public void AnchorTagContentReplaceXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://www.gohttp://www.google.com/ogle.com/\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;www&#x2E;gohttp&#x3A;&#x2F;&#x2F;www&#x2E;google&#x2E;com&#x2F;ogle&#x2E;com&#x2F;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 2
0
		public void shoulddeserializewhitelistfromexistingxmlfile()
		{
			// Arrange
			string whitelistFile = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Unit", "Text", "whitelist.xml");
			ApplicationSettings settings = new ApplicationSettings();
			settings.HtmlElementWhiteListPath = whitelistFile;

			string htmlFragment = "<test href=\"http://www.google.com\">link</test> <blah id=\"myid\" class=\"class1 class2\">somediv</blah><a href=\"test\">test</a>";

			// Act
			MarkupSanitizer sanitizer = new MarkupSanitizer(settings);
			sanitizer.SetWhiteListCacheKey("ShouldDeserializeWhiteListFromExistingXmlFile");
			string actual = sanitizer.SanitizeHtml(htmlFragment);

			// Assert
			string expected = "<test href=\"http&#x3A;&#x2F;&#x2F;www&#x2E;google&#x2E;com\">link</test> <blah id=\"myid\" class=\"class1&#x20;class2\">somediv</blah>";
			Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
		}
Esempio n. 3
0
		public void GenerateTestXmlFile()
		{
			// Arrange
			MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

			using (FileStream stream = new FileStream("test.xml", FileMode.Create, FileAccess.Write))
			{
				//XmlSerializer serializer = new XmlSerializer(typeof(HtmlWhiteList));
				//serializer.Serialize(stream, MarkupSanitizer._htmlWhiteList);

				XmlSerializer serializer = new XmlSerializer(typeof(HtmlWhiteList));

				List<HtmlElement> list = new List<HtmlElement>();
				list.Add(new HtmlElement("blah", new string[] { "id", "class" }));
				list.Add(new HtmlElement("test", new string[] { "href" }));

				HtmlWhiteList whiteList = new HtmlWhiteList();
				whiteList.ElementWhiteList = list;

				serializer.Serialize(stream, whiteList);
			}
		}
        public void AnchorTagUSASCIIEncodingXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=¼script¾alert(¢XSS¢)¼/script¾\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;&#x23;188&#x3B;&#x26;&#x23;190&#x3B;alert&#x28;&#x26;&#x23;162&#x3B;XSS&#x26;&#x23;162&#x3B;&#x29;&#x26;&#x23;188&#x3B;&#x2F;&#x26;&#x23;190&#x3B;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
        public void AnchorTagNonAlphaNonDigitXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;&#x2F;XSS&#x20;SRC&#x3D;\">\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
        public void DivNonAlphaNonDigit3XSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT/SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<Div style=\"background&#x2D;color&#x3A;&#x20;http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;&#x2F;SRC&#x3D;\">\"></Div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
        public void XmlWithCDataXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<SPAN></SPAN>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
        public void AnchorTagDownlevelHiddenBlockXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<!--[if gte IE 4]><SCRIPT>alert('XSS');</SCRIPT><![endif]-->\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;&#x21;&#x2D;&#x2D;&#x5B;if&#x20;gte&#x20;IE&#x20;4&#x5D;&#x26;gt&#x3B;&#x26;lt&#x3B;&#x26;gt&#x3B;alert&#x28;&#x26;&#x23;39&#x3B;XSS&#x26;&#x23;39&#x3B;&#x29;&#x3B;&#x26;lt&#x3B;&#x2F;&#x26;gt&#x3B;&#x26;lt&#x3B;&#x21;&#x5B;endif&#x5D;&#x2D;&#x2D;&#x26;gt&#x3B;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
        public void DivJavascriptEscapingXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<div style=\"\";alert('XSS');//\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<div style=\"\"></div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 10
0
        public void DivBackgroundImageWithUnicodedXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<DIV STYLE=\"background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<DIV STYLE=\"background&#x2D;image&#x3A;&#xfffd;075&#xfffd;072&#xfffd;06C&#xfffd;028&#x26;&#x23;39&#x3B;&#xfffd;06a&#xfffd;061&#xfffd;076&#xfffd;061&#xfffd;073&#xfffd;063&#xfffd;072&#xfffd;069&#xfffd;070&#xfffd;074&#xfffd;03a&#xfffd;061&#xfffd;06c&#xfffd;065&#xfffd;072&#xfffd;074&#xfffd;028&#x2E;1027&#xfffd;058&#x2E;1053&#xfffd;053&#xfffd;027&#xfffd;029&#x26;&#x23;39&#x3B;&#xfffd;029\"></div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 11
0
        public void DivExpressionXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<DIV STYLE=\"width: expression(alert('XSS'));\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<DIV STYLE=\"width&#x3A;&#x28;alert&#x28;&#x26;&#x23;39&#x3B;XSS&#x26;&#x23;39&#x3B;&#x29;&#x29;&#x3B;\"></Div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 12
0
        public void AnchorTagMixedEncodingXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = @"<A HREF=""h
            tt	p://6&#9;6.000146.0x7.147/"">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"h&#x0D;&#x0A;tt&#x09;p&#x3A;&#x2F;&#x2F;6&#x26;amp&#x3B;&#x23;9&#x3B;6&#x2E;000146&#x2E;0x7&#x2E;147&#x2F;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 13
0
        public void BGSoundXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<BGSOUND SRC=\"javascript:alert('XSS');\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 14
0
        public void AnchorTagJavascriptLinkLocationXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"&#x3A;document&#x2E;location&#x3D;&#x26;&#x23;39&#x3B;http&#x3A;&#x2F;&#x2F;www&#x2E;google&#x2E;com&#x2F;&#x26;&#x23;39&#x3B;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 15
0
        public void AnchorTagIPVersesHostnameXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://66.102.7.147/\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;66&#x2E;102&#x2E;7&#x2E;147&#x2F;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 16
0
        public void XSSLocatorTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<a href=\"'';!--\"<XSS>=&{()}\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<a href=\"&#x26;&#x23;39&#x3B;&#x26;&#x23;39&#x3B;&#x3B;&#x21;&#x2D;&#x2D;\"></a>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 17
0
        public void XmlWithEmbeddedScriptXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<XML SRC=\"xsstest.xml\" ID=I></XML><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<SPAN></SPAN>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 18
0
        public void XmlWithCommentObfuscationXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<XML ID=\"xss\"><I><B>&lt;IMG SRC=\"javas<!-- -->cript:alert('XSS')\"&gt;</B></I></XML><SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<SPAN></SPAN>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 19
0
        public void BRJavascriptIncludeXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<BR SIZE=\"&{alert('XSS')}\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<BR>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 20
0
        public void AnchorTagNoQuotesXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT>a=/XSS/alert(a.source)</SCRIPT>\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;&#x26;gt&#x3B;a&#x3D;&#x2F;XSS&#x2F;alert&#x28;a&#x2E;source&#x29;&#x26;lt&#x3B;&#x2F;&#x26;gt&#x3B;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 21
0
        public void DivBackgroundImageXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<DIV STYLE=\"background&#x2D;image&#x3A;&#x20;url&#x28;&#x3A;alert&#x28;&#x26;&#x23;39&#x3B;XSS&#x26;&#x23;39&#x3B;&#x29;&#x29;\"></div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 22
0
        public void AnchorTagOctalEncodingXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://0102.0146.0007.00000223/\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;0102&#x2E;0146&#x2E;0007&#x2E;00000223&#x2F;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 23
0
        public void DivExtraneousOpenBracketsXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<<SCRIPT>alert(\"XSS\");//<</SCRIPT>\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<Div style=\"background&#x2D;color&#x3A;&#x20;http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;&#x26;lt&#x3B;&#x26;gt&#x3B;alert&#x28;\"></Div>\">";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 24
0
        public void AnchorTagProtocolResolutionScriptXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://www.codeplex.com?url=<SCRIPT SRC=//ha.ckers.org/.j>\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;SRC&#x3D;&#x2F;&#x2F;ha&#x2E;ckers&#x2E;org&#x2F;&#x2E;j&#x26;gt&#x3B;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 25
0
        public void DivHtmlQuotesEncapsulation7XSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<Div style=\"background&#x2D;color&#x3A;&#x20;http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;&#x26;gt&#x3B;document&#x2E;write&#x28;\"></div>PT SRC=\"http://ha.ckers.org/xss.js\">\">";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 26
0
        public void AnchorTagProtocolResolutionXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"//www.google.com/\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"&#x2F;&#x2F;www&#x2E;google&#x2E;com&#x2F;\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 27
0
        public void DivNoClosingScriptTagsXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<Div style=\"background-color: http://www.codeplex.com?url=<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>\">";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<Div style=\"background&#x2D;color&#x3A;&#x20;http&#x3A;&#x2F;&#x2F;www&#x2E;codeplex&#x2E;com&#x3F;url&#x3D;&#x26;lt&#x3B;SRC&#x3D;http&#x3A;&#x2F;&#x2F;ha&#x2E;ckers&#x2E;org&#x2F;xss&#x2E;js&#x3F;&#x26;lt&#x3B;B&#x26;gt&#x3B;\"></Div>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 28
0
        public void AnchorTagStyleExpressionXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:&#101;x&#x2F;*XSS*//*/*/pression(alert(\"XSS\"))'>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "exp/*<a></a>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }
Esempio n. 29
0
		/// <summary>
		/// Strips a lot of unsafe Javascript/Html/CSS from the markup, if the feature is enabled.
		/// </summary>
		private string RemoveHarmfulTags(string html)
		{
			if (_applicationSettings.UseHtmlWhiteList)
			{
				MarkupSanitizer sanitizer = new MarkupSanitizer(_applicationSettings, true, false, true);
				return sanitizer.SanitizeHtml(html);
			}
			else
			{
				return html;
			}
		}
Esempio n. 30
0
        public void AnchorTagUrlEncodingXSSTest()
        {
            // Arrange
            MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);

            // Act
            string htmlFragment = "<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">XSS</A>";
            string actual = sanitizer.SanitizeHtml(htmlFragment);

            // Assert
            string expected = "<A HREF=\"http&#x3A;&#x2F;&#x2F;&#x25;77&#x25;77&#x25;77&#x25;2E&#x25;67&#x25;6F&#x25;6F&#x25;67&#x25;6C&#x25;65&#x25;2E&#x25;63&#x25;6F&#x25;6D\">XSS</A>";
            Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
        }