private static void EvaluateChildren(
            XDoc script,
            XmlElement node,
            DekiScriptEvalContext context,
            DekiScriptEnv env,
            DekiScriptRuntime runtime,
            out bool scripted,
            ref bool error
            )
        {
            scripted = false;

            // recurse first to evaluate nested script content
            XmlNode child = node.FirstChild;

            while (child != null)
            {
                XmlNode next = child.NextSibling;
                if (child.NodeType == XmlNodeType.Element)
                {
                    bool childScripted;
                    next     = Evaluate(script, (XmlElement)child, context, env, runtime, out childScripted, ref error);
                    scripted = scripted || childScripted;
                }
                child = next;
            }
        }
        //--- Class Methods ---
        public static XmlNode Evaluate(
            XDoc script,
            XmlElement node,
            DekiScriptEvalContext context,
            DekiScriptEnv env,
            DekiScriptRuntime runtime,
            out bool scripted,
            ref bool error
        ) {
            if((context.Mode != DekiScriptEvalMode.Verify) && (context.Mode != DekiScriptEvalMode.EvaluateEditOnly) && (context.Mode != DekiScriptEvalMode.EvaluateSaveOnly)) {
                throw new InvalidOperationException("DekiScript interpreter can only used for save, edit, or verify evaluations.");
            }
            scripted = false;
            XmlNode next = node.NextSibling;
            try {

                // check if element needs to be evaluated
                if(StringUtil.EqualsInvariant(node.NamespaceURI, XDekiScript.ScriptNS)) {
                    scripted = true;

                    // NOTE (steveb): <eval:xyz> nodes are not processed by the interpreter anymore

                } else {
                    XDoc current = script[node];
                    bool hasScriptClass = StringUtil.EqualsInvariant(node.GetAttribute("class"), "script");

                    #region <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
                    // check if element has form <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
                    scripted = node.HasAttribute("init") || node.HasAttribute("if") || node.HasAttribute("foreach") || node.HasAttribute("block");
                    if(context.Mode == DekiScriptEvalMode.Verify) {

                        // check if "block" is present
                        string blockAttr = node.GetAttribute("block");
                        if(!string.IsNullOrEmpty(blockAttr)) {

                            // TODO (steveb): validate script expression

                        }

                        // check if "foreach" is present
                        string foreachAttr = node.GetAttribute("foreach");
                        if(!string.IsNullOrEmpty(foreachAttr)) {

                            // TODO (steveb): validate script expression

                        }

                        // check if "if" is present
                        string ifAttr = node.GetAttribute("if");
                        if(!string.IsNullOrEmpty(ifAttr)) {

                            // TODO (steveb): validate script expression

                        }

                        // check if "init" is present
                        string initAttr = node.GetAttribute("init");
                        if(!string.IsNullOrEmpty(initAttr)) {

                            // TODO (steveb): validate script expression

                        }
                    }
                    #endregion

                    // evaluate child nodes
                    EvaluateChildren(script, node, context, env, runtime, out scripted, ref error);

                    #region evaluate attributes
                    for(int i = 0; i < node.Attributes.Count; ++i) {
                        XmlAttribute attribute = node.Attributes[i];

                        // check if attribute needs to be evaluated
                        if(attribute.NamespaceURI == XDekiScript.ScriptNS) {
                            scripted = true;

                            // NOTE (steveb): eval:xyz="abc" attributes are not processed by the interpreter anymore

                        } else if(StringUtil.StartsWithInvariant(attribute.Value, "{{") && StringUtil.EndsWithInvariant(attribute.Value, "}}")) {
                            scripted = true;

                            // NOTE (steveb): key="{{value}}"
                            string code = attribute.Value.Substring(2, attribute.Value.Length - 4).Trim();

                            // check if script content is substituted
                            bool isPermanentReplacement = false;
                            if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN)) {
                                isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                                code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
                            } else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN)) {
                                isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                                code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
                            } else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN)) {
                                isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
                                code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
                            }

                            // parse expression
                            if((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement) {
                                DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(attribute), code);
                                if(isPermanentReplacement) {
                                    DekiScriptLiteral eval = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);

                                    // determine what the outcome value is
                                    string value = eval.AsString();

                                    // check if we have a value to replace the current attribute with
                                    if((value != null) && !DekiScriptLibrary.ContainsXSSVulnerability(attribute.LocalName, value)) {
                                        attribute.Value = value;
                                    } else {
                                        node.Attributes.RemoveAt(i);
                                        --i;
                                    }
                                }
                            }
                        }
                    }
                    #endregion

                    #region evaluate <span class="script"> or <pre class="script">
                    if(hasScriptClass && (StringUtil.EqualsInvariant(node.LocalName, "pre") || StringUtil.EqualsInvariant(node.LocalName, "span")) && !node.HasAttribute("function")) {

                        // replace the non-breaking space character with space
                        string code = node.InnerText.ReplaceAll("\u00A0", " ", "\u00AD", "").Trim();

                        // check if script content is substituted
                        bool isPermanentReplacement = false;
                        if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN)) {
                            isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                            code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
                        } else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN)) {
                            isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                            code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
                        } else if(StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN)) {
                            isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
                            code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
                        }

                        // parse expression
                        if((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement) {
                            DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(node), code);
                            if(isPermanentReplacement) {
                                DekiScriptLiteral value = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);
                                context.ReplaceNodeWithValue(node, value);
                            }
                            if(!isPermanentReplacement) {
                                scripted = true;
                            }
                        }
                    }
                    #endregion
                }
            } catch(Exception e) {

                // only embed error in verify mode, not in save/edit modes
                if(context.Mode == DekiScriptEvalMode.Verify) {
                    context.InsertExceptionMessageBeforeNode(env, node.ParentNode, node, ComputeNodeLocation(node), e);
                    node.ParentNode.RemoveChild(node);
                }
                error |= true;
            }
            return next;
        }
        private static void EvaluateChildren(
            XDoc script,
            XmlElement node,
            DekiScriptEvalContext context,
            DekiScriptEnv env,
            DekiScriptRuntime runtime,
            out bool scripted,
            ref bool error
        ) {
            scripted = false;

            // recurse first to evaluate nested script content
            XmlNode child = node.FirstChild;
            while(child != null) {
                XmlNode next = child.NextSibling;
                if(child.NodeType == XmlNodeType.Element) {
                    bool childScripted;
                    next = Evaluate(script, (XmlElement)child, context, env, runtime, out childScripted, ref error);
                    scripted = scripted || childScripted;
                }
                child = next;
            }
        }
        //--- Class Methods ---
        public static XmlNode Evaluate(
            XDoc script,
            XmlElement node,
            DekiScriptEvalContext context,
            DekiScriptEnv env,
            DekiScriptRuntime runtime,
            out bool scripted,
            ref bool error
            )
        {
            if ((context.Mode != DekiScriptEvalMode.Verify) && (context.Mode != DekiScriptEvalMode.EvaluateEditOnly) && (context.Mode != DekiScriptEvalMode.EvaluateSaveOnly))
            {
                throw new InvalidOperationException("DekiScript interpreter can only used for save, edit, or verify evaluations.");
            }
            scripted = false;
            XmlNode next = node.NextSibling;

            try {
                // check if element needs to be evaluated
                if (StringUtil.EqualsInvariant(node.NamespaceURI, XDekiScript.ScriptNS))
                {
                    scripted = true;

                    // NOTE (steveb): <eval:xyz> nodes are not processed by the interpreter anymore
                }
                else
                {
                    XDoc current        = script[node];
                    bool hasScriptClass = StringUtil.EqualsInvariant(node.GetAttribute("class"), "script");

                    #region <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
                    // check if element has form <elem class="script" init="..." if="..." foreach="..." where="..." block="...">
                    scripted = node.HasAttribute("init") || node.HasAttribute("if") || node.HasAttribute("foreach") || node.HasAttribute("block");
                    if (context.Mode == DekiScriptEvalMode.Verify)
                    {
                        // check if "block" is present
                        string blockAttr = node.GetAttribute("block");
                        if (!string.IsNullOrEmpty(blockAttr))
                        {
                            // TODO (steveb): validate script expression
                        }

                        // check if "foreach" is present
                        string foreachAttr = node.GetAttribute("foreach");
                        if (!string.IsNullOrEmpty(foreachAttr))
                        {
                            // TODO (steveb): validate script expression
                        }

                        // check if "if" is present
                        string ifAttr = node.GetAttribute("if");
                        if (!string.IsNullOrEmpty(ifAttr))
                        {
                            // TODO (steveb): validate script expression
                        }

                        // check if "init" is present
                        string initAttr = node.GetAttribute("init");
                        if (!string.IsNullOrEmpty(initAttr))
                        {
                            // TODO (steveb): validate script expression
                        }
                    }
                    #endregion

                    // evaluate child nodes
                    EvaluateChildren(script, node, context, env, runtime, out scripted, ref error);

                    #region evaluate attributes
                    for (int i = 0; i < node.Attributes.Count; ++i)
                    {
                        XmlAttribute attribute = node.Attributes[i];

                        // check if attribute needs to be evaluated
                        if (attribute.NamespaceURI == XDekiScript.ScriptNS)
                        {
                            scripted = true;

                            // NOTE (steveb): eval:xyz="abc" attributes are not processed by the interpreter anymore
                        }
                        else if (StringUtil.StartsWithInvariant(attribute.Value, "{{") && StringUtil.EndsWithInvariant(attribute.Value, "}}"))
                        {
                            scripted = true;

                            // NOTE (steveb): key="{{value}}"
                            string code = attribute.Value.Substring(2, attribute.Value.Length - 4).Trim();

                            // check if script content is substituted
                            bool isPermanentReplacement = false;
                            if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN))
                            {
                                isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                                code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
                            }
                            else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN))
                            {
                                isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                                code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
                            }
                            else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN))
                            {
                                isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
                                code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
                            }

                            // parse expression
                            if ((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement)
                            {
                                DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(attribute), code);
                                if (isPermanentReplacement)
                                {
                                    DekiScriptLiteral eval = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);

                                    // determine what the outcome value is
                                    string value = eval.AsString();

                                    // check if we have a value to replace the current attribute with
                                    if ((value != null) && !DekiScriptLibrary.ContainsXSSVulnerability(attribute.LocalName, value))
                                    {
                                        attribute.Value = value;
                                    }
                                    else
                                    {
                                        node.Attributes.RemoveAt(i);
                                        --i;
                                    }
                                }
                            }
                        }
                    }
                    #endregion

                    #region evaluate <span class="script"> or <pre class="script">
                    if (hasScriptClass && (StringUtil.EqualsInvariant(node.LocalName, "pre") || StringUtil.EqualsInvariant(node.LocalName, "span")) && !node.HasAttribute("function"))
                    {
                        // replace the non-breaking space character with space
                        string code = node.InnerText.ReplaceAll("\u00A0", " ", "\u00AD", "").Trim();

                        // check if script content is substituted
                        bool isPermanentReplacement = false;
                        if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SAVE_PATTERN))
                        {
                            isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                            code = code.Substring(DekiScriptRuntime.ON_SAVE_PATTERN.Length);
                        }
                        else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_SUBST_PATTERN))
                        {
                            isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateSaveOnly);
                            code = code.Substring(DekiScriptRuntime.ON_SUBST_PATTERN.Length);
                        }
                        else if (StringUtil.StartsWithInvariantIgnoreCase(code, DekiScriptRuntime.ON_EDIT_PATTERN))
                        {
                            isPermanentReplacement = (context.Mode == DekiScriptEvalMode.EvaluateEditOnly);
                            code = code.Substring(DekiScriptRuntime.ON_EDIT_PATTERN.Length);
                        }

                        // parse expression
                        if ((context.Mode == DekiScriptEvalMode.Verify) || isPermanentReplacement)
                        {
                            DekiScriptExpression expression = DekiScriptParser.Parse(ComputeNodeLocation(node), code);
                            if (isPermanentReplacement)
                            {
                                DekiScriptLiteral value = runtime.Evaluate(expression, DekiScriptEvalMode.EvaluateSafeMode, env);
                                context.ReplaceNodeWithValue(node, value);
                            }
                            if (!isPermanentReplacement)
                            {
                                scripted = true;
                            }
                        }
                    }
                    #endregion
                }
            } catch (Exception e) {
                // only embed error in verify mode, not in save/edit modes
                if (context.Mode == DekiScriptEvalMode.Verify)
                {
                    context.InsertExceptionMessageBeforeNode(env, node.ParentNode, node, ComputeNodeLocation(node), e);
                    node.ParentNode.RemoveChild(node);
                }
                error |= true;
            }
            return(next);
        }
예제 #5
0
        public void EvaluateContent(XDoc script, DekiScriptEnv env, DekiScriptEvalMode mode, out bool scripted) {
            scripted = false;
            switch(mode) {
            case DekiScriptEvalMode.None:
                break;
            case DekiScriptEvalMode.Evaluate:
            case DekiScriptEvalMode.EvaluateSafeMode: {
                var expr = DekiScriptParser.Parse(script);
                try {
                    expr = DekiContext.Current.Instance.ScriptRuntime.Evaluate(expr, mode, env);
                } catch(Exception e) {
                    var error = DekiScriptLibrary.MakeErrorObject(e, env);
                    DekiContext.Current.Instance.ScriptRuntime.LogExceptionInOutput(error);
                    expr = DekiScriptExpression.Constant(DekiScriptLibrary.WebShowError((Hashtable)error.NativeValue));
                }

                // check if outcome is an XML document
                var xml = expr as DekiScriptXml;
                if(xml != null) {

                    // check if outcome is the expected content document
                    if(xml.Value.HasName("content")) {
                        script.Replace(((DekiScriptXml)expr).Value);
                    } else {

                        // remove all contents from existing document and append new document
                        script.RemoveNodes();
                        script.Start("body").Add(xml.Value).End();
                    }
                } else if(expr is DekiScriptString) {   

                    // remove all contents from existing document and append new document
                    script.RemoveNodes();
                    script.Start("body").Value(((DekiScriptString)expr).Value).End();
                } else {

                    // remove all contents from existing document and append new document
                    script.RemoveNodes();
                    script.Start("body").Value(expr.ToString()).End();
                }
            }
                break;
            case DekiScriptEvalMode.EvaluateEditOnly:
            case DekiScriptEvalMode.EvaluateSaveOnly:
            case DekiScriptEvalMode.Verify: {
                DekiScriptEvalContext context = new DekiScriptEvalContext(script, mode, false, DekiContext.Current.Instance.ScriptRuntime.GetMaxOutputSize(mode));

                // add <head> and <tail> sections
                context.AddHeadElements(script);
                context.AddTailElements(script);
                script["head"].RemoveNodes();
                script["tail"].RemoveNodes();

                // evaluate the script
                bool error = false;
                DekiScriptInterpreter.Evaluate(script, (XmlElement)script.Root.AsXmlNode, context, env, DekiContext.Current.Instance.ScriptRuntime, out scripted, ref error);
                if((mode == DekiScriptEvalMode.Verify) || !error) {
                    context.MergeContextIntoDocument(script.AsXmlNode.OwnerDocument);
                }
            }
                break;
            default:
                throw new InvalidOperationException(string.Format("unrecognized evaluation mode '{0}'", mode));
            }
        }