public void WhitelistFalse()
{
string input = @"<html>
<body>
<h1>Heading</h1>
<p>Some comments<span></span></p>
<script type=""text/javascript"">I'm illegal for sure</script>
<p><a href=""http://www.vereyon.com/"">Nofollow legal link</a> and here's another one: <a href=""javascript:alert('test')"">Obviously I'm illegal</a></p>
</body>
</html>";
// The script tag is going to be preserved because we are not running on the white list.
// The second link is going to be dropped due to an invalid href attribute value.
string expected = @"<html>
<body>
<h1>Heading</h1>
<p>Some comments</p>
<script type=""text/javascript"">I'm illegal for sure</script>
<p><a href=""http://www.vereyon.com/"" target=""_blank"" rel=""nofollow"">Nofollow legal link</a> and here's another one: Obviously I'm illegal</p>
</body>
</html>";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.WhiteListMode = false;
var output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
}
public void SimpleNoCssTest()
{
string input = @"<p class=""illegal"">Test content</p>Outside tag";
string expected = @"<p>Test content</p>Outside tag";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
var result = sanitizer.Sanitize(input);
Assert.Equal(expected, result);
}
public void CapitalizedHtml()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
string input = @"<p><SPAN ID=""1234abc"">Test</SPAN></p>";
string expected = @"<p><span>Test</span></p>";
var output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
}
public void DirtyAttributesTest()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
string input = @"<p><span onclick=""alert('test')"">Test</span></p>";
string expected = @"<p><span>Test</span></p>";
var output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
}
public void SimpleWhitelistCssTest()
{
string input = @"<p class=""illegal"">Test content</p>Outside tag";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.AllowCss("illegal");
var result = sanitizer.Sanitize(input);
Assert.Equal(input, result);
}
public void AllowCommentsTest()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.RemoveComments = false;
string input = @"Test <!-- No comment --> Test";
string expected = @"Test <!-- No comment --> Test";
var output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
}
public void BreakoutSrcCheck()
{
string input, result, expected;
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.Tag("img").CheckAttributeUrl("src");
input = @"<IMG SRC =# onmouseover=""alert('xxs')"">";
expected = @"";
result = sanitizer.Sanitize(input);
Assert.Equal(expected, result);
}
public void EmbeddedTab()
{
string input, result, expected;
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.Tag("img");
input = @"<IMG SRC=""jav ascript:alert('XSS'); "">";
expected = @"<img>";
result = sanitizer.Sanitize(input);
Assert.Equal(expected, result);
}
public void EscapeCharactersTest()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.RemoveComments = false;
// The extra greater than characters are going to get lost because the tags are malformed.
// I would say this is sort of to be expected.
string input = @"<<p>""><test<</p>"" test";
string expected = @"<<p>"><test<</p>" test";
var output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
}
public void SimpleSanitizerTests()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
string input = @"<h1>Heading</h1>
<p onclick=""alert('gotcha!')"">Some comments<span></span></p>
<script type=""text/javascript"">I'm illegal for sure</script>
<p><a href=""http://www.vereyon.com/"">Nofollow legal link</a> and here's another one: <a href=""javascript:alert('test')"">Obviously I'm illegal</a></p>";
string expected = @"<h1>Heading</h1>
<p>Some comments</p>
<p><a href=""http://www.vereyon.com/"" target=""_blank"" rel=""nofollow"">Nofollow legal link</a> and here's another one: Obviously I'm illegal</p>";
var output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
}
public void UnclosedTagsTest()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
string input = @"<div><strong>Not properly closed</div>";
string expected = @"<strong>Not properly closed</strong>";
var output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
// Also test with an unclosed tag at the end.
input = @"<div>The next tag is not properly closed<strong></div>";
expected = @"The next tag is not properly closed";
output = sanitizer.Sanitize(input);
Assert.Equal(expected, output);
}