|
public GetSafeHtmlFragment ( string htmlText, string[]>.Dictionary |
||
| htmlText | string | |
| tagsWhiteList | string[]>.Dictionary | |
| Résultat | string | |
public void MakeSureItSanitized(string htmlFragment, string message)
{
var target = new DefaultHtmlSanitizer();
var elementWhiteList = CreateElementWhiteList();
var actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
if(htmlFragment != "See Below")
StringAssert.AreNotEqualIgnoringCase(htmlFragment, actual, message);
}
public void AnchorTagContentReplaceXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagDownlevelHiddenBlockXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"http://www.codeplex.com?url=<!--[if gte IE 4]><>alert('XSS');</><![endif]-->\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagDownlevelHiddenBlockXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<A HREF=\"http://www.codeplex.com?url=&lt;!--[if gte IE 4]&gt;&lt;&gt;alert(&#39;XSS&#39;);&lt;/&gt;&lt;![endif]--&gt;\">XSS</A>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagDwordEncodingXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://1113982867/\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"http://1113982867/\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivExpressionXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<DIV STYLE=\"width: expression(alert('XSS'));\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"width:(alert('XSS'));\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivBackgroundImageXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-image: url(\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivStyleExpressionHtmlQuotesEncapsulation1XSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<Div style=\"background-color: expression(<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>)\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-color:(<a=\">\" SRC=\"http://ha.ckers.org/xss.js\">)\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void XmlWithEmbeddedScriptXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<XML SRC=\"xsstest.xml\" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<SPAN></SPAN>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagJavascriptLinkLocationXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<A HREF=\"\">XSS</A>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivStyleExpressionDownlevelHiddenBlockXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<Div style=\"background-color: expression(<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->)\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-color:(<!--[if gte IE 4]><>alert('XSS');</><![endif]-->)\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagStyleExpressionXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "exp/*<a></a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagExtraneousOpenBracketsXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<<SCRIPT>alert(\"XSS\");//<</SCRIPT>\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"http://www.codeplex.com?url=<<>alert(\"></a>\">XSS";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagProtocolResolutionScriptXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT SRC=//ha.ckers.org/.j>\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"http://www.codeplex.com?url=<SRC=//ha.ckers.org/.j>\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagProtocolResolutionXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"//www.google.com/\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"//www.google.com/\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagNoQuotesXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"http://www.codeplex.com?url=<>a=/XSS/alert(a.source)</>\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagNonAlphaNonDigitXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"http://www.codeplex.com?url=</XSS SRC=\">\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagMixedEncodingXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = @"<A HREF=""h
tt p://6	6.000146.0x7.147/"">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"h\r\ntt\tp://6&#9;6.000146.0x7.147/\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivHtmlQuotesEncapsulation7XSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-color: http://www.codeplex.com?url=<>document.write(\"></div>PT SRC=\"http://ha.ckers.org/xss.js\">\">";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivNoQuotesXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-color: http://www.codeplex.com?url=<>a=/XSS/alert(a.source)</>\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivJavascriptEscapingXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<div style=\"\";alert('XSS');//\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void XSSLocatorTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<a href=\"'';!--\"<XSS>=&{()}\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"'';!--\"></a>";
Assert.AreEqual(expected, actual);
}
public void DivNonAlphaNonDigitXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-color: http://www.codeplex.com?url=</XSS SRC=\">\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void AnchorTagUSASCIIEncodingXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=¼script¾alert(¢XSS¢)¼/script¾\">XSS</A>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<a href=\"http://www.codeplex.com?url=¼¾alert(¢XSS¢)¼/¾\">XSS</a>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivProtocolResolutionScriptXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT SRC=//ha.ckers.org/.j>\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-color: http://www.codeplex.com?url=<SRC=//ha.ckers.org/.j>\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void BGSoundXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<BGSOUND SRC=\"javascript:alert('XSS');\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivStyleExpressionExtraneousOpenBracketsXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<Div style=\"background-color: expression(<<SCRIPT>alert(\"XSS\");//<</SCRIPT>)\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-color:(<<>alert(\"></div>)\">";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void DivBackgroundImageWithUnicodedXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<div style=\"background-image:�075�072�06C�028'�06a�061�076�061�073�063�072�069�070�074�03a�061�06c�065�072�074�028.1027�058.1053�053�027�029'�029\"></div>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void BRJavascriptIncludeXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<BR SIZE=\"&{alert('XSS')}\">";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<BR>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
public void XmlWithCommentObfuscationXSSTest()
{
// Arrange
DefaultHtmlSanitizer target = new DefaultHtmlSanitizer();
Dictionary<string, string[]> elementWhiteList = CreateElementWhiteList();
// Act
string htmlFragment = "<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:alert('XSS')\"></B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>";
string actual = target.GetSafeHtmlFragment(htmlFragment, elementWhiteList);
// Assert
string expected = "<SPAN></SPAN>";
StringAssert.AreEqualIgnoringCase(expected, actual);
}
