public void invalid_a_hrefs_should_be_filtered() { var scanner = new AntiSamy(); /* * remove non-allowed hrefs */ var input = @"<div> <a href='mysite.com/image.jpg' /> <!-- to be allowed --!> <a href='mysite.com/some_relative_path' /> <!-- to be allowed --!> <a href='mysite.com/some_relative_path/level2' /> <!-- to be allowed --!> Some description <a href='hackers.com/xss.js' /> <a href='abc.com' /> another description </div>"; AntiySamyResult result = scanner.Scan(input, TestPolicy); // safe - allowed url pattern in the antisamy1.xml result.CleanHtml.Should().Contain("<div"); result.CleanHtml.Should().Contain("Some description"); result.CleanHtml.Should().Contain("another description"); result.CleanHtml.Should().Contain("mysite.com/image.jpg"); result.CleanHtml.Should().Contain("mysite.com/some_relative_path"); result.CleanHtml.Should().Contain("mysite.com/some_relative_path/level2"); // non safe result.CleanHtml.Should().NotContain("hackers.com/xss.js"); result.CleanHtml.Should().NotContain("abc.com"); }
public void TestDoesNotBlowUpWithAllPolicies([ValueSource("AllPolicyFilePaths")] string policyFile) { const string html = "<a onblur=\"try {parent.deselectBloggerImageGracefully();}" + "catch(e) {}\"" + "href=\"http://www.charityadvantage.com/ChildrensmuseumEaston/images/BookswithBill.jpg\"><img" + "style=\"FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 150px; CURSOR:" + "hand; HEIGHT: 100px\" alt=\"\"" + "src=\"http://www.charityadvantage.com/ChildrensmuseumEaston/images/BookswithBill.jpg\"" + "border=\"0\" /></a><br />Poor Bill, couldn't make it to the Museum's <span" + "class=\"blsp-spelling-corrected\" id=\"SPELLING_ERROR_0\">story time</span>" + "today, he was so busy shoveling! Well, we sure missed you Bill! So since" + "ou were busy moving snow we read books about snow. We found a clue in one" + "book which revealed a snowplow at the end of the story - we wish it had" + "driven to your driveway Bill. We also read a story which shared fourteen" + "<em>Names For Snow. </em>We'll catch up with you next week....wonder which" + "hat Bill will wear?<br />Jane"; Policy testPolicy = null; string result = null; try { testPolicy = Policy.GetInstance(policyFile); result = new AntiSamy().Scan(html, testPolicy).GetCleanHtml(); } catch { // To comply with try/catch } testPolicy.Should().NotBeNull(); result.Should().NotBeNull(); }
public void invalid_tags_should_be_removed() { var scanner = new AntiSamy(); /* * remove iframe, object, embed, frame, frameset */ var input = @"<div> Some description <iframe src='hackers.com/xss' /> <object data='hackers.com/xss' /> <embed /> <frame /> <frameset /> </div>"; AntiySamyResult result = scanner.Scan(input, TestPolicy); //safe result.CleanHtml.Should().Contain("<div"); result.CleanHtml.Should().Contain("Some description"); // non safe result.CleanHtml.Should().NotContain("<iframe"); result.CleanHtml.Should().NotContain("<object"); result.CleanHtml.Should().NotContain("<embed"); result.CleanHtml.Should().NotContain("<frame"); result.CleanHtml.Should().NotContain("<frameset"); }
public void Test_dom_good_result() { var html = "<div align=\"right\">html</div>"; AntiySamyResult result = new AntiSamy().Scan(html, TestPolicy); result.ErrorMessages.Count().Should().Be(0); }
public void TestDomBadResult() { var badHtml = "<div align=\"foo\">badhtml</div>"; AntiySamyResult result = new AntiSamy().Scan(badHtml, TestPolicy); result.ErrorMessages.Count().Should().BeGreaterThan(0); }
public void allow_any_src_in_img_tag() { var scanner = new AntiSamy(); /* * remove non-allowed hrefs */ var input = "Size Table: ;<p><img src=\"/Assets/ProductImages/chartlar/image.jpg\" width=\"456\" height=\"197\" alt=\"\" /></p> ; Lorem ipsum"; AntiySamyResult result = scanner.Scan(input, GetPolicy("antisamy-mysite.xml")); result.CleanHtml.Should().Be(input); }
public void TestDoesNotBlowUpShortScriptTagWithAllPolicies([ValueSource("AllPolicyFilePaths")] string policyFile) { Policy testPolicy = null; string result = null; try { testPolicy = Policy.GetInstance(policyFile); result = new AntiSamy().Scan("<script src=\"<. \">\"></script>", testPolicy).GetCleanHtml(); } catch { // To comply with try/catch } testPolicy.Should().NotBeNull(); result.Should().NotBeNull(); }
public void TestDoesNotBlowUpOnEmptyTableWithAllPolicies([ValueSource("AllPolicyFilePaths")] string policyFile) { Policy testPolicy = null; string result = null; try { testPolicy = Policy.GetInstance(policyFile); result = new AntiSamy().Scan("<table><tr><td></td></tr></table>", testPolicy).GetCleanHtml(); } catch { // To comply with try/catch } testPolicy.Should().NotBeNull(); result.Should().NotBeNull(); }
public void invalid_img_urls_should_be_filtered() { var scanner = new AntiSamy(); /* * remove non-allowed image srcs */ var input = @"<div> <img src='mysite.com/image.jpg' /> <!-- to be allowed --!> Some description <img src='hackers.com/xss.js' /> </div>"; AntiySamyResult result = scanner.Scan(input, TestPolicy); // safe - allowed url pattern in the antisamy1.xml result.CleanHtml.Should().Contain("Some description"); result.CleanHtml.Should().Contain("<div"); result.CleanHtml.Should().Contain("mysite.com/image.jpg"); // non safe result.CleanHtml.Should().NotContain("hackers.com/xss.js"); }
public void script_references_should_be_removed_by_default() { var scanner = new AntiSamy(); /* * remove non-allowed hrefs */ var input = @"<script type='text/javascript' src='hackers.com/xss.js' /> <script>alert('XSS !!!');</script> <div> Some description <script type='text/javascript' src='hackers.com/xss.js' /> </div>"; AntiySamyResult result = scanner.Scan(input, TestPolicy); //safe result.CleanHtml.Should().Contain("<div"); result.CleanHtml.Should().Contain("Some description"); // non safe result.CleanHtml.Should().NotContain("<script"); }
public void SetUp() { antisamy = new AntiSamy(); policy = Policy.GetInstance(TestConstants.DEFAULT_POLICY_PATH); }