/// <summary>
/// Anchors whose href falls outside the policy's allowed URL pattern must be dropped,
/// while anchors pointing at the permitted site and the surrounding prose survive.
/// </summary>
public void invalid_a_hrefs_should_be_filtered()
{
    var scanner = new AntiSamy();

    // Three permitted hrefs, two foreign ones, plus free text that must be preserved.
    // NOTE(review): the fixture closes its HTML comments with "--!>" rather than "-->";
    // reproduced verbatim because it is part of the input under test.
    var input = @"<div> <a href='mysite.com/image.jpg' /> <!-- to be allowed --!> <a href='mysite.com/some_relative_path' /> <!-- to be allowed --!> <a href='mysite.com/some_relative_path/level2' /> <!-- to be allowed --!> Some description <a href='hackers.com/xss.js' /> <a href='abc.com' /> another description </div>";

    AntiySamyResult result = scanner.Scan(input, TestPolicy);
    string cleaned = result.CleanHtml;

    // Must survive: the container, the prose and every href matching the allowed pattern in antisamy1.xml.
    string[] mustRemain =
    {
        "<div",
        "Some description",
        "another description",
        "mysite.com/image.jpg",
        "mysite.com/some_relative_path",
        "mysite.com/some_relative_path/level2",
    };
    foreach (string fragment in mustRemain)
    {
        cleaned.Should().Contain(fragment);
    }

    // Must be stripped: hrefs that do not match the allowed pattern.
    string[] mustBeGone = { "hackers.com/xss.js", "abc.com" };
    foreach (string fragment in mustBeGone)
    {
        cleaned.Should().NotContain(fragment);
    }
}
/// <summary>
/// Embedding tags (iframe, object, embed, frame, frameset) are not permitted by the test
/// policy and must be removed, while the enclosing div and its text are kept.
/// </summary>
public void invalid_tags_should_be_removed()
{
    var scanner = new AntiSamy();

    // One instance of each disallowed embedding tag inside an otherwise harmless div.
    var input = @"<div> Some description <iframe src='hackers.com/xss' /> <object data='hackers.com/xss' /> <embed /> <frame /> <frameset /> </div>";

    AntiySamyResult result = scanner.Scan(input, TestPolicy);
    string cleaned = result.CleanHtml;

    // Allowed structure and prose survive.
    cleaned.Should().Contain("<div");
    cleaned.Should().Contain("Some description");

    // None of the embedding tags may remain in any form.
    foreach (string tag in new[] { "<iframe", "<object", "<embed", "<frame", "<frameset" })
    {
        cleaned.Should().NotContain(tag);
    }
}
/// <summary>
/// With the site-specific policy, an img tag carrying a relative src and plain sizing
/// attributes must pass through untouched: the cleaned HTML equals the input exactly.
/// </summary>
public void allow_any_src_in_img_tag()
{
    var scanner = new AntiSamy();

    // Product markup as stored: text, a relative image path and width/height/alt attributes.
    var input = "Size Table: ;<p><img src=\"/Assets/ProductImages/chartlar/image.jpg\" width=\"456\" height=\"197\" alt=\"\" /></p> ; Lorem ipsum";

    var sitePolicy = GetPolicy("antisamy-mysite.xml");
    AntiySamyResult result = scanner.Scan(input, sitePolicy);

    // Nothing in this input is disallowed by antisamy-mysite.xml, so the scan must be a no-op.
    result.CleanHtml.Should().Be(input);
}
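/// <summary>
/// Every supported culture (plus the two extra variants listed here) must yield a localized
/// error message when an unknown tag is scanned.
/// </summary>
public void TestMessageInSupportedCulture()
{
    // The policy does not depend on the culture, so verify it once instead of inside the loop
    // where a null policy would be reported as "no message for culture X".
    policy.Should().NotBeNull();

    IEnumerable<string> cultures = Constants.SUPPORTED_LANGUAGES.Union(new List<string> { "en-US", "es-UY" });

    foreach (string cultureName in cultures)
    {
        string message = null;
        Exception failure = null;
        try
        {
            antisamy.SetCulture(cultureName);
            CleanResults results = antisamy.Scan("<unknowntag>", policy);
            results.GetNumberOfErrors().Should().Be(1);
            message = results.GetErrorMessages().First();
        }
        catch (Exception ex)
        {
            // A culture without a resource set, or an unexpected error count, ends up here.
            // The exception is kept so the assertion below can say why the message is missing
            // instead of silently reducing every failure to "message was null".
            failure = ex;
        }

        string detail = failure is null ? string.Empty : $" (failed with: {failure.Message})";
        message.Should().NotBeNull(because: $"\"{cultureName}\" should be a valid culture and have an associated message{detail}.");
    }
}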
/// <summary>
/// Image sources outside the policy's allowed URL pattern must be dropped, while an image on
/// the permitted host and the surrounding text are kept.
/// </summary>
public void invalid_img_urls_should_be_filtered()
{
    var scanner = new AntiSamy();

    // One image on the permitted host, one on a foreign host, plus prose.
    // NOTE(review): the fixture closes its HTML comment with "--!>" rather than "-->";
    // reproduced verbatim because it is part of the input under test.
    var input = @"<div> <img src='mysite.com/image.jpg' /> <!-- to be allowed --!> Some description <img src='hackers.com/xss.js' /> </div>";

    AntiySamyResult result = scanner.Scan(input, TestPolicy);
    string cleaned = result.CleanHtml;

    // Kept: the text, the container and the src matching the allowed pattern in antisamy1.xml.
    foreach (string fragment in new[] { "Some description", "<div", "mysite.com/image.jpg" })
    {
        cleaned.Should().Contain(fragment);
    }

    // Dropped: a src that does not match the allowed pattern.
    cleaned.Should().NotContain("hackers.com/xss.js");
}
/// <summary>
/// External script references and inline scripts must be removed by the default test policy,
/// whether they appear at the top level or nested inside an allowed element.
/// </summary>
public void script_references_should_be_removed_by_default()
{
    var scanner = new AntiSamy();

    // Two top-level scripts (one external, one inline) and one nested inside a div.
    var input = @"<script type='text/javascript' src='hackers.com/xss.js' /> <script>alert('XSS !!!');</script> <div> Some description <script type='text/javascript' src='hackers.com/xss.js' /> </div>";

    AntiySamyResult result = scanner.Scan(input, TestPolicy);
    string cleaned = result.CleanHtml;

    // The div and its text are preserved ...
    cleaned.Should().Contain("<div");
    cleaned.Should().Contain("Some description");

    // ... and no script tag survives regardless of placement.
    cleaned.Should().NotContain("<script");
}
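/// <summary>
/// Classic script-injection payloads (malformed tags, upper-case tags, event handlers,
/// javascript: URLs) must not leave the offending fragment in the cleaned output.
/// </summary>
public void scriptAttacks()
{
    // Scans one payload with the test policy and asserts that the given fragment was stripped.
    void AssertStripped(string payload, string fragment)
    {
        _sut.Scan(payload, TestPolicy).CleanHtml.Contains(fragment).Should().BeFalse(
            because: $"the sanitizer must not leave \"{fragment}\" in the output for \"{payload}\"");
    }

    AssertStripped("test<script>alert(document.cookie)</script>", "script");
    AssertStripped("<<<><<script src=http://fake-evil.ru/test.js>", "<script");
    AssertStripped("<script<script src=http://fake-evil.ru/test.js>>", "<script");
    AssertStripped("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", "<script");
    AssertStripped("<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", "onload");
    AssertStripped("<BODY ONLOAD=alert('XSS')>", "alert");
    AssertStripped("<iframe src=http://ha.ckers.org/scriptlet.html <", "<iframe");
    AssertStripped("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">", "src");

    // This payload was previously scanned without any assertion, so a sanitizer that kept the
    // event handler would have gone unnoticed; the handler attribute must be removed.
    AssertStripped("<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>", "onblur");
}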
/// <summary>
/// Markup that uses only policy-permitted tags and attributes must scan without producing
/// any error messages.
/// </summary>
public void TestDomGoodResult()
{
    const string goodHtml = "<div align=\"right\">html</div>";

    var results = antisamy.Scan(goodHtml, policy);

    // A clean document yields an empty error list, not merely a non-null one.
    results.GetErrorMessages().Should().BeEmpty();
}