How / Can I configure this to get rid of empty attributes from a string

[DEnas815]

Basically everything is allowed and sending in a string of json which has a mix of json nodes and html because its coming in on a request.
{ "pages": [ { "name": "page1", "elements": [ { "name": "a3cb112b-5346-4d08-8cec-ea7fa24316ec", "type": "paragraph", "isRequired": false, "fromQuestionBank": false, "title": "<p><img/src/onerror=prompt(document.domain)></p>", "titleLocation": "hidden" } ] } ] }
returns

{ "pages": [ { "name": "page1", "elements": [ { "name": "d6769398-78ab-4376-b0c2-4a9887b7046c", "type": "paragraph", "isRequired": false, "fromQuestionBank": false, "title": "<p><img src=""></p>", "titleLocation": "hidden" } ] } ] }

The title coming from a rich text editor, however the empty src="" attribute that was passed in is getting ="" appended rather than just removing the attribute. Is there a way to configure the sanitizer to get rid of empty attributes?

[mganss]

First of all, my recommendation is to only pass the value of the property with the key title to the sanitizer, i.e. only the raw HTML, not the whole JSON. The library was designed to sanitize HTML only. If you pass in other formats, you're likely to run into unintended side effects.

There is no out-of-the-box way to remove empty attributes, but you can leverage the PostProcessNode event to enable your use case:

sanitizer.PostProcessNode += (s, e) =>
{
    if (e.Node is IHtmlElement el)
    {
        foreach (var a in el.Attributes.ToList())
        {
            if (string.IsNullOrWhiteSpace(a.Value))
                el.RemoveAttribute(a.Name);
        }
    }
};