/// <summary>
/// An anchor whose href is a plain (non-javascript) URL must come back from Decode
/// untouched when sanitization is switched off.
/// </summary>
public void DoNotClearUrlText()
{
    const string markup = "Please click <a href=\"www.curl.com\">here</a>.";
    var extender = new HtmlEditorExtender { EnableSanitization = false };

    var decoded = extender.Decode(markup);

    Assert.AreEqual(markup, decoded);
}
/// <summary>
/// A bare, unclosed &lt;script&gt; tag is removed by Decode even with sanitization disabled;
/// nothing else in the input survives, so the result is the empty string.
/// </summary>
public void StripScriptTagWithoutAttributes()
{
    var extender = new HtmlEditorExtender();
    extender.EnableSanitization = false;

    var decoded = extender.Decode(@" <script>");

    Assert.AreEqual("", decoded);
}
/// <summary>
/// Assigning an HtmlAgilityPack-based provider is reflected by the SanitizerProvider property.
/// </summary>
public void TestDecodeSanitizerProvider()
{
    var editor = new HtmlEditorExtender
    {
        SanitizerProvider = new HtmlAgilityPackSanitizerProvider()
    };

    var providerName = editor.SanitizerProvider.ToString();

    Assert.AreEqual("AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider", providerName);
}
/// <summary>
/// "scriptlevel" merely starts with "script"; it is a MathML attribute, not a script tag,
/// so the markup must pass through Decode unchanged.
/// </summary>
public void DoNotStripTagsWithAttributeNameStartsWithScript()
{
    const string mathMl = @"<mrow class=""MJX-TeXAtom-ORD""><mstyle displaystyle=""true"" scriptlevel=""0""></mstyle></mrow>";
    var extender = new HtmlEditorExtender();
    extender.EnableSanitization = false;

    Assert.AreEqual(mathMl, extender.Decode(mathMl));
}
/// <summary>
/// With the default sanitizer, an image whose src is a data: PNG is kept while a
/// data:text/javascript src is removed.
/// </summary>
public void DoNotStripDataEncodedImage()
{
    const string markup = @" <img src=""data:text/javascript,alert(1)""> <img src=""data:image/png;base64,iVBOReprst""> ";

    using (var editor = new HtmlEditorExtender { Sanitizer = new DefaultHtmlSanitizer() })
    {
        var decoded = editor.Decode(markup);

        Assert.True(decoded.Contains("data:image/png"));
        Assert.False(decoded.Contains("data:text/javascript"));
    }
}
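/// <summary>
/// Data-driven check of Decode: each data row supplies an "Input" fragment and the "Output"
/// expected after decoding through the HtmlAgilityPack sanitizer provider.
/// </summary>
public void TestDecode()
{
    // Arrange
    var editor = new HtmlEditorExtender();
    editor.SanitizerProvider = new HtmlAgilityPackSanitizerProvider();
    var input = TestContext.DataRow["Input"] as string;
    var output = TestContext.DataRow["Output"] as string;

    // Act
    var result = editor.Decode(input);

    // Assert
    // Compare the expected output with what Decode produced; the previous version compared
    // "Output" against the raw "Input", so the decoder's result was never checked.
    Assert.AreEqual(output, result);
}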
/// <summary>
/// With sanitization enabled and a pass-through sanitizer, plain whitelisted elements
/// (span, br) are returned by Decode exactly as given.
/// </summary>
public void AlwaysHasDefaultWhitelistEements()
{
    // A sanitizer double that hands every fragment back unchanged.
    var passThrough = new Mock<IHtmlSanitizer>();
    passThrough
        .Setup(s => s.GetSafeHtmlFragment(It.IsAny<string>(), It.IsAny<Dictionary<string, string[]>>()))
        .Returns((string fragment, Dictionary<string, string[]> whitelist) => fragment);

    var extender = new HtmlEditorExtender();
    extender.EnableSanitization = true;
    extender.Sanitizer = passThrough.Object;

    const string markup = "<span>text</span><br />";
    var decoded = extender.Decode(markup);

    Assert.AreEqual(markup, decoded);
}
/// <summary>
/// Decode strips script blocks, javascript: hrefs and dangerous style attributes even when
/// EnableSanitization is off, while leaving harmless markup (style blocks, comments) alone.
/// </summary>
public void RemoveInsecureHtml()
{
    using (var editor = new HtmlEditorExtender())
    {
        editor.EnableSanitization = false;

        // Script tags go together with their content; earlier versions kept "Z".
        Assert.AreEqual("A", editor.Decode("A<script>Z"));
        // Earlier versions returned "<script>Z" unchanged.
        Assert.AreEqual("", editor.Decode("<script>Z"));
        Assert.AreEqual("AZ", editor.Decode("A<script attr>...</script attr>Z"));

        // Earlier versions yielded "Hello world!alert()" - see https://github.com/DevExpress/AjaxControlToolkit/issues/525
        Assert.AreEqual(
            "Hello world! ",
            editor.Decode("Hello world! <script>alert();</script>")
        );

        // Earlier versions yielded "<style</style>" - see https://github.com/DevExpress/AjaxControlToolkit/issues/513
        var styleBlock = "<style><!-- body { font-family: Script; } --></style>";
        Assert.AreEqual(styleBlock, editor.Decode(styleBlock));

        // Earlier versions yielded "<pClick me</a></p>"; the javascript: href is dropped, the anchor kept.
        Assert.AreEqual(
            "<p><a>Click me</a></p>",
            editor.Decode("<p><a href='javascript:alert()'>Click me</a></p>")
        );

        // Filter keywords inside an HTML comment are not content and must not be touched.
        var htmlComment = "<!-- behavior of expression filter data:text/plain -->";
        Assert.AreEqual(htmlComment, editor.Decode(htmlComment));

        // Style attributes carrying expression/position/filter/behavior are removed entirely.
        var styledParagraphs =
            "<p style='width: expression(1)'>" +
            "<p style='position: absolute'>" +
            "<p style='filter: inherit'>" +
            "<p style='behavior: url(something.htc)>";
        Assert.AreEqual("<p><p><p><p>", editor.Decode(styledParagraphs));
    }
}
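/// <summary>
/// Builds one collapsible preview per row of <paramref name="dt_tac_data"/> and appends it to
/// <c>div_previews</c>: a toggle header (label + creation date), then a table of HTML-encoded
/// agreement fields followed by two rich-text editors (conditions, payment information).
/// </summary>
/// <param name="dt_tac_data">
/// TAC rows. Expects the columns read below (AgreementNumber, CompanyName, sale_person,
/// sale_email, sale_contact_no, sale_address, sale_phno, DateCreated, DateModified,
/// StatusList, signedby, tn_condition, PaymentInformation).
/// </param>
protected void GenerateTacPreviews(DataTable dt_tac_data)
{
    // Sample the clock once so every control belonging to row i carries the same suffix;
    // sampling DateTime.Now.Ticks per control could give one row mixed suffixes.
    // NOTE(review): tick-based IDs differ on every request, so these dynamically created
    // controls cannot be matched to ViewState/postback data across requests - confirm intended.
    long ticks = DateTime.Now.Ticks;
    int rowCount = dt_tac_data.Rows.Count;

    for (int i = 0; i < rowCount; i++)
    {
        DataRow row = dt_tac_data.Rows[i];
        string suffix = ticks + "_" + i;

        HtmlTable t = new HtmlTable();

        // Expandable body panel that hosts the detail table.
        Panel p_expand = new Panel();
        p_expand.ID = "p_ex_" + suffix;
        p_expand.BorderColor = Color.Red;
        p_expand.BorderWidth = 1;
        p_expand.BackColor = Color.LightGray;
        p_expand.Width = 730;
        p_expand.Controls.Add(t);

        // Header panel: toggle label plus creation date.
        Panel p_collapse = new Panel();
        p_collapse.ID = "p_co_" + suffix;

        Label lbl_toggle = new Label();
        lbl_toggle.BackColor = Color.MintCream;
        lbl_toggle.ForeColor = Color.Gray;
        lbl_toggle.Height = 25;
        lbl_toggle.Width = 400;
        lbl_toggle.Font.Bold = true;
        Util.AddHoverAndClickStylingAttributes(lbl_toggle, true);
        lbl_toggle.ID = "lbl_co" + suffix;
        // Static client-side script (no data interpolated): grows/shrinks the hosting RadWindow.
        lbl_toggle.Attributes.Add("onclick", "var w=GetRadWindow(); if(w.get_height() == 200){w.set_height(800);}else{w.set_height(200);} w.center();");
        p_collapse.Controls.Add(lbl_toggle);

        // Only the date part (first 10 characters) is shown; guard against shorter values
        // so a malformed DateCreated cannot throw ArgumentOutOfRangeException.
        string created = row["DateCreated"].ToString();
        string createdDatePart = created.Length > 10 ? created.Substring(0, 10) : created;

        Label lbl_date = new Label();
        lbl_date.Text = " Created " + Server.HtmlEncode(createdDatePart);
        lbl_date.ForeColor = Color.DarkOrange;
        lbl_date.Attributes.Add("style", "position:relative; top:8px;");
        p_collapse.Controls.Add(lbl_date);

        div_previews.Controls.Add(p_collapse);
        div_previews.Controls.Add(p_expand);

        // Agreement fields; every value is HTML-encoded because it is emitted inside markup.
        AddEncodedRow(t, "Agreement Number:", row["AgreementNumber"]);
        AddEncodedRow(t, "Company Name:", row["CompanyName"]);
        AddEncodedRow(t, "Sale Person:", row["sale_person"]);
        AddEncodedRow(t, "Sale E-mail:", row["sale_email"]);
        AddEncodedRow(t, "Sale Contact No.:", row["sale_contact_no"]);
        AddEncodedRow(t, "Sale Address:", row["sale_address"]);
        AddEncodedRow(t, "Sale Phone:", row["sale_phno"]);
        AddEncodedRow(t, "Date Created:", row["DateCreated"]);
        AddEncodedRow(t, "Date Modified:", row["DateModified"]);
        AddEncodedRow(t, "Status:", row["StatusList"]);
        AddEncodedRow(t, "Signed By:", row["signedby"]);

        // Conditions editor.
        t.Rows.Add(MakeRow("<br/><b>Conditions:</b>"));
        AddEditorRow(t, "tb_c_prev_" + suffix, "html_c_e" + suffix, 500, row["tn_condition"].ToString());

        t.Rows.Add(MakeRow("<br/>"));

        // Payment editor.
        t.Rows.Add(MakeRow("<b>Payment Information:</b>"));
        AddEditorRow(t, "tb_p_prev_" + suffix, "html_p_e" + suffix, 250, row["PaymentInformation"].ToString());

        t.Rows.Add(MakeRow("<br/><br/>"));

        // Collapsible behaviour: the header panel toggles the body panel.
        CollapsiblePanelExtender cpe = new CollapsiblePanelExtender();
        cpe.ID = "cpe_" + suffix;
        cpe.ScrollContents = true;
        cpe.ExpandDirection = CollapsiblePanelExpandDirection.Vertical;
        cpe.AutoExpand = false;
        cpe.AutoCollapse = false;
        cpe.ExpandedSize = 750;
        cpe.CollapsedSize = 0;
        // The agreement number is encoded like every other field written into markup; the
        // toggle text is rendered into the label on the client, so raw data must not reach it.
        cpe.CollapsedText = " Click to expand TAC agreement " + Server.HtmlEncode(row["AgreementNumber"].ToString()) + " (" + (i + 1) + " of " + rowCount + ")";
        cpe.ExpandedText = cpe.CollapsedText.Replace(" expand ", " collapse ");
        cpe.Collapsed = true;
        cpe.TargetControlID = p_expand.ID;
        cpe.CollapseControlID = p_collapse.ID;
        cpe.ExpandControlID = p_collapse.ID;
        cpe.TextLabelID = lbl_toggle.ID;
        p_expand.Controls.Add(cpe);

        div_previews.Controls.Add(new LiteralControl("<hr/>"));
        div_previews.Controls.Add(new LiteralControl("<br/>"));
    }
}

// Appends a "<b>label</b> value" row to the table, HTML-encoding the cell value.
private void AddEncodedRow(HtmlTable table, string label, object value)
{
    table.Rows.Add(MakeRow("<b>" + label + "</b> " + Server.HtmlEncode(value.ToString())));
}

// Appends a white cell holding a multi-line TextBox wired to an HtmlEditorExtender.
private void AddEditorRow(HtmlTable table, string textBoxId, string editorId, int height, string text)
{
    HtmlTableRow r = new HtmlTableRow();
    HtmlTableCell c = new HtmlTableCell();
    c.BgColor = "White";
    table.Rows.Add(r);
    r.Cells.Add(c);

    TextBox tb_preview = new TextBox();
    tb_preview.EnableViewState = true;
    tb_preview.TextMode = TextBoxMode.MultiLine;
    tb_preview.ID = textBoxId;
    tb_preview.Height = height;
    tb_preview.Width = 700;
    tb_preview.Text = text;

    HtmlEditorExtender html_e = new HtmlEditorExtender();
    html_e.ID = editorId;
    html_e.TargetControlID = tb_preview.ID;
    html_e.DisplaySourceTab = true;

    c.Controls.Add(tb_preview);
    c.Controls.Add(html_e);
}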