        public void invalid_a_hrefs_should_be_filtered()
        {
            // Anchors whose href does not match the policy's allowed URL pattern
            // must be dropped, while surrounding text and allowed anchors survive.
            var sanitizer = new AntiSamy();

            // NOTE(review): the inline comments end in "--!>" rather than "-->";
            // how the underlying parser terminates them is not asserted here.
            var html = @"<div>
                                <a href='mysite.com/image.jpg' /> <!-- to be allowed --!>
                                <a href='mysite.com/some_relative_path' /> <!-- to be allowed --!>
                                <a href='mysite.com/some_relative_path/level2' /> <!-- to be allowed --!>
                                Some description 
                                <a href='hackers.com/xss.js' />
                                <a href='abc.com' />
                                another description
                             </div>";

            AntiySamyResult result = sanitizer.Scan(html, TestPolicy);
            string clean = result.CleanHtml;

            // Allowed by the URL pattern in antisamy1.xml, plus the plain text.
            string[] mustSurvive =
            {
                "<div",
                "Some description",
                "another description",
                "mysite.com/image.jpg",
                "mysite.com/some_relative_path",
                "mysite.com/some_relative_path/level2",
            };
            foreach (var fragment in mustSurvive)
            {
                clean.Should().Contain(fragment);
            }

            // Off-pattern hosts must not leak into the output.
            string[] mustBeGone = { "hackers.com/xss.js", "abc.com" };
            foreach (var fragment in mustBeGone)
            {
                clean.Should().NotContain(fragment);
            }
        }
        public void issue69()
        {
            // issue #69: the <td char> attribute must accept a single character or
            // a single entity reference, and reject anything longer.
            bool CharAttributeKept(string markup)
            {
                AntiySamyResult result = _sut.Scan(markup, TestPolicy);
                return result.CleanHtml.Contains("char");
            }

            CharAttributeKept("<table><tr><td char='.'>test</td></tr></table>").Should().BeTrue();
            CharAttributeKept("<table><tr><td char='..'>test</td></tr></table>").Should().BeFalse();
            CharAttributeKept("<table><tr><td char='&quot;'>test</td></tr></table>").Should().BeTrue();
            CharAttributeKept("<table><tr><td char='&quot;a'>test</td></tr></table>").Should().BeFalse();
            CharAttributeKept("<table><tr><td char='&quot;&amp;'>test</td></tr></table>").Should().BeFalse();
        }
        public void invalid_tags_should_be_removed()
        {
            // Embedding/framing elements (iframe, object, embed, frame, frameset)
            // must be stripped while the container and its text survive.
            var sanitizer = new AntiSamy();

            var html = @"<div>
                                Some description 
                                <iframe src='hackers.com/xss' />
                                <object data='hackers.com/xss' />
                                <embed />
                                <frame />
                                <frameset />
                             </div>";

            AntiySamyResult result = sanitizer.Scan(html, TestPolicy);
            string clean = result.CleanHtml;

            // The wrapper and its text content are kept.
            clean.Should().Contain("<div");
            clean.Should().Contain("Some description");

            // None of the embedding tags may reach the output. ("<frame" already
            // covers "<frameset"; the explicit check is kept for readability.)
            string[] forbiddenTags = { "<iframe", "<object", "<embed", "<frame", "<frameset" };
            foreach (var tag in forbiddenTags)
            {
                clean.Should().NotContain(tag);
            }
        }
        public void issue37()
        {
            // issue #37: a blog-style snippet with an inline event handler (onblur)
            // and assorted presentational markup. The fragments below are joined
            // without separating whitespace, so several attributes run together;
            // the test only checks that each policy sanitizes this malformed input
            // without throwing or yielding a null result.
            string dirty = "<a onblur=\"try {parent.deselectBloggerImageGracefully();}"
                + "catch(e) {}\""
                + "href=\"http://www.charityadvantage.com/ChildrensmuseumEaston/images/BookswithBill.jpg\"><img"
                + "style=\"FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 150px; CURSOR:"
                + "hand; HEIGHT: 100px\" alt=\"\""
                + "src=\"http://www.charityadvantage.com/ChildrensmuseumEaston/images/BookswithBill.jpg\""
                + "border=\"0\" /></a><br />Poor Bill, couldn't make it to the Museum's <span"
                + "class=\"blsp-spelling-corrected\" id=\"SPELLING_ERROR_0\">story time</span>"
                + "today, he was so busy shoveling! Well, we sure missed you Bill! So since"
                + "ou were busy moving snow we read books about snow. We found a clue in one"
                + "book which revealed a snowplow at the end of the story - we wish it had"
                + "driven to your driveway Bill. We also read a story which shared fourteen"
                + "<em>Names For Snow. </em>We'll catch up with you next week....wonder which"
                + "hat Bill will wear?<br />Jane";

            // Same input against three different policy files, in this order.
            string[] policyFiles = { "antisamy-myspace.xml", "antisamy-ebay.xml", "antisamy-slashdot.xml" };
            foreach (var policyFile in policyFiles)
            {
                Policy policy = GetPolicy(policyFile);
                AntiySamyResult cr = _sut.Scan(dirty, policy);
                cr.CleanHtml.Should().NotBeNull();
            }
        }
        public void issue58()
        {
            // issue #58: <input/> is self-closing but was missing from the list of
            // tags allowed to be empty, which produced a spurious error.
            var markup = "tgdan <input/> g  h";

            AntiySamyResult result = _sut.Scan(markup, TestPolicy);

            result.ErrorMessages.Should().BeEmpty();
        }
        public void issue51()
        {
            // issue #51: off-site URLs containing parentheses, such as the
            // "(S(...))" path segment here, were wrongly rejected by the href pattern.
            var markup = "<a href='http://subdomain.domain/(S(ke0lpq54bw0fvp53a10e1a45))/MyPage.aspx'>test</a>";

            AntiySamyResult result = _sut.Scan(markup, TestPolicy);

            result.ErrorMessages.Should().BeEmpty();
        }
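        public void issue29()
        {
            // issue #29: a CSS property value containing spaces ("Arial Unicode MS")
            // must keep its surrounding quotes after sanitizing.
            var s = "<style type=\"text/css\"><![CDATA[P {\n	font-family: \"Arial Unicode MS\";\n}\n]]></style>";
            AntiySamyResult result = _sut.Scan(s, TestPolicy);

            // The sanitizer output is the assertion subject and the input the
            // expectation, so a failure reports what was actually produced.
            // BeEquivalentTo compares strings ignoring case.
            result.CleanHtml.Should().BeEquivalentTo(s);
        }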
        public void CDATAByPass()
        {
            // A CDATA section closed early ("]>") followed by a <script> element must
            // not let the script through as markup: it is reported as an error and
            // emitted entity-encoded instead.
            var malInput = "<![CDATA[]><script>alert(1)</script>]]>";
            AntiySamyResult result = _sut.Scan(malInput, TestPolicy);
            string clean = result.CleanHtml;

            result.ErrorMessages.Should().NotBeEmpty();
            clean.Should().Contain("&lt;script");
            clean.Should().NotContain("<script");
        }
        public void isssue31()
        {
            // Unclosed known tags followed by an unknown tag <g>: the unknown tag is
            // expected to come out entity-encoded rather than as live markup.
            // (No onUnknownTag=encode policy override is applied; TestPolicy is used as-is.)
            var markup = "<b><u><g>foo";

            AntiySamyResult cr = _sut.Scan(markup, TestPolicy);

            cr.CleanHtml.Contains("&lt;g&gt;").Should().BeTrue();
        }
        public void issue61()
        {
            // issue #61: the output gained a trailing newline when the input ended
            // with an accepted tag; the result must match the input (case ignored
            // by BeEquivalentTo). Output formatting is not supported, so no
            // FORMAT_OUTPUT policy override is applied.
            var dirtyInput = "blah <b>blah</b>.";

            AntiySamyResult result = _sut.Scan(dirtyInput, TestPolicy);

            result.CleanHtml.Should().BeEquivalentTo(dirtyInput);
        }
        public void isssue56()
        {
            // issue #56: unnecessary characters in the style value. The expected
            // output drops the trailing ';' (the tag-name case change is not
            // enforced, since BeEquivalentTo ignores case).
            var markup   = "<SPAN style='font-weight: bold;'>Hello World!</SPAN>";
            var expected = "<span style='font-weight: bold'>Hello World!</span>";

            AntiySamyResult result = _sut.Scan(markup, TestPolicy);

            result.CleanHtml.Should().BeEquivalentTo(expected);
        }
        public void issue40()
        {
            // issue #40: a comma-separated <style media="..."> list must survive
            // sanitizing intact. (No PRESERVE_SPACE policy override is applied here.)
            var markup = "<style media=\"print, projection, screen\"> P { margin: 1em; }</style>";

            AntiySamyResult result = _sut.Scan(markup, TestPolicy);

            result.CleanHtml.Should().Contain("print, projection, screen");
        }
        public void allow_any_src_in_img_tag()
        {
            // Under antisamy-mysite.xml an <img> may point at any src, including a
            // site-relative path, so the markup must pass through byte-for-byte.
            var sanitizer = new AntiSamy();
            var html = "Size Table: ;<p><img src=\"/Assets/ProductImages/chartlar/image.jpg\" width=\"456\" height=\"197\" alt=\"\" /></p> ; Lorem ipsum";

            Policy mySitePolicy = GetPolicy("antisamy-mysite.xml");
            AntiySamyResult result = sanitizer.Scan(html, mySitePolicy);

            result.CleanHtml.Should().Be(html);
        }
        public void literalLists()
        {
            // Confirms that literal attribute-value lists are enforced: align='invalid'
            // is not in the allowed list and must be dropped with exactly one error,
            // while align='left' is kept. (Originally filed as a bug that turned out
            // to be non-reproducible; the test was kept as regression coverage.)
            var badInput = "hello<p align='invalid'>world</p>";
            AntiySamyResult bad = _sut.Scan(badInput, TestPolicy);

            bad.CleanHtml.Should().NotContain("invalid");
            bad.ErrorMessages.Should().HaveCount(1);

            var goodInput = "hello<p align='left'>world</p>";
            AntiySamyResult good = _sut.Scan(goodInput, TestPolicy);

            good.CleanHtml.Should().Contain("left");
        }
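        public void issue30()
        {
            // issue #30: CSS inside a CDATA section within <style> must be accepted.
            var singleLine = "<style type=\"text/css\"><![CDATA[P { margin-bottom: 0.08in; } ]]></style>";

            // Smoke check only: the single-line form must scan without throwing.
            _sut.Scan(singleLine, TestPolicy);

            // Follow-up: multiline CSS with CRLF line endings comes back with LF
            // line endings and a tab indent inside the CDATA block.
            var multiLine = "<style type=\"text/css\"><![CDATA[\r\nP {\r\n margin-bottom: 0.08in;\r\n}\r\n]]></style>";
            AntiySamyResult cr = _sut.Scan(multiLine, TestPolicy);

            // The sanitizer output is the assertion subject so a failure reports
            // what was actually produced. BeEquivalentTo compares strings ignoring case.
            cr.CleanHtml.Should()
              .BeEquivalentTo("<style type=\"text/css\"><![CDATA[P {\n\tmargin-bottom: 0.08in;\n}\n]]></style>");

            // A further follow-up for non-CDATA <style> content (the commented-out
            // variant toggled policy.UseXhtml = false) is not exercised here.
        }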
        public void script_references_should_be_removed_by_default()
        {
            // <script> elements, whether external (src=...) or inline, must be
            // removed under the test policy while the surrounding <div> and its
            // text are kept.
            var sanitizer = new AntiSamy();

            var html = @"<script type='text/javascript' src='hackers.com/xss.js' />
                          <script>alert('XSS !!!');</script>
                          <div>
                                Some description                                
                                <script type='text/javascript' src='hackers.com/xss.js' />
                          </div>";

            AntiySamyResult result = sanitizer.Scan(html, TestPolicy);
            string clean = result.CleanHtml;

            // Kept.
            clean.Should().Contain("<div");
            clean.Should().Contain("Some description");

            // Removed. NOTE(review): only the literal tag is checked; whether the
            // inline script body survives as (entity-encoded) text is not asserted.
            clean.Should().NotContain("<script");
        }
        public void invalid_img_urls_should_be_filtered()
        {
            // <img src> values must match the policy's allowed URL pattern; an
            // off-pattern src is dropped while allowed images and text survive.
            var sanitizer = new AntiSamy();

            var html = @"<div>
                                <img src='mysite.com/image.jpg' /> <!-- to be allowed --!>
                                Some description 
                                <img src='hackers.com/xss.js' />
                             </div>";

            AntiySamyResult result = sanitizer.Scan(html, TestPolicy);
            string clean = result.CleanHtml;

            // Allowed by the URL pattern in antisamy1.xml, plus the plain text.
            clean.Should().Contain("<div");
            clean.Should().Contain("Some description");
            clean.Should().Contain("mysite.com/image.jpg");

            // The off-pattern host must not leak through.
            clean.Should().NotContain("hackers.com/xss.js");
        }