public void DoNotClearUrlText()
        {
            // With sanitization switched off, an anchor whose href is a plain URL
            // must come back from Decode byte-for-byte.
            var markup = "Please click <a href=\"www.curl.com\">here</a>.";
            var extender = new HtmlEditorExtender {
                EnableSanitization = false
            };

            var decoded = extender.Decode(markup);

            Assert.AreEqual(markup, decoded);
        }
        public void StripScriptTagWithoutAttributes()
        {
            // A bare <script> tag (no attributes, no content) is dropped entirely,
            // leaving an empty result even though sanitization is disabled.
            var extender = new HtmlEditorExtender();
            extender.EnableSanitization = false;

            var decoded = extender.Decode(@" <script>");

            Assert.AreEqual(string.Empty, decoded);
        }
        public void TestDecodeSanitizerProvider()
        {
            // Arrange: assign the HtmlAgilityPack-backed provider at construction time.
            var editor = new HtmlEditorExtender {
                SanitizerProvider = new HtmlAgilityPackSanitizerProvider()
            };

            // Act: read back the provider that the extender now reports.
            var providerName = editor.SanitizerProvider.ToString();

            // Assert
            Assert.AreEqual("AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider", providerName);
        }
        public void DoNotStripTagsWithAttributeNameStartsWithScript()
        {
            // "scriptlevel" merely starts with "script": the MathML element carrying it
            // must not be mistaken for a <script> tag and stripped.
            var markup = @"<mrow class=""MJX-TeXAtom-ORD""><mstyle displaystyle=""true"" scriptlevel=""0""></mstyle></mrow>";

            var extender = new HtmlEditorExtender();
            extender.EnableSanitization = false;
            var decoded = extender.Decode(markup);

            Assert.AreEqual(markup, decoded);
        }
        public void DoNotStripDataEncodedImage()
        {
            // The default sanitizer must keep an image data: URI while dropping a script-bearing one.
            const string markup = @"
                    <img src=""data:text/javascript,alert(1)"">
                    <img src=""data:image/png;base64,iVBOReprst"">
                ";

            using (var html = new HtmlEditorExtender()) {
                html.Sanitizer = new DefaultHtmlSanitizer();

                var decodedText = html.Decode(markup);

                Assert.True(decodedText.Contains("data:image/png"));
                Assert.False(decodedText.Contains("data:text/javascript"));
            }
        }
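        public void TestDecode()
        {
            // Arrange: data-driven case — the Input/Output columns come from the current TestContext row.
            var editor = new HtmlEditorExtender();

            editor.SanitizerProvider = new HtmlAgilityPackSanitizerProvider();
            var input  = TestContext.DataRow["Input"] as string;
            var output = TestContext.DataRow["Output"] as string;

            // A missing Input column would otherwise surface as a failure inside Decode rather than here.
            Assert.IsNotNull(input, "Input column of the test data row is null or not a string");

            // Act
            var result = editor.Decode(input);

            // Assert: compare the expected output with what Decode produced. The previous assertion
            // compared Output against Input, so the decoder's result was never checked at all.
            Assert.AreEqual(output, result);
        }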
        public void AlwaysHasDefaultWhitelistEements()
        {
            // A pass-through sanitizer mock hands its input back unchanged, so the
            // whitelisted elements in the sample (<span>, <br />) must reach the output as-is.
            var passThrough = new Mock <IHtmlSanitizer>();
            passThrough
                .Setup(s => s.GetSafeHtmlFragment(It.IsAny <string>(), It.IsAny <Dictionary <string, string[]> >()))
                .Returns((string fragment, Dictionary <string, string[]> whitelist) => fragment);

            var extender = new HtmlEditorExtender {
                EnableSanitization = true,
                Sanitizer = passThrough.Object
            };

            var markup  = "<span>text</span><br />";
            var decoded = extender.Decode(markup);

            Assert.AreEqual(markup, decoded);
        }
        public void RemoveInsecureHtml()
        {
            // Each case is { markup fed to Decode, markup expected back }. Even with
            // EnableSanitization off, script tags, javascript: hrefs and the listed style
            // attributes are removed, while HTML comments and <style> blocks are kept.
            var issue513html = "<style><!-- body { font-family: Script; } --></style>";
            var comment      = "<!-- behavior of expression filter data:text/plain -->";

            var cases = new[] {
                // was "Z"
                new[] { "A<script>Z", "A" },
                // was "<script>Z"
                new[] { "<script>Z", "" },
                new[] { "A<script attr>...</script attr>Z", "AZ" },
                // was "Hello world!alert()" - see https://github.com/DevExpress/AjaxControlToolkit/issues/525
                new[] { "Hello world! <script>alert();</script>", "Hello world! " },
                // was "<style</style>" - see https://github.com/DevExpress/AjaxControlToolkit/issues/513
                new[] { issue513html, issue513html },
                // was "<pClick me</a></p>"
                new[] { "<p><a href='javascript:alert()'>Click me</a></p>", "<p><a>Click me</a></p>" },
                new[] { comment, comment },
                new[] {
                    "<p style='width: expression(1)'>" +
                    "<p style='position: absolute'>" +
                    "<p style='filter: inherit'>" +
                    "<p style='behavior: url(something.htc)>",
                    "<p><p><p><p>"
                }
            };

            using (var html = new HtmlEditorExtender()) {
                html.EnableSanitization = false;

                for (int n = 0; n < cases.Length; n++) {
                    var input    = cases[n][0];
                    var expected = cases[n][1];
                    Assert.AreEqual(expected, html.Decode(input), "case " + n);
                }
            }
        }
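    /// <summary>
    /// Appends one collapsible preview per row of <paramref name="dt_tac_data"/> to <c>div_previews</c>:
    /// a clickable header (toggle label plus creation date) and an expandable table listing the agreement
    /// fields, followed by two HtmlEditorExtender-backed textboxes for the conditions and payment text.
    /// </summary>
    /// <param name="dt_tac_data">
    /// TAC rows. Columns read: AgreementNumber, CompanyName, sale_person, sale_email, sale_contact_no,
    /// sale_address, sale_phno, DateCreated, DateModified, StatusList, signedby, tn_condition, PaymentInformation.
    /// </param>
    /// <exception cref="ArgumentNullException"><paramref name="dt_tac_data"/> is null.</exception>
    protected void GenerateTacPreviews(DataTable dt_tac_data)
    {
        if (dt_tac_data == null) {
            throw new ArgumentNullException("dt_tac_data");
        }

        // One tick stamp per call keeps IDs unique across calls; the row index keeps them unique
        // within a call. (Reading DateTime.Now.Ticks anew for every ID, as before, could even split
        // the controls of a single row across two different stamps.)
        // NOTE(review): the stamp changes on every request, so these IDs are not stable across
        // postbacks; whether EnableViewState on the textboxes ever takes effect should be confirmed.
        string stamp    = DateTime.Now.Ticks.ToString();
        int    rowCount = dt_tac_data.Rows.Count;

        for (int i = 0; i < rowCount; i++)
        {
            DataRow row    = dt_tac_data.Rows[i];
            string  suffix = stamp + "_" + i;

            // Expandable body: a bordered panel wrapping the field table.
            HtmlTable t        = new HtmlTable();
            Panel     p_expand = new Panel();
            p_expand.ID          = "p_ex_" + suffix;
            p_expand.BorderColor = Color.Red;
            p_expand.BorderWidth = 1;
            p_expand.BackColor   = Color.LightGray;
            p_expand.Width       = 730;
            p_expand.Controls.Add(t);

            // Header: the toggle label and the creation date.
            Panel p_collapse = new Panel();
            p_collapse.ID = "p_co_" + suffix;

            Label lbl_toggle = new Label();
            lbl_toggle.BackColor = Color.MintCream;
            lbl_toggle.ForeColor = Color.Gray;
            lbl_toggle.Height    = 25;
            lbl_toggle.Width     = 400;
            lbl_toggle.Font.Bold = true;
            Util.AddHoverAndClickStylingAttributes(lbl_toggle, true);
            lbl_toggle.ID = "lbl_co" + suffix;
            // Client-side: toggles the hosting RadWindow between 200px and 800px high and re-centres it.
            lbl_toggle.Attributes.Add("onclick", "var w=GetRadWindow(); if(w.get_height() == 200){w.set_height(800);}else{w.set_height(200);} w.center();");
            p_collapse.Controls.Add(lbl_toggle);

            Label lbl_date = new Label();
            lbl_date.Text      = "&nbsp;Created " + Server.HtmlEncode(DatePart(row["DateCreated"]));
            lbl_date.ForeColor = Color.DarkOrange;
            lbl_date.Attributes.Add("style", "position:relative; top:8px;");
            p_collapse.Controls.Add(lbl_date);

            div_previews.Controls.Add(p_collapse);
            div_previews.Controls.Add(p_expand);

            // Field rows: display label -> source column. Every value is HTML-encoded before it is
            // concatenated into markup.
            string[,] fields = {
                { "Agreement Number", "AgreementNumber" },
                { "Company Name",     "CompanyName" },
                { "Sale Person",      "sale_person" },
                { "Sale E-mail",      "sale_email" },
                { "Sale Contact No.", "sale_contact_no" },
                { "Sale Address",     "sale_address" },
                { "Sale Phone",       "sale_phno" },
                { "Date Created",     "DateCreated" },
                { "Date Modified",    "DateModified" },
                { "Status",           "StatusList" },
                { "Signed By",        "signedby" }
            };
            for (int f = 0; f < fields.GetLength(0); f++)
            {
                t.Rows.Add(MakeRow("<b>" + fields[f, 0] + ":</b> " + EncodeCell(row, fields[f, 1])));
            }

            // Conditions editor
            t.Rows.Add(MakeRow("<br/><b>Conditions:</b>"));
            AddEditorRow(t, "c", suffix, 500, row["tn_condition"].ToString());
            t.Rows.Add(MakeRow("<br/>"));

            // Payment editor
            t.Rows.Add(MakeRow("<b>Payment Information:</b>"));
            AddEditorRow(t, "p", suffix, 250, row["PaymentInformation"].ToString());
            t.Rows.Add(MakeRow("<br/><br/>"));

            // Collapsible panel wiring: the header panel toggles the body panel; the label text
            // flips between the expand and collapse wording.
            CollapsiblePanelExtender cpe = new CollapsiblePanelExtender();
            cpe.ID                = "cpe_" + suffix;
            cpe.ScrollContents    = true;
            cpe.ExpandDirection   = CollapsiblePanelExpandDirection.Vertical;
            cpe.AutoExpand        = false;
            cpe.AutoCollapse      = false;
            cpe.ExpandedSize      = 750;
            cpe.CollapsedSize     = 0;
            // The agreement number is encoded here exactly like in the table rows: this text already
            // carries markup (&nbsp;), so an unencoded DB value would be rendered as HTML in the label.
            cpe.CollapsedText     = "&nbsp;Click to expand TAC agreement " + EncodeCell(row, "AgreementNumber") + " (" + (i + 1) + " of  " + rowCount + ")";
            cpe.ExpandedText      = cpe.CollapsedText.Replace(" expand ", " collapse ");
            cpe.Collapsed         = true;
            cpe.TargetControlID   = p_expand.ID;
            cpe.CollapseControlID = p_collapse.ID;
            cpe.ExpandControlID   = p_collapse.ID;
            cpe.TextLabelID       = lbl_toggle.ID;
            p_expand.Controls.Add(cpe);

            // Separator between previews
            div_previews.Controls.Add(new LiteralControl("<hr/>"));
            div_previews.Controls.Add(new LiteralControl("<br/>"));
        }
    }

    // HTML-encodes one cell of the row (DBNull stringifies to "") so DB text cannot inject markup.
    private string EncodeCell(DataRow row, string column)
    {
        return Server.HtmlEncode(row[column].ToString());
    }

    // First 10 characters of the stored DateCreated text (the date part, as the original Substring(0, 10)
    // assumed). Shorter values — e.g. DBNull, which stringifies to "" — are returned whole instead of
    // throwing ArgumentOutOfRangeException.
    private static string DatePart(object value)
    {
        string text = value == null ? "" : value.ToString();
        return text.Length > 10 ? text.Substring(0, 10) : text;
    }

    // Adds a white table row holding a multi-line TextBox wired to an HtmlEditorExtender with the
    // source tab enabled. key is "c" (conditions) or "p" (payment) and only shapes the control IDs.
    private void AddEditorRow(HtmlTable t, string key, string suffix, int height, string text)
    {
        HtmlTableRow  r = new HtmlTableRow();
        HtmlTableCell c = new HtmlTableCell();
        c.BgColor = "White";
        t.Rows.Add(r);
        r.Cells.Add(c);

        TextBox tb_preview = new TextBox();
        tb_preview.EnableViewState = true;
        tb_preview.TextMode        = TextBoxMode.MultiLine;
        tb_preview.ID     = "tb_" + key + "_prev_" + suffix;
        tb_preview.Height = height;
        tb_preview.Width  = 700;
        // Assigned to TextBox.Text (not concatenated into markup), unchanged from the original.
        tb_preview.Text   = text;

        HtmlEditorExtender html_e = new HtmlEditorExtender();
        html_e.ID               = "html_" + key + "_e" + suffix;
        html_e.TargetControlID  = tb_preview.ID;
        html_e.DisplaySourceTab = true;

        c.Controls.Add(tb_preview);
        c.Controls.Add(html_e);
    }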