public void Ctor_UnicodeRanges()
        {
            // Act
            var filter = new CodePointFilter(UnicodeRanges.LatinExtendedA, UnicodeRanges.LatinExtendedC);

            // Assert
            for (int i = 0; i < 0x0100; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0100; i <= 0x017F; i++)
            {
                Assert.True(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0180; i < 0x2C60; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x2C60; i <= 0x2C7F; i++)
            {
                Assert.True(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x2C80; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
        public void Ctor_Parameterless_CreatesEmptyFilter()
        {
            // Act
            var filter = new CodePointFilter();

            // Assert
            for (int i = 0; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
        public void Ctor_OtherCodePointFilterAsInterface()
        {
            // Arrange
            var originalFilter = new OddCodePointFilter();

            // Act
            var newFilter = new CodePointFilter(originalFilter);

            // Assert
            for (int i = 0; i <= Char.MaxValue; i++)
            {
                Assert.Equal((i % 2) == 1, newFilter.IsCharacterAllowed((char)i));
            }
        }
        public void Ctor_OtherCodePointFilterAsConcreteType_Clones()
        {
            // Arrange
            var originalFilter = new CodePointFilter().AllowChar('x');

            // Act
            var newFilter = new CodePointFilter(originalFilter).AllowChar('y');

            // Assert
            Assert.True(originalFilter.IsCharacterAllowed('x'));
            Assert.False(originalFilter.IsCharacterAllowed('y'));
            Assert.True(newFilter.IsCharacterAllowed('x'));
            Assert.True(newFilter.IsCharacterAllowed('y'));
        }
        public void Ctor_WithCustomFilters()
        {
            // Arrange
            var filter = new CodePointFilter().AllowChars("ab").AllowChars('\0', '&', '\uFFFF', 'd');
            UnicodeEncoderBase encoder = new CustomUnicodeEncoderBase(filter);

            // Act & assert
            Assert.Equal("a", encoder.Encode("a"));
            Assert.Equal("b", encoder.Encode("b"));
            Assert.Equal("[U+0063]", encoder.Encode("c"));
            Assert.Equal("d", encoder.Encode("d"));
            Assert.Equal("[U+0000]", encoder.Encode("\0")); // we still always encode control chars
            Assert.Equal("[U+0026]", encoder.Encode("&")); // we still always encode HTML-special chars
            Assert.Equal("[U+FFFF]", encoder.Encode("\uFFFF")); // we still always encode non-chars and other forbidden chars
        }
Exemple #6
0
        public void Ctor_WithCustomFilters()
        {
            // Arrange
            var filter = new CodePointFilter().AllowChars("ab").AllowChars('\0', '&', '\uFFFF', 'd');
            UnicodeEncoderBase encoder = new CustomUnicodeEncoderBase(filter);

            // Act & assert
            Assert.Equal("a", encoder.Encode("a"));
            Assert.Equal("b", encoder.Encode("b"));
            Assert.Equal("[U+0063]", encoder.Encode("c"));
            Assert.Equal("d", encoder.Encode("d"));
            Assert.Equal("[U+0000]", encoder.Encode("\0"));     // we still always encode control chars
            Assert.Equal("[U+0026]", encoder.Encode("&"));      // we still always encode HTML-special chars
            Assert.Equal("[U+FFFF]", encoder.Encode("\uFFFF")); // we still always encode non-chars and other forbidden chars
        }
        public void Ctor_WithCodePointFilter()
        {
            // Arrange
            var filter = new CodePointFilter().AllowChars("ab").AllowChars('\0', '&', '\uFFFF', 'd');
            UrlEncoder encoder = new UrlEncoder(filter);

            // Act & assert
            Assert.Equal("a", encoder.UrlEncode("a"));
            Assert.Equal("b", encoder.UrlEncode("b"));
            Assert.Equal("%63", encoder.UrlEncode("c"));
            Assert.Equal("d", encoder.UrlEncode("d"));
            Assert.Equal("%00", encoder.UrlEncode("\0")); // we still always encode control chars
            Assert.Equal("%26", encoder.UrlEncode("&")); // we still always encode HTML-special chars
            Assert.Equal("%EF%BF%BF", encoder.UrlEncode("\uFFFF")); // we still always encode non-chars and other forbidden chars
        }
        public void Ctor_WithCodePointFilter()
        {
            // Arrange
            var         filter  = new CodePointFilter().AllowChars("ab").AllowChars('\0', '&', '\uFFFF', 'd');
            HtmlEncoder encoder = new HtmlEncoder(filter);

            // Act & assert
            Assert.Equal("a", encoder.HtmlEncode("a"));
            Assert.Equal("b", encoder.HtmlEncode("b"));
            Assert.Equal("&#x63;", encoder.HtmlEncode("c"));
            Assert.Equal("d", encoder.HtmlEncode("d"));
            Assert.Equal("&#x0;", encoder.HtmlEncode("\0"));        // we still always encode control chars
            Assert.Equal("&amp;", encoder.HtmlEncode("&"));         // we still always encode HTML-special chars
            Assert.Equal("&#xFFFF;", encoder.HtmlEncode("\uFFFF")); // we still always encode non-chars and other forbidden chars
        }
        public void AllowChars_String()
        {
            // Arrange
            var filter = new CodePointFilter();

            // Act
            var retVal = filter.AllowChars("\u0100\u0102");

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            Assert.True(filter.IsCharacterAllowed('\u0100'));
            Assert.False(filter.IsCharacterAllowed('\u0101'));
            Assert.True(filter.IsCharacterAllowed('\u0102'));
            Assert.False(filter.IsCharacterAllowed('\u0103'));
        }
Exemple #10
0
        public void Ctor_WithCodePointFilter()
        {
            // Arrange
            var filter = new CodePointFilter().AllowChars("ab").AllowChars('\0', '&', '\uFFFF', 'd');
            JavaScriptStringEncoder encoder = new JavaScriptStringEncoder(filter);

            // Act & assert
            Assert.Equal("a", encoder.JavaScriptStringEncode("a"));
            Assert.Equal("b", encoder.JavaScriptStringEncode("b"));
            Assert.Equal(@"\u0063", encoder.JavaScriptStringEncode("c"));
            Assert.Equal("d", encoder.JavaScriptStringEncode("d"));
            Assert.Equal(@"\u0000", encoder.JavaScriptStringEncode("\0"));     // we still always encode control chars
            Assert.Equal(@"\u0026", encoder.JavaScriptStringEncode("&"));      // we still always encode HTML-special chars
            Assert.Equal(@"\uFFFF", encoder.JavaScriptStringEncode("\uFFFF")); // we still always encode non-chars and other forbidden chars
        }
        public void Ctor_WithCodePointFilter()
        {
            // Arrange
            var filter = new CodePointFilter().AllowChars("ab").AllowChars('\0', '&', '\uFFFF', 'd');
            HtmlEncoder encoder = new HtmlEncoder(filter);

            // Act & assert
            Assert.Equal("a", encoder.HtmlEncode("a"));
            Assert.Equal("b", encoder.HtmlEncode("b"));
            Assert.Equal("&#x63;", encoder.HtmlEncode("c"));
            Assert.Equal("d", encoder.HtmlEncode("d"));
            Assert.Equal("&#x0;", encoder.HtmlEncode("\0")); // we still always encode control chars
            Assert.Equal("&amp;", encoder.HtmlEncode("&")); // we still always encode HTML-special chars
            Assert.Equal("&#xFFFF;", encoder.HtmlEncode("\uFFFF")); // we still always encode non-chars and other forbidden chars
        }
        public void AllowFilter()
        {
            // Arrange
            var filter = new CodePointFilter(UnicodeRanges.BasicLatin);

            // Act
            var retVal = filter.AllowFilter(new OddCodePointFilter());

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            for (int i = 0; i <= 0x007F; i++)
            {
                Assert.True(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0080; i <= Char.MaxValue; i++)
            {
                Assert.Equal((i % 2) == 1, filter.IsCharacterAllowed((char)i));
            }
        }
        public void ForbidRange()
        {
            // Arrange
            var filter = new CodePointFilter(new OddCodePointFilter());

            // Act
            var retVal = filter.ForbidRange(UnicodeRanges.Specials);

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            for (int i = 0; i <= 0xFFEF; i++)
            {
                Assert.Equal((i % 2) == 1, filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0xFFF0; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
Exemple #14
0
        /// <summary>
        /// Instantiates the filter by cloning the allow list of another <see cref="ICodePointFilter"/>.
        /// </summary>
        public CodePointFilter(ICodePointFilter other)
        {
            if (other == null)
            {
                throw new ArgumentNullException(nameof(other));
            }

            CodePointFilter otherAsCodePointFilter = other as CodePointFilter;

            if (otherAsCodePointFilter != null)
            {
                _allowedCharsBitmap = otherAsCodePointFilter.GetAllowedCharsBitmap();
            }
            else
            {
                _allowedCharsBitmap = AllowedCharsBitmap.CreateNew();
                AllowFilter(other);
            }
        }
        public void GetAllowedCodePoints()
        {
            // Arrange
            var expected = Enumerable.Range(UnicodeRanges.BasicLatin.FirstCodePoint, UnicodeRanges.BasicLatin.RangeSize)
                           .Concat(Enumerable.Range(UnicodeRanges.Specials.FirstCodePoint, UnicodeRanges.Specials.RangeSize))
                           .Except(new int[] { 'x' })
                           .OrderBy(i => i)
                           .ToArray();

            var filter = new CodePointFilter(UnicodeRanges.BasicLatin, UnicodeRanges.Specials);

            filter.ForbidChar('x');

            // Act
            var retVal = filter.GetAllowedCodePoints().OrderBy(i => i).ToArray();

            // Assert
            Assert.Equal <int>(expected, retVal);
        }
        public void Clear()
        {
            // Arrange
            var filter = new CodePointFilter();

            for (int i = 1; i <= Char.MaxValue; i++)
            {
                filter.AllowChar((char)i);
            }

            // Act
            var retVal = filter.Clear();

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            for (int i = 0; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
        /// <summary>
        /// Instantiates an encoder using a custom allow list of characters.
        /// </summary>
        protected UnicodeEncoderBase(CodePointFilter filter, int maxOutputCharsPerInputChar)
        {
            _maxOutputCharsPerInputChar = maxOutputCharsPerInputChar;
            _allowedCharsBitmap         = filter.GetAllowedCharsBitmap();

            // Forbid characters that are special in HTML.
            // Even though this is a common encoder used by everybody (including URL
            // and JavaScript strings), it's unfortunately common for developers to
            // forget to HTML-encode a string once it has been URL-encoded or
            // JavaScript string-escaped, so this offers extra protection.
            ForbidCharacter('<');
            ForbidCharacter('>');
            ForbidCharacter('&');
            ForbidCharacter('\''); // can be used to escape attributes
            ForbidCharacter('\"'); // can be used to escape attributes
            ForbidCharacter('+');  // technically not HTML-specific, but can be used to perform UTF7-based attacks

            // Forbid codepoints which aren't mapped to characters or which are otherwise always disallowed
            // (includes categories Cc, Cs, Co, Cn, Zs [except U+0020 SPACE], Zl, Zp)
            _allowedCharsBitmap.ForbidUndefinedCharacters();
        }
        /// <summary>
        /// Instantiates an encoder using a custom allow list of characters.
        /// </summary>
        protected UnicodeEncoderBase(CodePointFilter filter, int maxOutputCharsPerInputChar)
        {
            _maxOutputCharsPerInputChar = maxOutputCharsPerInputChar;
            _allowedCharsBitmap = filter.GetAllowedCharsBitmap();

            // Forbid characters that are special in HTML.
            // Even though this is a common encoder used by everybody (including URL
            // and JavaScript strings), it's unfortunately common for developers to
            // forget to HTML-encode a string once it has been URL-encoded or
            // JavaScript string-escaped, so this offers extra protection.
            ForbidCharacter('<');
            ForbidCharacter('>');
            ForbidCharacter('&');
            ForbidCharacter('\''); // can be used to escape attributes
            ForbidCharacter('\"'); // can be used to escape attributes
            ForbidCharacter('+'); // technically not HTML-specific, but can be used to perform UTF7-based attacks

            // Forbid codepoints which aren't mapped to characters or which are otherwise always disallowed
            // (includes categories Cc, Cs, Co, Cn, Zs [except U+0020 SPACE], Zl, Zp)
            _allowedCharsBitmap.ForbidUndefinedCharacters();
        }
        public void AllowRange()
        {
            // Arrange
            var filter = new CodePointFilter();

            // Act
            var retVal = filter.AllowRange(UnicodeRanges.LatinExtendedA);

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            for (int i = 0; i < 0x0100; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0100; i <= 0x017F; i++)
            {
                Assert.True(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0180; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
 // We pass a (known bad) value of 1 for 'max output chars per input char',
 // which also tests that the code behaves properly even if the original
 // estimate is incorrect.
 public CustomUnicodeEncoderBase(CodePointFilter filter)
     : base(filter, maxOutputCharsPerInputChar: 1)
 {
 }
        public void AllowRanges()
        {
            // Arrange
            var filter = new CodePointFilter();

            // Act
            var retVal = filter.AllowRanges(UnicodeRanges.LatinExtendedA, UnicodeRanges.LatinExtendedC);

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            for (int i = 0; i < 0x0100; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0100; i <= 0x017F; i++)
            {
                Assert.True(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0180; i < 0x2C60; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x2C60; i <= 0x2C7F; i++)
            {
                Assert.True(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x2C80; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
        public void Clear()
        {
            // Arrange
            var filter = new CodePointFilter();
            for (int i = 1; i <= Char.MaxValue; i++)
            {
                filter.AllowChar((char)i);
            }

            // Act
            var retVal = filter.Clear();

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            for (int i = 0; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
        public void ForbidRanges()
        {
            // Arrange
            var filter = new CodePointFilter(new OddCodePointFilter());

            // Act
            var retVal = filter.ForbidRanges(UnicodeRanges.BasicLatin, UnicodeRanges.Specials);

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            for (int i = 0; i <= 0x007F; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0x0080; i <= 0xFFEF; i++)
            {
                Assert.Equal((i % 2) == 1, filter.IsCharacterAllowed((char)i));
            }
            for (int i = 0xFFF0; i <= Char.MaxValue; i++)
            {
                Assert.False(filter.IsCharacterAllowed((char)i));
            }
        }
        public void ForbidChars_String()
        {
            // Arrange
            var filter = new CodePointFilter(UnicodeRanges.BasicLatin);

            // Act
            var retVal = filter.ForbidChars("xz");

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            Assert.True(filter.IsCharacterAllowed('w'));
            Assert.False(filter.IsCharacterAllowed('x'));
            Assert.True(filter.IsCharacterAllowed('y'));
            Assert.False(filter.IsCharacterAllowed('z'));
        }
Exemple #25
0
 // We pass a (known bad) value of 1 for 'max output chars per input char',
 // which also tests that the code behaves properly even if the original
 // estimate is incorrect.
 public CustomUnicodeEncoderBase(CodePointFilter filter)
     : base(filter, maxOutputCharsPerInputChar: 1)
 {
 }
        public void GetAllowedCodePoints()
        {
            // Arrange
            var expected = Enumerable.Range(UnicodeRanges.BasicLatin.FirstCodePoint, UnicodeRanges.BasicLatin.RangeSize)
                .Concat(Enumerable.Range(UnicodeRanges.Specials.FirstCodePoint, UnicodeRanges.Specials.RangeSize))
                .Except(new int[] { 'x' })
                .OrderBy(i => i)
                .ToArray();

            var filter = new CodePointFilter(UnicodeRanges.BasicLatin, UnicodeRanges.Specials);
            filter.ForbidChar('x');

            // Act
            var retVal = filter.GetAllowedCodePoints().OrderBy(i => i).ToArray();

            // Assert
            Assert.Equal<int>(expected, retVal);
        }
 internal HtmlUnicodeEncoder(CodePointFilter filter)
     : base(filter, MaxOutputCharsPerInputChar)
 {
 }
 internal JavaScriptStringUnicodeEncoder(CodePointFilter filter)
     : base(filter, MaxOutputCharsPerInputChar)
 {
     // The only interesting characters above and beyond what the base encoder
     // already covers are the solidus and reverse solidus.
     ForbidCharacter('\\');
     ForbidCharacter('/');
 }
        public void AllowChar()
        {
            // Arrange
            var filter = new CodePointFilter();

            // Act
            var retVal = filter.AllowChar('\u0100');

            // Assert
            Assert.Same(filter, retVal); // returns 'this' instance
            Assert.True(filter.IsCharacterAllowed('\u0100'));
            Assert.False(filter.IsCharacterAllowed('\u0101'));
        }
Exemple #30
0
 internal HtmlUnicodeEncoder(CodePointFilter filter)
     : base(filter, MaxOutputCharsPerInputChar)
 {
 }
            internal UrlUnicodeEncoder(CodePointFilter filter)
                : base(filter, MaxOutputCharsPerInputChar)
            {
                // Per RFC 3987, Sec. 2.2, we want encodings that are safe for
                // four particular components: 'isegment', 'ipath-noscheme',
                // 'iquery', and 'ifragment'. The relevant definitions are below.
                //
                //    ipath-noscheme = isegment-nz-nc *( "/" isegment )
                // 
                //    isegment       = *ipchar
                // 
                //    isegment-nz-nc = 1*( iunreserved / pct-encoded / sub-delims
                //                         / "@" )
                //                   ; non-zero-length segment without any colon ":"
                //
                //    ipchar         = iunreserved / pct-encoded / sub-delims / ":"
                //                   / "@"
                // 
                //    iquery         = *( ipchar / iprivate / "/" / "?" )
                // 
                //    ifragment      = *( ipchar / "/" / "?" )
                // 
                //    iunreserved    = ALPHA / DIGIT / "-" / "." / "_" / "~" / ucschar
                // 
                //    ucschar        = %xA0-D7FF / %xF900-FDCF / %xFDF0-FFEF
                //                   / %x10000-1FFFD / %x20000-2FFFD / %x30000-3FFFD
                //                   / %x40000-4FFFD / %x50000-5FFFD / %x60000-6FFFD
                //                   / %x70000-7FFFD / %x80000-8FFFD / %x90000-9FFFD
                //                   / %xA0000-AFFFD / %xB0000-BFFFD / %xC0000-CFFFD
                //                   / %xD0000-DFFFD / %xE1000-EFFFD
                // 
                //    pct-encoded    = "%" HEXDIG HEXDIG
                // 
                //    sub-delims     = "!" / "$" / "&" / "'" / "(" / ")"
                //                   / "*" / "+" / "," / ";" / "="
                //
                // The only common characters between these four components are the
                // intersection of 'isegment-nz-nc' and 'ipchar', which is really
                // just 'isegment-nz-nc' (colons forbidden).
                // 
                // From this list, the base encoder already forbids "&", "'", "+",
                // and we'll additionally forbid "=" since it has special meaning
                // in x-www-form-urlencoded representations.
                //
                // This means that the full list of allowed characters from the
                // Basic Latin set is:
                // ALPHA / DIGIT / "-" / "." / "_" / "~" / "!" / "$" / "(" / ")" / "*" / "," / ";" / "@"

                const string forbiddenChars = @" #%/:=?[\]^`{|}"; // chars from Basic Latin which aren't already disallowed by the base encoder
                foreach (char c in forbiddenChars)
                {
                    ForbidCharacter(c);
                }

                // Specials (U+FFF0 .. U+FFFF) are forbidden by the definition of 'ucschar' above
                for (int i = 0; i < 16; i++)
                {
                    ForbidCharacter((char)(0xFFF0 | i));
                }

                // Supplementary characters are forbidden anyway by the base encoder
            }