HtmlValidationContext class

This class handles all validation checking and HTML filtering, based on constraint properties that are set on the validation context.


Namespace:  Microsoft.SharePoint.Publishing.Fields
Assembly:  Microsoft.SharePoint.Publishing (in Microsoft.SharePoint.Publishing.dll)

[SharePointPermissionAttribute(SecurityAction.LinkDemand, ObjectModel = true)]
[SharePointPermissionAttribute(SecurityAction.InheritanceDemand, ObjectModel = true)]
public class HtmlValidationContext

The caller sets various constraints by setting the different constraint properties first. Then, the caller can invoke the ValidateHtml method to validate the input HTML and get the filtered HTML in return. Any input HTML markup that is determined to be unsafe or invalid, such as script and object tags, is also always removed from the content regardless of constraint property settings.

Use this class for validation in the RichHtmlField control to validate and provide feedback to the user about failures.

The ValidateHtmlCode sample constructs an HtmlValidationContext object with various settings and uses it to restrict and validate HTML content and return a report string. The sample function takes two optional arguments:

  • htmlContent. A string of HTML to run through validation. If this string is empty, then the application uses a default string of test HTML.

  • siteCollectionToRestrict. A SPSite object used to restrict the URLs present in the HTML. If this is set to null then the URLs are not restricted to an SPSite object.

    using SPSite = Microsoft.SharePoint.SPSite;
    using HtmlValidationContext = Microsoft.SharePoint.Publishing.Fields.HtmlValidationContext;
    namespace Microsoft.SDK.SharePointServer.Samples
        public static class HtmlValidationContextSamples
    public static string ValidateHtmlSample(
      string htmlContent,
      SPSite siteCollectionToRestrict)
      string htmlContentToValidate = htmlContent;
      if (string.IsNullOrEmpty(htmlContentToValidate))
         htmlContentToValidate = DefaultHtmlToValidate;
    string reportString = "Validating the following HTML \n[" + htmlContentToValidate + "]";
    HtmlValidationContext validationContext = new HtmlValidationContext();
    reportString += 
    "First validate with no constraints to remove unsafe content only \n[" + 
    validationContext.ValidateHtml(htmlContentToValidate) + "]";
            // You can change the following default HTML to validate
            private const string DefaultHtmlToValidate = @"
             <a href="""" title=""External link to"">
             <img src=""/SiteCollectionImages/SampleImage.jpg"" alt=""A server relative image URL"">
             External link to
          Script tags are unsafe and are silently removed: 
          <script>alert('XSS inline script');</script>
          Some <b>bold</b> and <i>italic</i> text markup and a <a href=""/Pages/SamplePage.aspx"">server relative link</a>
                <li>Testing a list of items</li>
                <li><a href=""javascript:alert('XSS click script');"">The surrounding link is unsafe and removed</a></li>
                <li onclick=""alert('XSS onclick is silently removed');"">Third list item</li>
    // You can change any of the following default data that are used to
    // validate image and link field values
            private const string DefaultImageUrl = "/SiteCollectionImages/SampleImage.jpg";
            private const string DefaultHyperlink = "";
    // ValidateHtmlSample 
    // Set the constraint properties to any desired combination of true and false
          validationContext.AllowFonts = true;
          validationContext.AllowHeadings = false;
          validationContext.AllowHyperlinks = true;
          validationContext.AllowImages = false;
          validationContext.AllowLists = false;
          validationContext.AllowTables = true;
          validationContext.AllowTextMarkup = false;
          if (null == siteCollectionToRestrict)
              // No site collection provided so do not restrict URLs
              validationContext.RestrictUrlsToSiteCollection = false;
              validationContext.GuidOfThisSiteCollection = System.Guid.Empty;
              // Restrict URLs to be from the provided site collection or to be server relative
              validationContext.RestrictUrlsToSiteCollection = true;
              validationContext.GuidOfThisSiteCollection = siteCollectionToRestrict.ID;
          bool droppedTags;
          bool droppedUrls;
          string validatedHtml =
                  out droppedTags,
                  out droppedUrls);
           reportString += 
               "Validated the HTML with the following constraints: " + validationContext.AllowedTagsSettingsMessage +
              "\n[" + validatedHtml + "]\n" +
                    "droppedTags=" + droppedTags + " droppedUrls=" + droppedUrls;
          return reportString;

This sample covers the following constructor, properties, and methods:

Any public static (Shared in Visual Basic) members of this type are thread safe. Any instance members are not guaranteed to be thread safe.