Example #1
1
        public void DivBackgroundImageWithUnicodedXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = @"<DIV STYLE=""background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0027\0058\0053\0053\0027\0029'\0029"">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<div></div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #2
0
        static HtmlSanitizerUtility()
        {
            _sanitizerReducedSet = new HtmlSanitizer();
            _sanitizerReducedSet.AllowedTags = new List<string>()
            {
                "b",
                "blockquote",
                "code",
                "del",
                "dd",
                "dl",
                "dt",
                "em",
                "h1",
                "h2",
                "h3",
                "i",
                "kbd",
                "li",
                "ol",
                "p",
                "pre",
                "s",
                "sup",
                "sub",
                "strong",
                "strike",
                "ul",
                "br",
                "hr",
            };

            _noHtmlSanitizer = new HtmlSanitizer();
            _baseSite = VirtualPathUtility.ToAbsolute("~/");
        }
Example #3
0
        public void BRJavascriptIncludeXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<BR SIZE=\"&{alert('XSS')}\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<BR>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #4
0
        public void ImageInputXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<input type=\"image\">";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #5
0
        public void DivJavascriptEscapingXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<div style=\"\";alert('XSS');//\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<div></div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #6
0
        public void ImageDoubleOpenAngleBracketXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<image src=http://ha.ckers.org/scriptlet.html <";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #7
0
        public void ImageSpaceAndMetaCharXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC=\" &#14;  javascript:alert('XSS');\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #8
0
        public void ImageNullBreaksUpXSSTest2()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #9
0
        public void ImageNullBreaksUpXSSTest1()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC=java\0script:alert(\"XSS\")>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #10
0
        public void ImageMultilineInjectedXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = @"<IMG
SRC
=
"" 
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
'
X
S
S
'
)
""
>
";

            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>\n";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #11
0
        public void ImageEmbeddedCarriageReturnXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #12
0
        public void ImageHexEncodeXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #13
0
        public void ImageLongUTF8UnicodeXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #14
0
        public void PWithUrlInStyleXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<p STYLE=\"behavior: url(www.ha.ckers.org);\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            // intentionally keep it failing to get notice when reviewing unit tests so can disucss
            string expected = "<p></p>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #15
0
        public void ImageWithVBScriptXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC='vbscript:msgbox(\"XSS\")'>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #16
0
        public void XmlNamespaceXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<HTML xmlns:xss>  <?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\">  <xss:xss>XSS</xss:xss></HTML>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #17
0
        public void XmlWithCDataXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<SPAN></SPAN>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #18
0
        public void EmbedTagXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #19
0
        public void EmbedSVGXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #20
0
        public void AnchorTagStyleExpressionXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(\"XSS\"))'>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "exp/*<a></a>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #21
0
        public void BaseTagXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<BASE HREF=\"javascript:alert('XSS');//\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #22
0
        public void DivExpressionXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<DIV STYLE=\"width: expression(alert('XSS'));\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<div></div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #23
0
        public void ImageStyleExpressionXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<IMG>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #24
0
        public void TDXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<table><tbody><tr><td></td></tr></tbody></table>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #25
0
        public void DivBackgroundImageWithExtraCharactersXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<DIV STYLE=\"background-image: url(&#1;javascript:alert('XSS'))\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<div></div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #26
0
        public void FrameXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #27
0
        public void ImageWithLivescriptXSSTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC=\"Livescript:[code]\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<img>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #28
-1
 public static string Sanitize(string unsafeHTML)
 {
     var sanitizer = new Html.HtmlSanitizer();
       // sanitizer.AllowedTags = new[] { "a", "p", "br", "img" };
       var sanitized = sanitizer.Sanitize(unsafeHTML, HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Authority));
       return sanitized;
 }
Example #29
-1
    public static string Sanitize(string unsafeHTML)
    {
        var sanitizer = new Html.HtmlSanitizer();
        // sanitizer.AllowedTags = new[] { "a", "p", "br", "img" };
        var sanitized = sanitizer.Sanitize(unsafeHTML, HttpContext.Current.Request.Url.GetLeftPart(UriPartial.Authority));

        return(sanitized);
    }
Example #30
-1
        public void XSSLocatorTest()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();

            // Act
            string htmlFragment = "<a href=\"'';!--\"<XSS>=&{()}\">";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = @"<a href=""'';!--"">=&amp;{()}&quot;&gt;</a>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Example #31
-1
        public void ImageXSS2Test()
        {
            // Arrange
            var sanitizer = new HtmlSanitizer();


            // Act
            string htmlFragment = "<IMG SRC=javascript:alert('XSS')>";
            string actual = sanitizer.Sanitize(htmlFragment);

            // Assert
            string expected = "<IMG>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }