public void WhitelistFalse()
{
    // With WhiteListMode switched off the sanitizer only strips what it
    // explicitly recognises as bad. In this fixture that means: the <script>
    // element is kept verbatim, the javascript: anchor loses its tag but keeps
    // its text, the empty <span> disappears, and the legitimate link gets
    // target="_blank" rel="nofollow" added. Script content surviving is the
    // notable property of this mode when the input is untrusted.
    const string html = @"<html> <body> <h1>Heading</h1> <p>Some comments<span></span></p> <script type=""text/javascript"">I'm illegal for sure</script> <p><a href=""http://www.vereyon.com/"">Nofollow legal link</a> and here's another one: <a href=""javascript:alert('test')"">Obviously I'm illegal</a></p> </body> </html>";
    const string wanted = @"<html> <body> <h1>Heading</h1> <p>Some comments</p> <script type=""text/javascript"">I'm illegal for sure</script> <p><a href=""http://www.vereyon.com/"" target=""_blank"" rel=""nofollow"">Nofollow legal link</a> and here's another one: Obviously I'm illegal</p> </body> </html>";

    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
    sanitizer.WhiteListMode = false;

    Assert.Equal(wanted, sanitizer.Sanitize(html));
}
public void SimpleNoCssTest()
{
    // The default simple sanitizer does not allow any class attribute, so the
    // class is stripped while the element, its text and the trailing text
    // outside any tag are all preserved.
    const string html = @"<p class=""illegal"">Test content</p>Outside tag";
    const string wanted = @"<p>Test content</p>Outside tag";

    var cleaned = HtmlSanitizer.SimpleHtml5Sanitizer().Sanitize(html);

    Assert.Equal(wanted, cleaned);
}
public void CapitalizedHtml()
{
    // Tag and attribute names are matched case-insensitively: an upper-case
    // <SPAN ID=...> is recognised as a span, emitted in lower case, and its
    // id attribute (not on the simple whitelist) is dropped.
    const string html = @"<p><SPAN ID=""1234abc"">Test</SPAN></p>";
    const string wanted = @"<p><span>Test</span></p>";

    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
    var cleaned = sanitizer.Sanitize(html);

    Assert.Equal(wanted, cleaned);
}
public void DirtyAttributesTest()
{
    // An inline event-handler attribute on an otherwise allowed element must
    // be removed while the element and its text content are kept.
    const string html = @"<p><span onclick=""alert('test')"">Test</span></p>";
    const string wanted = @"<p><span>Test</span></p>";

    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

    Assert.Equal(wanted, sanitizer.Sanitize(html));
}
public void SimpleWhitelistCssTest()
{
    // Once a class name has been explicitly allowed via AllowCss, the same
    // markup that SimpleNoCssTest strips passes through unchanged.
    const string html = @"<p class=""illegal"">Test content</p>Outside tag";

    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
    sanitizer.AllowCss("illegal");
    var cleaned = sanitizer.Sanitize(html);

    // Round-trip: output must equal the input byte for byte.
    Assert.Equal(html, cleaned);
}
public void AllowCommentsTest()
{
    // With RemoveComments disabled an HTML comment survives sanitization
    // unchanged, so the output is expected to round-trip the input exactly.
    const string html = @"Test <!-- No comment --> Test";

    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
    sanitizer.RemoveComments = false;

    Assert.Equal(html, sanitizer.Sanitize(html));
}
public void BreakoutSrcCheck()
{
    // img is registered with a URL check on src. The malformed
    // `SRC =#` followed by an event-handler attribute must not survive; the
    // expected result is an empty string, i.e. the whole element is dropped
    // rather than merely having its attributes cleaned.
    const string html = @"<IMG SRC =# onmouseover=""alert('xxs')"">";
    const string wanted = @"";

    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
    sanitizer.Tag("img").CheckAttributeUrl("src");

    Assert.Equal(wanted, sanitizer.Sanitize(html));
}
public void EmbeddedTab()
{
    // img is allowed but no attribute rule is registered for src, so the
    // element is kept as a bare <img> and the obfuscated src value is gone.
    // NOTE(review): the method name suggests the break inside "jav ascript"
    // is a tab character; the literal here shows a plain space — confirm the
    // original character survived, otherwise this test no longer covers the
    // embedded-tab case it is named for.
    const string html = @"<IMG SRC=""jav ascript:alert('XSS'); "">";
    const string wanted = @"<img>";

    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
    sanitizer.Tag("img");

    Assert.Equal(wanted, sanitizer.Sanitize(html));
}
// Stray angle brackets and quotes around malformed tags. The author notes the
// extra '>' characters are lost because the tags are malformed.
// NOTE(review): the `expected` literal below is not a valid verbatim string as
// written here (an unescaped `"` ends it early); the quotes inside were
// presumably doubled (`""`) in the original source — confirm against the
// repository before relying on this line.
public void EscapeCharactersTest() { var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer(); sanitizer.RemoveComments = false; // The extra greater than characters are going to get lost because the tags are malformed. // I would say this is sort of to be expected. string input = @"<<p>""><test<</p>"" test"; string expected = @"<<p>"><test<</p>" test"; var output = sanitizer.Sanitize(input); Assert.Equal(expected, output); }
public void SimpleSanitizerTests()
{
    // Default (whitelist) behaviour in one fixture: the <script> element is
    // removed entirely, the onclick attribute is stripped, the empty <span> is
    // dropped, the javascript: anchor is unwrapped to its text, and the
    // legitimate link gains target="_blank" rel="nofollow".
    const string html = @"<h1>Heading</h1> <p onclick=""alert('gotcha!')"">Some comments<span></span></p> <script type=""text/javascript"">I'm illegal for sure</script> <p><a href=""http://www.vereyon.com/"">Nofollow legal link</a> and here's another one: <a href=""javascript:alert('test')"">Obviously I'm illegal</a></p>";
    const string wanted = @"<h1>Heading</h1> <p>Some comments</p> <p><a href=""http://www.vereyon.com/"" target=""_blank"" rel=""nofollow"">Nofollow legal link</a> and here's another one: Obviously I'm illegal</p>";

    var cleaned = HtmlSanitizer.SimpleHtml5Sanitizer().Sanitize(html);

    Assert.Equal(wanted, cleaned);
}
public void UnclosedTagsTest()
{
    // Malformed nesting must come out as well-formed markup: an unclosed
    // <strong> gets its closing tag, an unclosed <strong> with no content is
    // dropped, and the surrounding <div> (not on the simple whitelist) is
    // unwrapped in both cases.
    var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();

    var cases = new (string Html, string Wanted)[]
    {
        (@"<div><strong>Not properly closed</div>", @"<strong>Not properly closed</strong>"),
        // Unclosed tag at the very end of the content.
        (@"<div>The next tag is not properly closed<strong></div>", @"The next tag is not properly closed"),
    };

    foreach (var (html, wanted) in cases)
    {
        Assert.Equal(wanted, sanitizer.Sanitize(html));
    }
}