d7c7
@dvoituron
Update Dialog and Add unit tests
e1bd978
@dvoituron
Refactor
a029469
@dvoituron
Fix errors
1ffc70c
@dvoituron
Update doc
db9d0ac
@dvoituron dvoituron requested a review from vnbaaij as a code owner December 23, 2025 17:07
@github-actions
Copy link

github-actions bot commented Dec 24, 2025
edited
Loading

✅ All tests passed successfully

Details on your Workflow / Core Tests page.

@github-actions
Copy link

github-actions bot commented Dec 24, 2025
edited
Loading

Summary - Unit Tests Code Coverage

Summary
Generated on: 12/24/2025 - 12:56:44
Coverage date: 12/24/2025 - 12:56:31
Parser: Cobertura
Assemblies: 1
Classes: 199
Files: 271
Line coverage: 98.7% (6553 of 6635)
Covered lines: 6553
Uncovered lines: 82
Coverable lines: 6635
Total lines: 26037
Branch coverage: 92.2% (3703 of 4013)
Covered branches: 3703
Total branches: 4013
Method coverage: Feature is only available for sponsors
Tag: 4837_20486622981

Coverage

Microsoft.FluentUI.AspNetCore.Components - 98.7%
Name Line Branch
Microsoft.FluentUI.AspNetCore.Components 98.7% 92.2%
Microsoft.FluentUI.AspNetCore.Components.AccordionItemEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.AdditionalAttributesExtensions 100% 100%
Microsoft.FluentUI.AspNetCore.Components.CachedServices 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Calendar.CalendarExtended 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Calendar.CalendarTitles`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Calendar.CalendarTValue 100% 100%
Microsoft.FluentUI.AspNetCore.Components.ColumnBase`1 97.2% 90.2%
Microsoft.FluentUI.AspNetCore.Components.ColumnKeyGridSort`1 94.4% 75%
Microsoft.FluentUI.AspNetCore.Components.ColumnOptionsUISettings 100%
Microsoft.FluentUI.AspNetCore.Components.ColumnResizeOptions`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.ColumnResizeUISettings 100%
Microsoft.FluentUI.AspNetCore.Components.ColumnSortUISettings 100%
Microsoft.FluentUI.AspNetCore.Components.CustomEmoji 100% 100%
Microsoft.FluentUI.AspNetCore.Components.CustomIcon 100%
Microsoft.FluentUI.AspNetCore.Components.DataGrid.Infrastructure.Defer 100%
Microsoft.FluentUI.AspNetCore.Components.DataGrid.Infrastructure.InternalGr
idContext`1		 100% 100%
Microsoft.FluentUI.AspNetCore.Components.DateTimeProvider 100% 100%
Microsoft.FluentUI.AspNetCore.Components.DateTimeProviderContext 100% 92.8%
Microsoft.FluentUI.AspNetCore.Components.DefaultStyles 100%
Microsoft.FluentUI.AspNetCore.Components.Dialog.MessageBox.FluentMessageBox 100% 75%
Microsoft.FluentUI.AspNetCore.Components.DialogEventArgs 100% 92.8%
Microsoft.FluentUI.AspNetCore.Components.DialogInstance 100% 100%
Microsoft.FluentUI.AspNetCore.Components.DialogOptions 100%
Microsoft.FluentUI.AspNetCore.Components.DialogOptionsFooter 100% 100%
Microsoft.FluentUI.AspNetCore.Components.DialogOptionsFooterAction 100% 100%
Microsoft.FluentUI.AspNetCore.Components.DialogOptionsHeader 100%
Microsoft.FluentUI.AspNetCore.Components.DialogResult 100% 100%
Microsoft.FluentUI.AspNetCore.Components.DialogResult`1 100%
Microsoft.FluentUI.AspNetCore.Components.DialogService 100% 82.3%
Microsoft.FluentUI.AspNetCore.Components.DialogToggleEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.DropdownEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.Emoji 100% 100%
Microsoft.FluentUI.AspNetCore.Components.EmojiCompress 100% 100%
Microsoft.FluentUI.AspNetCore.Components.EmojiExtensions 100% 50%
Microsoft.FluentUI.AspNetCore.Components.EmojiInfo 100%
Microsoft.FluentUI.AspNetCore.Components.Extensions.DateTimeExtensions 100% 92%
Microsoft.FluentUI.AspNetCore.Components.Extensions.DisplayAttributeExtensi
ons		 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Extensions.EnumExtensions 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Extensions.FieldSizeExtensions 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Extensions.FluentInputExtensions 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FileSizeConverter 100%
Microsoft.FluentUI.AspNetCore.Components.FluentAccordion 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentAccordionItem 100% 95.8%
Microsoft.FluentUI.AspNetCore.Components.FluentAnchorButton 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentAvatar 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentBadge 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentButton 98.4% 90.6%
Microsoft.FluentUI.AspNetCore.Components.FluentCalendar`1 98.1% 88.3%
Microsoft.FluentUI.AspNetCore.Components.FluentCalendarBase`1 100% 94.4%
Microsoft.FluentUI.AspNetCore.Components.FluentCalendarDay`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentCalendarMonth`1 100% 92.8%
Microsoft.FluentUI.AspNetCore.Components.FluentCalendarYear`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentCard 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentCheckbox 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentCombobox`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentComponentBase 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentCompoundButton 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentCounterBadge 100% 96.1%
Microsoft.FluentUI.AspNetCore.Components.FluentDataGrid`1 90.5% 88.5%
Microsoft.FluentUI.AspNetCore.Components.FluentDataGridCell`1 100% 95.2%
Microsoft.FluentUI.AspNetCore.Components.FluentDataGridRow`1 98.5% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentDatePicker`1 97.4% 85.2%
Microsoft.FluentUI.AspNetCore.Components.FluentDialog 97.5% 89.3%
Microsoft.FluentUI.AspNetCore.Components.FluentDialogBody 100% 91.6%
Microsoft.FluentUI.AspNetCore.Components.FluentDialogInstance 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentDialogProvider 100% 73.9%
Microsoft.FluentUI.AspNetCore.Components.FluentDivider 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentDragContainer`1 100%
Microsoft.FluentUI.AspNetCore.Components.FluentDragEventArgs`1 100%
Microsoft.FluentUI.AspNetCore.Components.FluentDropZone`1 100% 76%
Microsoft.FluentUI.AspNetCore.Components.FluentEmoji`1 100% 95%
Microsoft.FluentUI.AspNetCore.Components.FluentErrorBoundary 97.6% 93.7%
Microsoft.FluentUI.AspNetCore.Components.FluentField 100% 96.5%
Microsoft.FluentUI.AspNetCore.Components.FluentFieldCondition 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentFieldConditionItem 100%
Microsoft.FluentUI.AspNetCore.Components.FluentFieldConditionOptions 100%
Microsoft.FluentUI.AspNetCore.Components.FluentFieldExtensions 100%
Microsoft.FluentUI.AspNetCore.Components.FluentFieldParameterSelector 100% 98.7%
Microsoft.FluentUI.AspNetCore.Components.FluentGrid 100% 90%
Microsoft.FluentUI.AspNetCore.Components.FluentGridItem 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentHighlighter 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentIcon`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentImage 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentInputBase`1 93.8% 50%
Microsoft.FluentUI.AspNetCore.Components.FluentInputFile 100% 93.3%
Microsoft.FluentUI.AspNetCore.Components.FluentInputFileBuffer 100%
Microsoft.FluentUI.AspNetCore.Components.FluentInputFileErrorEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.FluentInputFileEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.FluentInputImmediateBase`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentJSModule 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentKeyCode 100% 92.8%
Microsoft.FluentUI.AspNetCore.Components.FluentKeyCodeEventArgs 100% 75%
Microsoft.FluentUI.AspNetCore.Components.FluentKeyCodeProvider 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentKeyPressEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.FluentLabel 100%
Microsoft.FluentUI.AspNetCore.Components.FluentLayout 100% 88.8%
Microsoft.FluentUI.AspNetCore.Components.FluentLayoutHamburger 100% 96.6%
Microsoft.FluentUI.AspNetCore.Components.FluentLayoutItem 100% 91%
Microsoft.FluentUI.AspNetCore.Components.FluentLink 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentListBase`1 97.3% 92.1%
Microsoft.FluentUI.AspNetCore.Components.FluentLocalizerExtensions 100%
Microsoft.FluentUI.AspNetCore.Components.FluentLocalizerInternal 100%
Microsoft.FluentUI.AspNetCore.Components.FluentMenu 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentMenuButton 100% 71.4%
Microsoft.FluentUI.AspNetCore.Components.FluentMenuItem 100% 90.4%
Microsoft.FluentUI.AspNetCore.Components.FluentMenuList 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentMessageBar 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentMultiSplitter 94.4% 89.4%
Microsoft.FluentUI.AspNetCore.Components.FluentMultiSplitterEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.FluentMultiSplitterPane 98.5% 85%
Microsoft.FluentUI.AspNetCore.Components.FluentMultiSplitterResizeEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.FluentOption 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentPaginator 100% 94.4%
Microsoft.FluentUI.AspNetCore.Components.FluentPopover 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentProgress 100%
Microsoft.FluentUI.AspNetCore.Components.FluentProgressBar 100% 87.5%
Microsoft.FluentUI.AspNetCore.Components.FluentProgressRing 100%
Microsoft.FluentUI.AspNetCore.Components.FluentProviders 100%
Microsoft.FluentUI.AspNetCore.Components.FluentRadio`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentRadioGroup`1 100% 88.8%
Microsoft.FluentUI.AspNetCore.Components.FluentRatingDisplay 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentSelect`1 96.1% 83.3%
Microsoft.FluentUI.AspNetCore.Components.FluentServiceBase`1 100%
Microsoft.FluentUI.AspNetCore.Components.FluentServiceProviderException`1 100%
Microsoft.FluentUI.AspNetCore.Components.FluentSkeleton 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentSlider`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentSpacer 100%
Microsoft.FluentUI.AspNetCore.Components.FluentSpinner 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentSplitButton 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentStack 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentStatus 100%
Microsoft.FluentUI.AspNetCore.Components.FluentSwitch 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentTab 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentTabs 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentText 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentTextArea 100% 70%
Microsoft.FluentUI.AspNetCore.Components.FluentTextInput 100% 85%
Microsoft.FluentUI.AspNetCore.Components.FluentTimePicker`1 100% 81.1%
Microsoft.FluentUI.AspNetCore.Components.FluentToggleButton 100% 91.6%
Microsoft.FluentUI.AspNetCore.Components.FluentTooltip 100% 95%
Microsoft.FluentUI.AspNetCore.Components.FluentTooltipProvider 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FluentTreeItem 100% 95.3%
Microsoft.FluentUI.AspNetCore.Components.FluentTreeView 100% 100%
Microsoft.FluentUI.AspNetCore.Components.FreeOptionOutput 100%
Microsoft.FluentUI.AspNetCore.Components.GridItemsProviderRequest`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.GridItemsProviderResult 100%
Microsoft.FluentUI.AspNetCore.Components.GridItemsProviderResult`1 100%
Microsoft.FluentUI.AspNetCore.Components.GridSort`1 100% 100%
Microsoft.FluentUI.AspNetCore.Components.HighlighterSplitter 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Icon 100% 95%
Microsoft.FluentUI.AspNetCore.Components.IconFromImage 100%
Microsoft.FluentUI.AspNetCore.Components.IconInfo 100%
Microsoft.FluentUI.AspNetCore.Components.IconsExtensions 100% 50%
Microsoft.FluentUI.AspNetCore.Components.IFluentComponentChangeAfterKeyPres
s		 100% 100%
Microsoft.FluentUI.AspNetCore.Components.IFluentLocalizer 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Infrastructure.EventCallbackSubscr
ibable`1		 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Infrastructure.EventCallbackSubscr
iber`1		 100% 87.5%
Microsoft.FluentUI.AspNetCore.Components.InputFileInstance 100% 100%
Microsoft.FluentUI.AspNetCore.Components.InputFileOptions 100%
Microsoft.FluentUI.AspNetCore.Components.InternalListContext`1 100%
Microsoft.FluentUI.AspNetCore.Components.KeyCodeService 100% 85.7%
Microsoft.FluentUI.AspNetCore.Components.KeyPress 100%
Microsoft.FluentUI.AspNetCore.Components.LayoutHamburgerEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.LibraryTooltipOptions 100%
Microsoft.FluentUI.AspNetCore.Components.Localization.LanguageResource 100% 100%
Microsoft.FluentUI.AspNetCore.Components.MarkupSanitizedOptions 100%
Microsoft.FluentUI.AspNetCore.Components.MenuItemEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.MessageBoxOptions 100%
Microsoft.FluentUI.AspNetCore.Components.Migration.AppearanceExtensions 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Migration.FluentInputAppearanceExt
ensions		 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Migration.TooltipPositionExtension 100% 100%
Microsoft.FluentUI.AspNetCore.Components.PaginationState 100% 81.2%
Microsoft.FluentUI.AspNetCore.Components.ProgressFileDetails 100%
Microsoft.FluentUI.AspNetCore.Components.PropertyColumn`2 100% 81.8%
Microsoft.FluentUI.AspNetCore.Components.RadioEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.RangeOfDates 100% 100%
Microsoft.FluentUI.AspNetCore.Components.SelectAllTemplateArgs 100%
Microsoft.FluentUI.AspNetCore.Components.SelectColumn`1 97.3% 95.1%
Microsoft.FluentUI.AspNetCore.Components.ServiceProviderExtensions 100%
Microsoft.FluentUI.AspNetCore.Components.SortedProperty 100%
Microsoft.FluentUI.AspNetCore.Components.SpacingExtensions 100% 97.2%
Microsoft.FluentUI.AspNetCore.Components.TabChangeEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.TemplateColumn`1 100% 25%
Microsoft.FluentUI.AspNetCore.Components.TooltipEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.TotalItemCountChangedEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.TreeItemChangedEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.TreeViewItem 100% 100%
Microsoft.FluentUI.AspNetCore.Components.TreeViewItemExpandedEventArgs 100%
Microsoft.FluentUI.AspNetCore.Components.UploadedFileDetails 100%
Microsoft.FluentUI.AspNetCore.Components.Utilities.AddTag 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Utilities.CssBuilder 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Utilities.Debounce 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Utilities.Identifier 100% 100%
Microsoft.FluentUI.AspNetCore.Components.Utilities.IdentifierContext 100% 75%
Microsoft.FluentUI.AspNetCore.Components.Utilities.InlineStyleBuilder 100% 91.6%
Microsoft.FluentUI.AspNetCore.Components.Utilities.MarkupStringSanitized 100% 92.5%
Microsoft.FluentUI.AspNetCore.Components.Utilities.RangeOf`1 96.7% 97.2%
Microsoft.FluentUI.AspNetCore.Components.Utilities.StyleBuilder 100% 100%
Microsoft.FluentUI.AspNetCore.Components.ZIndex 100%

@dvoituron dvoituron enabled auto-merge (squash) December 24, 2025 12:56
@dvoituron dvoituron merged commit d4a004f into dev-v5 Dec 24, 2025
4 checks passed
@dvoituron dvoituron deleted the users/dvoituron/dev-v5/messagebar-markupstring branch December 24, 2025 14:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@vnbaaij vnbaaij vnbaaij approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@dvoituron @vnbaaij