Orchard Core CMS Security Tutorials. The HTML Sanitizer and Sanitize Html Content Part and Field Settings.

HTML Sanitizer and Sanitize Html Field Settings in Orchard Core CMS

An HTML Sanitizer is part of the Orchard Core Framework and is used to protect an Orchard Core CMS website from accidental or malicious user input that could lead to XSS attacks. It is enabled by default for the following Content Parts and Content Fields in Orchard Core:

  • HTML Body Part
  • HTML Field
  • Markdown Body Part
  • Markdown Field

The Orchard Core developer can enable and disable HTML sanitizing by modifying the Content Part and Content Field settings. It's as simple as toggling the Sanitize Html checkbox.

Sanitize HTML in Orchard Core CMS

Unless you're having an issue, it's best to keep the Sanitize Html setting enabled. And even if you are having an issue, you may want to keep the Sanitize HTML setting enabled and instead modify the configuration of the HTML Sanitizer to allow the specific HTML tags or attributes that you do not want the sanitizer to block.

A perfect real-world scenario where we modified the configuration of the HTML Sanitizer in Orchard Core CMS was when developing an Orchard Core CMS website that used HTML data attributes to store extra information on standard, semantic HTML elements. As of right now, the default configuration of the HTML Sanitizer in Orchard Core CMS will remove the HTML data attributes. In our case, it was simply a data-id attribute on section tags. Below is an example for illustration purposes. Attempting to publish this HTML in an HTML Field in Orchard Core CMS with Sanitize HTML enabled will cause the data-id attribute to be removed from the section tag.

<section data-id="home">
    <div class="container">
        <div class="row">
            <div class="col">
                <p class="text-center">...</p>
            </div>
            <div class="col">
                <p class="text-center">...</p>
            </div>
        </div>
    </div>
</section>

We could disable sanitizing the HTML, but this seemed unnecessary for such a small need. Instead, we re-configured the HTML Sanitizer in Orchard Core to allow HTML data attributes.

// Startup.cs of the Orchard Core host application
public void ConfigureServices(IServiceCollection services) {
    services
        .AddOrchardCms()
        // Configure services per tenant; the sanitizer instance passed in is the
        // one Orchard Core uses for the parts and fields listed above
        .ConfigureServices(tenantServices =>
            tenantServices.ConfigureHtmlSanitizer((sanitizer) =>
            {
                // Keep the default allow-lists, but stop stripping data-* attributes
                sanitizer.AllowDataAttributes = true;
            })
        );
}

With this small change we still have the protection against XSS attacks in the Content Parts and Content Fields in the Orchard Core CMS website, while allowing the use of HTML data attributes.
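To show why allowing data-* attributes does not weaken the XSS protection, here is an added Python model of an allow-list sanitizer with the same two behaviours (default: strip data-* attributes; option enabled: keep them while still dropping script elements, on* event handlers and javascript: URLs). It is illustration only, not Orchard Core's sanitizer, and the tag and attribute allow-lists are assumptions chosen for the example.

```python
"""Allow-list HTML sanitizer sketch modelling the behaviour described above."""
from html import escape
from html.parser import HTMLParser

# Assumed allow-lists for the example (not Orchard Core's real defaults).
ALLOWED_TAGS = {"section", "div", "p", "a", "strong", "em", "ul", "li"}
ALLOWED_ATTRS = {"class", "id", "href"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self, allow_data_attributes=False):
        super().__init__(convert_charrefs=True)
        self.allow_data = allow_data_attributes
        self.out = []
        self.skipping = False  # True while inside a dropped <script>/<style>

    def _attr_ok(self, name, value):
        if name == "href":
            # Block javascript: URLs even though href itself is allowed
            return not (value or "").strip().lower().startswith("javascript:")
        if name in ALLOWED_ATTRS:
            return True
        # data-* is never executed by the browser, so it is safe to opt in
        return self.allow_data and name.startswith("data-")

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            # Unknown element is dropped; script/style content is dropped too
            self.skipping = tag in ("script", "style")
            return
        kept = " ".join(f'{n}="{escape(v or "", quote=True)}"'
                        for n, v in attrs if self._attr_ok(n, v))
        self.out.append(f"<{tag} {kept}>" if kept else f"<{tag}>")

    def handle_endtag(self, tag):
        if tag in ("script", "style"):
            self.skipping = False
        elif tag in ALLOWED_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))


def sanitize(html, allow_data_attributes=False):
    parser = AllowlistSanitizer(allow_data_attributes)
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```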