OnRemovingTag not called for malformed or obfuscated tags (due to AngleSharp skipping them)

[arunsurfer]

Hi, Thanks for the awesome library. It been extremely helpful for keeping our input safe. I wanted to raise a concern about how malformed or obfuscated html tags (e.g <sc++ipt>, <ob+ect>,<object+data> or special charters like <script&#x3E) are being silently skipped by Anglesharp during parsing

When content contains malformed tags, Anglesharp often discards them as text, because of this

1. HtmlSanitizer.Sanitize() removes nothing
2. OnRemovingTag or OnRemovingAttribute are never triggered

example : "TEST"<obj+ect data="javascript:alert&#40'1')">

This content is:

• Decoded as: "TEST"<obj+ect data="javascript:alert('1')">
• Sanitizer output: "TEST"
• But no events like OnRemovingTag fire

Would it be possible to:

Expose malformed or skipped tags as part of the sanitization pipeline?

I understand this may be a limitation of AngleSharp’s compliant parsing — but even a utility hook or helper in HtmlSanitizer to pre-scan for malformed tags would be hugely helpful.

Thanks again for your amazing work. Happy to help test or contribute if this direction is supported.

[mganss]

I can't repro. RemovingTag is getting called. Can you provide a short code snippet that illustrates the issue?

[arunsurfer]

public  class HtmlSanitizerWrapper
{
    private HtmlSanitizer _htmlSanitizer;
    private bool _inputHtmlModified = false;

    public HtmlSanitizerWrapper()
    {
        _htmlSanitizer = new HtmlSanitizer();
        _htmlSanitizer.RemovingTag += OnRemovingTag;
        _htmlSanitizer.RemovingAttribute += OnRemovingAttribute;
        _htmlSanitizer.RemovingStyle += OnRemovingStyle;
    }
    public (string sanitizedHtml, bool _inputHtmlModified) SanitizeHtml(string html)
    {
        var sanitizedHtml = _htmlSanitizer.Sanitize(html);
        return (sanitizedHtml, _inputHtmlModified) ;
    }


    private void OnRemovingTag(object sender, RemovingTagEventArgs eventArgs)
    {
        _inputHtmlModified = true;
    }

    private void OnRemovingAttribute(object sender, RemovingAttributeEventArgs eventArgs)
    {
        _inputHtmlModified = true;
    }

    private void OnRemovingStyle(object sender, RemovingStyleEventArgs eventArgs)
    {
        _inputHtmlModified = true;
    }

}

public class HtmlSanitizerWrapperTests
{
    [TestMethod]
    [DataRow("%22INJECT+HERE%22TEST<object+d\r\nata=\"javascript:alert%26%230000000040%271%27%29\"", true)]
    [DataRow("Test<object+data=\"javascript:alert%26%230000000040%271%27%29\"", true)]
    public void SanitizeHtml_ShouldReturnExpectedResults(string inputHtml, bool expectedModification)
    {
        // Arrange
        var sanitizer = new HtmlSanitizerWrapper();

        // Act
        var (sanitizedHtml, inputHtmlModified) = sanitizer.SanitizeHtml(inputHtml);

        // Assert
        Assert.AreEqual(expectedModification, inputHtmlModified);
    }
}

[mganss]

The input strings are different here than in the first comment. In particular, the closing > is missing, causing AngleSharp to not parse an element. If you want to catch parser errors, you can leverage the HtmlParserFactory property to customize parser creation and subscribe to the HtmlParser.Error event.