Jitender Bisht

Reputation: 145

c# how to allow embedded image HtmlSanitizer

In the below code, is there any way to keep the embedded image src like data:image/gif;base64, data:image/png;base64 and data:image/jpeg;base64? I don't want to keep data:text/html;base64 in src.

using System;
using Ganss.XSS; // HtmlSanitizer NuGet package (namespace renamed to Ganss.Xss in later releases)

class Program
{
    static void Main(string[] args)
    {
        // Test input: a script block, an <object> and an <img> carrying data:text/html,
        // plus a legitimate inline GIF that should survive sanitizing.
        var htmlContent =
            @"
                <div class='Editor-editor' contenteditable='true' style='overflow: auto;'>xss.&nbsp; &nbsp;
                    <div>
                        <script>$(document ).ready(function() {alert('xss...')});</script>
                        <object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGV sbG8iKTs8L3NjcmlwdD4='></object>
                        <img onmouseover='alert(99)' src='data:text/html;base64,PHNjcmlwdD5hbGVydCgiSGV sbG8iKTs8L3NjcmlwdD4='>
                        <img src='data:image/gif;base64,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'>
                    </div>
                </div>
            ";

        ValidateHtmlContent(htmlContent);
        Console.ReadLine();
    }

    public static void ValidateHtmlContent(string htmlContent)
    {
        var sanitizer = new HtmlSanitizer();
        // Allowing the whole "data" scheme lets every data: URI through, not just data:image/*.
        sanitizer.AllowedSchemes.Add("data"); // showing all data src, i want to show only data:image/gif in image src
        var sanitized = sanitizer.Sanitize(htmlContent);

        Console.WriteLine(sanitized);
    }
}

Upvotes: 3

Views: 2091

Answers (2)

Shewan

Reputation: 81

Many thanks to Jitinder, I adapted his code (link) but found a problem with assigning to e.Reason (which is read only; perhaps the library has been updated since his answer). I appreciate that this post would be better as a comment to his answer, but I don't have the reputation necessary, and thought this would be useful to future readers.

I came up with this code, slightly edited and simplified but based on Jitinder's (link), and seems to work for me:

var sanitizer = new HtmlSanitizer();
// Take "src" off the attribute allow-list so every src triggers RemovingAttribute,
// then re-admit it only on <img> when the value starts with an allowed prefix.
sanitizer.AllowedAttributes.Remove("src");
var _dataImage = new List<string> { "data:image/gif", "data:image/jpeg", "data:image/png", "data:image/jpg", "https://" };
sanitizer.RemovingAttribute += (s, e) =>
{
  if (e.Tag.TagName == "IMG")
  {
    if (_dataImage.Any(x => e.Attribute.Value.StartsWith(x)))
    {
      e.Cancel = true; // keep the attribute; data:text/html and other values stay removed
    }
  }
};
var output = sanitizer.Sanitize(viewmodel.Notes); // viewmodel.Notes: the HTML string being sanitized

Upvotes: 4

Jitender Bisht

Reputation: 145

After many tries, I have found the solution, and it is working perfectly for me. Maybe this solution will help others.

public static void SanitizeHtmlContent(string htmlContent)
{
    var sanitizer = new HtmlSanitizer();
    // Remove "src" from the allowed attributes so the sanitizer raises RemovingAttribute
    // for every src; the handler below then keeps only the values we accept on <img>.
    sanitizer.AllowedAttributes.Remove("src");
    sanitizer.RemovingAttribute += (s, e) =>
    {
        var _dataImage = new List<string> { "data:image/gif", "data:image/jpeg", "data:image/png", "data:image/jpg", "http://", "https://" };

        switch (e.Tag.TagName)
        {
            case "IMG":
                {
                    if (_dataImage.Any(x => e.Attribute.Value.StartsWith(x)))
                    {
                        // In later library versions e.Reason is read-only; drop this line there.
                        e.Reason = RemoveReason.NotAllowedAttribute;
                        e.Cancel = true; // keep the attribute
                    }

                    break;
                }
        }
    };
    var sanitized = sanitizer.Sanitize(htmlContent);
    Console.WriteLine(sanitized);
}

Upvotes: 5
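Both answers above accept a data: URI on img src by prefix match. The following is an added, stand-alone example (not code from either answer or from the HtmlSanitizer project) that tightens that check: it admits only data:image/gif, png or jpeg with a base64 payload that actually decodes, matches the whole value with an anchored pattern, and applies the exception only to the src attribute of IMG. The sample HTML, the class name ImageDataUriSanitizer and the helper names are constructed for this example; the `using Ganss.XSS` namespace is the one the answers' library version used (newer releases call it Ganss.Xss).

```csharp
using System;
using System.Text.RegularExpressions;
using Ganss.XSS; // Ganss.Xss in HtmlSanitizer 8.x and later

public static class ImageDataUriSanitizer
{
    // Anchored: exact MIME type, ";base64," marker, base64 alphabet, optional padding, nothing else.
    private static readonly Regex AllowedDataImage = new Regex(
        @"^data:image/(?:gif|png|jpeg);base64,(?<payload>[A-Za-z0-9+/]+={0,2})$",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    // Returns true only for values we are willing to keep on <img src>.
    public static bool IsAllowedImageSrc(string value)
    {
        if (string.IsNullOrWhiteSpace(value)) return false;
        var trimmed = value.Trim();

        // Ordinary web references are fine on <img>.
        if (trimmed.StartsWith("https://", StringComparison.OrdinalIgnoreCase) ||
            trimmed.StartsWith("http://", StringComparison.OrdinalIgnoreCase))
            return true;

        var m = AllowedDataImage.Match(trimmed);
        if (!m.Success) return false;

        // A payload that is not valid base64 is not an image; reject it.
        try
        {
            Convert.FromBase64String(m.Groups["payload"].Value);
            return true;
        }
        catch (FormatException)
        {
            return false;
        }
    }

    public static HtmlSanitizer Create()
    {
        var sanitizer = new HtmlSanitizer();
        // Drop src everywhere by default so RemovingAttribute fires for each one,
        // then cancel the removal only for a vetted <img src>.
        sanitizer.AllowedAttributes.Remove("src");
        sanitizer.RemovingAttribute += (sender, e) =>
        {
            if (e.Tag.TagName == "IMG" &&
                e.Attribute.Name.Equals("src", StringComparison.OrdinalIgnoreCase) &&
                IsAllowedImageSrc(e.Attribute.Value))
            {
                e.Cancel = true; // keep this attribute
            }
        };
        return sanitizer;
    }

    public static void Main()
    {
        // Constructed sample: a 1x1 GIF, a data:text/html image, an SVG data URI, and an <object>.
        const string input = @"<div>
  <img src='data:image/gif;base64,R0lGODlhAQABAAAAACH5BAEKAAEALAAAAAABAAEAAAICTAEAOw=='>
  <img src='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='>
  <img src='data:image/svg+xml;base64,PHN2Zy8+'>
  <object data='data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg=='></object>
</div>";

        Console.WriteLine(Create().Sanitize(input));
    }
}
```

With this handler the GIF keeps its src, while the data:text/html and data:image/svg+xml images lose theirs because the pattern does not match; the `object` element is left to the sanitizer's default tag rules, since the handler only ever cancels removals on IMG. Checking the attribute name as well as the tag matters once other attributes are removed from the allow-list, and the anchored regex avoids the prefix trick where a value begins with an accepted string but continues with something else.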
