public ActionResult EditRecomment(Blog blogView, string[] link, int[] linkId, string recommentTitle, int[] selectedCategory, string[] linkDescription)
{
if (ModelState.IsValid)
{
var userId = User.Identity.GetUserId <int>();
var blog = _blogService.Find(blogView.Id, userId);
blog.Title = blogView.Title;
blog.TimeStamp = DateTime.Now;
blog.HtmlContent = Sanitizer.GetSafeHtml(blogView.HtmlContent);
blog.Content = blogView.Content;
if (blogView.Status == BlogStatus.Report || blogView.Status == BlogStatus.Verify)
{
blog.Status = BlogStatus.Verify;
}
else
{
blog.Status = BlogStatus.Publish;
}
blog = _blogService.Update(blog, link, linkId, linkDescription);
HttpPostedFileBase file = Request.Files["fileField"];
_blogService.SaveRecomment(file, recommentTitle, blog.Id, selectedCategory);
return(RedirectToAction("PublishSuccess", new { id = blog.Id }));
}
blogView.Links = new Collection <Link>();
return(View(blogView));
}
public ActionResult SaveTestimonialDetails(TestimonialModel testimonialModel)
{
var serialization = new Serialization();
var testimonialBA = new Testimonial();
var HashCriteria = new Hashtable();
var TestimonialDetails = new TestimonialModel();
var actualCriteria = string.Empty;
if (ModelState.IsValid)
{
HashCriteria.Add("ID", testimonialModel.ID);
HashCriteria.Add("Author", testimonialModel.Author);
var description = Sanitizer.GetSafeHtml(testimonialModel.Description);
HashCriteria.Add("Description", description);
HashCriteria.Add("UserID", userID);
actualCriteria = serialization.SerializeBinary((object)HashCriteria);
var result = testimonialBA.SaveTestimonialDetails(actualCriteria);
var testimonialID = Convert.ToInt32(serialization.DeSerializeBinary(Convert.ToString(result)));
SaveTestimonialImages(testimonialID);
Session["TestimonialImages"] = null;
if (testimonialModel.ID <= 0)
{
TempData["TestimonialSuccess"] = "Testimonial details has been saved successfully..!";
}
else
{
TempData["TestimonialSuccess"] = "Testimonial details has been modified successfully..!";
}
}
return(RedirectToAction("Admin", "Dashboard"));
}
public ActionResult Manifest(Guid id)
{
var model = computerDataService.SelectOne(c => c.Id == id);
model.ManifestHtml = Sanitizer.GetSafeHtml(model.ManifestHtml);
return(View(model));
}
public ActionResult FroalaAutoSave(string body, int?postId) // نام پارامتر بادي را تغيير ندهيد
{
body = Sanitizer.GetSafeHtml(body);
//todo: save body ...
return(new EmptyResult());
}
/// <summary>
/// 过滤脚本
/// </summary>
/// <param name="value"></param>
/// <param name="defalutValue"></param>
/// <returns></returns>
public static string FilterJavaScript(this string value, string defalutValue)
{
if (value.IsNullOrEmpty())
{
return(defalutValue);
}
else
{
return(Sanitizer.GetSafeHtml(value));
}
}
public void GetSafeHtml_SourceEncodingShouldBeRemovedFromImageTag()
{
// Arrange
const string input = "<html><head></head><body><IMG SRC=\"jav	ascript:alert('XSS');\"></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<img src=\"\">\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_LinkTagsShouldBeRemoved()
{
// Arrange
const string input = "<html><head><link rel=javascript:alert('XSS');></head><body></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_ScriptInImageSourceShouldBeRemovedThree()
{
// Arrange
const string input = "<html><head></head><body><img src=jav ascript:alert('XSS');></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<img src=\"jav\">\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_ScriptInMalformedImageTagShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><img><script>alert(\"XSS\")</script></img></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<img>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_EmbedTagsShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><embed src=\"\" AllowScriptAccess=\"always\"></embed></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_OnMouseOverAttributeOnTagShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><p onmouseover=\"\"></p></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<p></p>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_StyleableAttributeOnTagShouldBeRemovedLeavingOtherTags()
{
// Arrange
const string input = "<html><head></head><body><a href=\"\" style=\"\"></a></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<a href=\"\"></a>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_ScriptInTableBackgroundAttributeShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><table background=\"javascript:alert('XSS');\"></table></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<table background=\"\">\r\n</table>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_DivTagsShouldNotBeAdded()
{
// Arrange
const string input = "<html><head></head><body><input type=\"text\" /></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<input type=\"text\">\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_DuplicateAttributesShouldBeHandledAppropriately()
{
// Arrange
const string input = "<html><head></head><body><p id=\"\" id=\"\" style=\"\" style=\"\"></p></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<p id=\"\" id=\"\"></p>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_StyleTagShouldBeRemovedUserTwo()
{
// Arrange
const string input = "<div style=\"font-family:Foo,Bar\\,'a\\a';font-family:';color:expression(alert(1));y'\">aaa</div>";
const string expected = "<html>\r\n<body>\r\n<div>aaa</div>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_ErrorAttributeShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><img src=\"\" onerror=\"XSS\" /></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<img src=\"\">\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_OnLoadAttributeOnBodyTagShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body onload=\"\"></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_StyleTagInHeaderShouldBeRemoved()
{
// Arrange
const string input = "<html><head><style></style></head><body></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_ShouldNotRemoveNonOffendingText()
{
// Arrange
const string input = "<html><head></head><body><script>alert('hi');</script>This text is removed</body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\nThis text is removed\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_MetaTagsShouldBeRemoved()
{
// Arrange
const string input = "<html><head><meta http-equiv=\"refresh\" content=\"0;url=javascript:alert('XSS');\"></head><body></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_StyleTagInHeaderShouldBeRemovedAdvanced()
{
// Arrange
const string input = "<html><head><style>* {color:rgb(0,0,0)\\-o-link:'data:text/html,%3c%73%63%72%69%70%74%3e%61%6c%65%72%74%28%31%29%3c%2f%73%63%72%69%70%74%3e';color:rgb(x)\\-o-link-source:current;}</style></head><body></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_ObjectTagsShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><object classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></object></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public ActionResult Edit(Article article)
{
if (ModelState.IsValid)
{
article.Body = Sanitizer.GetSafeHtml(article.Body);
db.Articles.Attach(article);
db.ObjectStateManager.ChangeObjectState(article, EntityState.Modified);
db.SaveChanges();
return(RedirectToAction("Index"));
}
return(View(article));
}
public void GetSafeHtml_XMLTagsShouldBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><xml id=\"xss\"></xml></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_OutOfOrderTagsShouldStillRemoveScriptsTwo()
{
// Arrange
const string input = "<html><head></head><body><div><p><div><p><script src=\"\" /></p></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<div>\r\n<p></p>\r\n<div>\r\n<p></p>\r\n</div>\r\n</div>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public void GetSafeHtml_ChildControlsShouldNotBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><a href=\"\" target=\"\"><img src=\"\" /> My Image</a></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<a href=\"\" target=\"\"><img src=\"\"> My Image</a>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public ActionResult Create(Article article)
{
if (ModelState.IsValid)
{
article.Body = Sanitizer.GetSafeHtml(article.Body);
db.Articles.AddObject(article);
db.SaveChanges();
return(RedirectToAction("Index"));
}
return(View(article));
}
public void GetSafeHtml_NonBlacklistedTagsShouldNotBeRemoved()
{
// Arrange
const string input = "<html><head></head><body><b>Some text</b><strong>More text</strong></body></html>";
const string expected = "<html>\r\n<head>\r\n</head>\r\n<body>\r\n<b>Some text</b><strong>More text</strong>\r\n</body>\r\n</html>\r\n";
// Act
string actual = Sanitizer.GetSafeHtml(input);
// Assert
Assert.AreEqual(expected, actual);
}
public IActionResult Demo(MyPerson model)
{
if (ModelState.IsValid)
{
model.Bio = Sanitizer.GetSafeHtml(model.Bio);
ViewData.Model = model;
return(View("DemoResult"));
}
ModelState.AddModelError("", "This is not connected to a field!");
return(View());
}
