Exemple #1
0
        public void WhitelistFalse()
        {
            string input = @"<html>
<body>
    <h1>Heading</h1>
    <p>Some comments<span></span></p>
    <script type=""text/javascript"">I'm illegal for sure</script>
    <p><a href=""http://www.vereyon.com/"">Nofollow legal link</a> and here's another one: <a href=""javascript:alert('test')"">Obviously I'm illegal</a></p>
</body>
</html>";

            // The script tag is going to be preserved because we are not running on the white list.
            // The second link is going to be dropped due to an invalid href attribute value.
            string expected = @"<html>
<body>
    <h1>Heading</h1>
    <p>Some comments</p>
    <script type=""text/javascript"">I&#39;m illegal for sure</script>
    <p><a href=""http://www.vereyon.com/"" target=""_blank"" rel=""nofollow"">Nofollow legal link</a> and here&#39;s another one: Obviously I&#39;m illegal</p>
</body>
</html>";

            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            sanitizer.WhiteListMode = false;

            var output = sanitizer.Sanitize(input);

            Assert.Equal(expected, output);
        }
Exemple #2
0
        public void SimpleNoCssTest()
        {
            string input    = @"<p class=""illegal"">Test content</p>Outside tag";
            string expected = @"<p>Test content</p>Outside tag";

            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
            var result    = sanitizer.Sanitize(input);

            Assert.Equal(expected, result);
        }
Exemple #3
0
        public void CapitalizedHtml()
        {
            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            string input    = @"<p><SPAN ID=""1234abc"">Test</SPAN></p>";
            string expected = @"<p><span>Test</span></p>";

            var output = sanitizer.Sanitize(input);

            Assert.Equal(expected, output);
        }
Exemple #4
0
        public void DirtyAttributesTest()
        {
            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            string input    = @"<p><span onclick=""alert('test')"">Test</span></p>";
            string expected = @"<p><span>Test</span></p>";

            var output = sanitizer.Sanitize(input);

            Assert.Equal(expected, output);
        }
Exemple #5
0
        public void SimpleWhitelistCssTest()
        {
            string input = @"<p class=""illegal"">Test content</p>Outside tag";

            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            sanitizer.AllowCss("illegal");
            var result = sanitizer.Sanitize(input);

            Assert.Equal(input, result);
        }
Exemple #6
0
        public void AllowCommentsTest()
        {
            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            sanitizer.RemoveComments = false;

            string input    = @"Test <!-- No comment --> Test";
            string expected = @"Test <!-- No comment --> Test";

            var output = sanitizer.Sanitize(input);

            Assert.Equal(expected, output);
        }
Exemple #7
0
        public void BreakoutSrcCheck()
        {
            string input, result, expected;

            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            sanitizer.Tag("img").CheckAttributeUrl("src");

            input    = @"<IMG SRC =# onmouseover=""alert('xxs')"">";
            expected = @"";
            result   = sanitizer.Sanitize(input);
            Assert.Equal(expected, result);
        }
Exemple #8
0
        public void EmbeddedTab()
        {
            string input, result, expected;

            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            sanitizer.Tag("img");

            input    = @"<IMG SRC=""jav ascript:alert('XSS'); "">";
            expected = @"<img>";
            result   = sanitizer.Sanitize(input);
            Assert.Equal(expected, result);
        }
Exemple #9
0
        public void EscapeCharactersTest()
        {
            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            sanitizer.RemoveComments = false;

            // The extra greater than characters are going to get lost because the tags are malformed.
            // I would say this is sort of to be expected.
            string input    = @"<<p>"">&lt;test<</p>"" test";
            string expected = @"&lt;<p>&quot;&gt;&lt;test&lt;</p>&quot; test";

            var output = sanitizer.Sanitize(input);

            Assert.Equal(expected, output);
        }
Exemple #10
0
        public void SimpleSanitizerTests()
        {
            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            string input    = @"<h1>Heading</h1>
<p onclick=""alert('gotcha!')"">Some comments<span></span></p>
<script type=""text/javascript"">I'm illegal for sure</script>
<p><a href=""http://www.vereyon.com/"">Nofollow legal link</a> and here's another one: <a href=""javascript:alert('test')"">Obviously I'm illegal</a></p>";
            string expected = @"<h1>Heading</h1>
<p>Some comments</p>

<p><a href=""http://www.vereyon.com/"" target=""_blank"" rel=""nofollow"">Nofollow legal link</a> and here&#39;s another one: Obviously I&#39;m illegal</p>";

            var output = sanitizer.Sanitize(input);

            Assert.Equal(expected, output);
        }
Exemple #11
0
        public void UnclosedTagsTest()
        {
            var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

            string input    = @"<div><strong>Not properly closed</div>";
            string expected = @"<strong>Not properly closed</strong>";

            var output = sanitizer.Sanitize(input);

            Assert.Equal(expected, output);

            // Also test with an unclosed tag at the end.
            input    = @"<div>The next tag is not properly closed<strong></div>";
            expected = @"The next tag is not properly closed";

            output = sanitizer.Sanitize(input);
            Assert.Equal(expected, output);
        }