public void DoNotClearUrlText()
        {
            var extender = new HtmlEditorExtender();

            extender.EnableSanitization = false;
            var text     = "Please click <a href=\"www.curl.com\">here</a>.";
            var actual   = extender.Decode(text);
            var expected = text;

            Assert.AreEqual(expected, actual);
        }
        public void StripScriptTagWithoutAttributes()
        {
            var extender = new HtmlEditorExtender {
                EnableSanitization = false
            };

            var text   = @" <script>";
            var actual = extender.Decode(text);

            Assert.AreEqual("", actual);
        }
        public void DoNotStripTagsWithAttributeNameStartsWithScript()
        {
            var extender = new HtmlEditorExtender {
                EnableSanitization = false
            };

            var text     = @"<mrow class=""MJX-TeXAtom-ORD""><mstyle displaystyle=""true"" scriptlevel=""0""></mstyle></mrow>";
            var actual   = extender.Decode(text);
            var expected = text;

            Assert.AreEqual(expected, actual);
        }
예제 #4
0
        public void DoNotStripDataEncodedImage()
        {
            using (var html = new HtmlEditorExtender()) {
                html.Sanitizer = new DefaultHtmlSanitizer();

                var decodedText = html.Decode(@"
                    <img src=""data:text/javascript,alert(1)"">
                    <img src=""data:image/png;base64,iVBOReprst"">
                ");

                Assert.True(decodedText.Contains("data:image/png"));
                Assert.False(decodedText.Contains("data:text/javascript"));
            }
        }
예제 #5
0
        public void TestDecode()
        {
            // Arrange
            var editor = new HtmlEditorExtender();

            editor.SanitizerProvider = new HtmlAgilityPackSanitizerProvider();
            var input  = TestContext.DataRow["Input"] as string;
            var output = TestContext.DataRow["Output"] as string;

            // Act
            var result = editor.Decode(input);

            // Assert
            Assert.AreEqual(output, input);
        }
        public void AlwaysHasDefaultWhitelistEements()
        {
            var extender = new HtmlEditorExtender();

            extender.EnableSanitization = true;
            var sanitizerMoq = new Mock <IHtmlSanitizer>();

            sanitizerMoq.Setup(c => c.GetSafeHtmlFragment(It.IsAny <string>(), It.IsAny <Dictionary <string, string[]> >())).Returns((string x, Dictionary <string, string[]> y) => x);
            extender.Sanitizer = sanitizerMoq.Object;

            var text     = "<span>text</span><br />";
            var actual   = extender.Decode(text);
            var expected = text;

            Assert.AreEqual(expected, actual);
        }
예제 #7
0
        public void RemoveInsecureHtml()
        {
            using (var html = new HtmlEditorExtender()) {
                html.EnableSanitization = false;

                // was "Z"
                Assert.AreEqual("A", html.Decode("A<script>Z"));

                // was "<script>Z"
                Assert.AreEqual("", html.Decode("<script>Z"));

                Assert.AreEqual("AZ", html.Decode("A<script attr>...</script attr>Z"));

                // was "Hello world!alert()" - see https://github.com/DevExpress/AjaxControlToolkit/issues/525
                Assert.AreEqual(
                    "Hello world! ",
                    html.Decode("Hello world! <script>alert();</script>")
                    );

                // was "<style</style>" - see https://github.com/DevExpress/AjaxControlToolkit/issues/513
                var issue513html = "<style><!-- body { font-family: Script; } --></style>";
                Assert.AreEqual(issue513html, html.Decode(issue513html));

                // was "<pClick me</a></p>"
                Assert.AreEqual(
                    "<p><a>Click me</a></p>",
                    html.Decode("<p><a href='javascript:alert()'>Click me</a></p>")
                    );

                var comment = "<!-- behavior of expression filter data:text/plain -->";
                Assert.AreEqual(comment, html.Decode(comment));

                Assert.AreEqual(
                    "<p><p><p><p>",
                    html.Decode(
                        "<p style='width: expression(1)'>" +
                        "<p style='position: absolute'>" +
                        "<p style='filter: inherit'>" +
                        "<p style='behavior: url(something.htc)>"
                        )
                    );
            }
        }