public void AnchorTagContentReplaceXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void shoulddeserializewhitelistfromexistingxmlfile()
{
// Arrange
string whitelistFile = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Unit", "Text", "whitelist.xml");
ApplicationSettings settings = new ApplicationSettings();
settings.HtmlElementWhiteListPath = whitelistFile;
string htmlFragment = "<test href=\"http://www.google.com\">link</test> <blah id=\"myid\" class=\"class1 class2\">somediv</blah><a href=\"test\">test</a>";
// Act
MarkupSanitizer sanitizer = new MarkupSanitizer(settings);
sanitizer.SetWhiteListCacheKey("ShouldDeserializeWhiteListFromExistingXmlFile");
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<test href=\"http://www.google.com\">link</test> <blah id=\"myid\" class=\"class1 class2\">somediv</blah>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void GenerateTestXmlFile()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
using (FileStream stream = new FileStream("test.xml", FileMode.Create, FileAccess.Write))
{
//XmlSerializer serializer = new XmlSerializer(typeof(HtmlWhiteList));
//serializer.Serialize(stream, MarkupSanitizer._htmlWhiteList);
XmlSerializer serializer = new XmlSerializer(typeof(HtmlWhiteList));
List<HtmlElement> list = new List<HtmlElement>();
list.Add(new HtmlElement("blah", new string[] { "id", "class" }));
list.Add(new HtmlElement("test", new string[] { "href" }));
HtmlWhiteList whiteList = new HtmlWhiteList();
whiteList.ElementWhiteList = list;
serializer.Serialize(stream, whiteList);
}
}
public void AnchorTagUSASCIIEncodingXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=¼script¾alert(¢XSS¢)¼/script¾\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://www.codeplex.com?url=&#188;&#190;alert(&#162;XSS&#162;)&#188;/&#190;\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagNonAlphaNonDigitXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://www.codeplex.com?url=&lt;/XSS SRC=\">\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivNonAlphaNonDigit3XSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<Div style=\"background-color: http://www.codeplex.com?url=&lt;/SRC=\">\"></Div>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void XmlWithCDataXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<SPAN></SPAN>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagDownlevelHiddenBlockXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://www.codeplex.com?url=&lt;!--[if gte IE 4]&gt;&lt;&gt;alert(&#39;XSS&#39;);&lt;/&gt;&lt;![endif]--&gt;\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivJavascriptEscapingXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<div style=\"\";alert('XSS');//\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<div style=\"\"></div>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivBackgroundImageWithUnicodedXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<DIV STYLE=\"background-image:�075�072�06C�028&#39;�06a�061�076�061�073�063�072�069�070�074�03a�061�06c�065�072�074�028.1027�058.1053�053�027�029&#39;�029\"></div>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivExpressionXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<DIV STYLE=\"width: expression(alert('XSS'));\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<DIV STYLE=\"width:(alert(&#39;XSS&#39;));\"></Div>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagMixedEncodingXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = @"<A HREF=""h
tt p://6	6.000146.0x7.147/"">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"h
tt	p://6&amp;#9;6.000146.0x7.147/\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void BGSoundXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<BGSOUND SRC=\"javascript:alert('XSS');\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagJavascriptLinkLocationXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\":document.location=&#39;http://www.google.com/&#39;\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagIPVersesHostnameXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://66.102.7.147/\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://66.102.7.147/\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void XSSLocatorTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<a href=\"'';!--\"<XSS>=&{()}\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<a href=\"&#39;&#39;;!--\"></a>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void XmlWithEmbeddedScriptXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<XML SRC=\"xsstest.xml\" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<SPAN></SPAN>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void XmlWithCommentObfuscationXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:alert('XSS')\"></B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<SPAN></SPAN>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void BRJavascriptIncludeXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<BR SIZE=\"&{alert('XSS')}\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<BR>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagNoQuotesXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://www.codeplex.com?url=&lt;&gt;a=/XSS/alert(a.source)&lt;/&gt;\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivBackgroundImageXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<DIV STYLE=\"background-image: url(:alert(&#39;XSS&#39;))\"></div>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagOctalEncodingXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivExtraneousOpenBracketsXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<<SCRIPT>alert(\"XSS\");//<</SCRIPT>\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<Div style=\"background-color: http://www.codeplex.com?url=&lt;&lt;&gt;alert(\"></Div>\">";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagProtocolResolutionScriptXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT SRC=//ha.ckers.org/.j>\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://www.codeplex.com?url=&lt;SRC=//ha.ckers.org/.j&gt;\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivHtmlQuotesEncapsulation7XSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<Div style=\"background-color: http://www.codeplex.com?url=&lt;&gt;document.write(\"></div>PT SRC=\"http://ha.ckers.org/xss.js\">\">";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagProtocolResolutionXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"//www.google.com/\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"//www.google.com/\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void DivNoClosingScriptTagsXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>\">";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<Div style=\"background-color: http://www.codeplex.com?url=&lt;SRC=http://ha.ckers.org/xss.js?&lt;B&gt;\"></Div>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
public void AnchorTagStyleExpressionXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "exp/*<a></a>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
/// <summary>
/// Strips a lot of unsafe Javascript/Html/CSS from the markup, if the feature is enabled.
/// </summary>
private string RemoveHarmfulTags(string html)
{
if (_applicationSettings.UseHtmlWhiteList)
{
MarkupSanitizer sanitizer = new MarkupSanitizer(_applicationSettings, true, false, true);
return sanitizer.SanitizeHtml(html);
}
else
{
return html;
}
}
public void AnchorTagUrlEncodingXSSTest()
{
// Arrange
MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
// Act
string htmlFragment = "<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>";
string actual = sanitizer.SanitizeHtml(htmlFragment);
// Assert
string expected = "<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
}
