Exemplo n.º 1
        public void invalid_a_hrefs_should_be_filtered()
        {
            // Fixture: three anchors under mysite.com that the policy is expected to keep,
            // followed by two anchors pointing at other hosts that must be stripped.
            const string markup = @"<div>
                                <a href='mysite.com/image.jpg' /> <!-- to be allowed --!>
                                <a href='mysite.com/some_relative_path' /> <!-- to be allowed --!>
                                <a href='mysite.com/some_relative_path/level2' /> <!-- to be allowed --!>
                                Some description 
                                <a href='hackers.com/xss.js' />
                                <a href='abc.com' />
                                another description
                             </div>";

            var sanitizer = new AntiSamy();
            AntiySamyResult result = sanitizer.Scan(markup, TestPolicy);

            // Content that has to survive: the wrapper, the plain text and every href
            // matching the allowed URL pattern in antisamy1.xml.
            // NOTE(review): "mysite.com/some_relative_path" is also a substring of the
            // ".../level2" href, so that check alone does not prove the second anchor was kept.
            string[] mustSurvive =
            {
                "<div",
                "Some description",
                "another description",
                "mysite.com/image.jpg",
                "mysite.com/some_relative_path",
                "mysite.com/some_relative_path/level2",
            };
            foreach (string fragment in mustSurvive)
            {
                result.CleanHtml.Should().Contain(fragment);
            }

            // Hrefs outside the allow-list must not appear anywhere in the sanitised output.
            string[] mustBeStripped =
            {
                "hackers.com/xss.js",
                "abc.com",
            };
            foreach (string fragment in mustBeStripped)
            {
                result.CleanHtml.Should().NotContain(fragment);
            }
        }
Exemplo n.º 2
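        public void TestDoesNotBlowUpWithAllPolicies([ValueSource("AllPolicyFilePaths")] string policyFile)
        {
            // Blog-style fixture with an inline event handler (onblur), inline styles and nested tags.
            // The literal is kept byte-for-byte: several concatenations join without a space
            // (e.g. "<img" + "style=..." yields "<imgstyle="), so the scanner is fed slightly
            // malformed markup.
            const string html = "<a onblur=\"try {parent.deselectBloggerImageGracefully();}" + "catch(e) {}\""
                                + "href=\"http://www.charityadvantage.com/ChildrensmuseumEaston/images/BookswithBill.jpg\"><img" + "style=\"FLOAT: right; MARGIN: 0px 0px 10px 10px; WIDTH: 150px; CURSOR:"
                                + "hand; HEIGHT: 100px\" alt=\"\"" + "src=\"http://www.charityadvantage.com/ChildrensmuseumEaston/images/BookswithBill.jpg\""
                                + "border=\"0\" /></a><br />Poor Bill, couldn't make it to the Museum's <span" + "class=\"blsp-spelling-corrected\" id=\"SPELLING_ERROR_0\">story time</span>"
                                + "today, he was so busy shoveling! Well, we sure missed you Bill! So since" + "ou were busy moving snow we read books about snow. We found a clue in one"
                                + "book which revealed a snowplow at the end of the story - we wish it had" + "driven to your driveway Bill. We also read a story which shared fourteen"
                                + "<em>Names For Snow. </em>We'll catch up with you next week....wonder which" + "hat Bill will wear?<br />Jane";

            // No try/catch: the previous empty catch swallowed the exception and left only a
            // "should not be null" failure with no cause. Letting the exception propagate fails
            // the test in the same situations, but the report now names the policy-loading or
            // scanning error that triggered it.
            Policy testPolicy = Policy.GetInstance(policyFile);
            testPolicy.Should().NotBeNull();

            string result = new AntiSamy().Scan(html, testPolicy).GetCleanHtml();

            // Robustness check only: this proves the scan completes and returns a string for the
            // given policy. It does not assert that the onblur handler or any other markup was removed.
            result.Should().NotBeNull();
        }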
Exemplo n.º 3
        public void invalid_tags_should_be_removed()
        {
            // Fixture: harmless text wrapped in a div, plus the embedding/framing elements
            // (iframe, object, embed, frame, frameset) that the policy is expected to drop.
            const string markup = @"<div>
                                Some description 
                                <iframe src='hackers.com/xss' />
                                <object data='hackers.com/xss' />
                                <embed />
                                <frame />
                                <frameset />
                             </div>";

            var sanitizer = new AntiSamy();
            AntiySamyResult result = sanitizer.Scan(markup, TestPolicy);

            // The wrapper element and its text must be preserved.
            foreach (string kept in new[] { "<div", "Some description" })
            {
                result.CleanHtml.Should().Contain(kept);
            }

            // None of the disallowed opening tags may remain in the output.
            // NOTE(review): "<frame" is a prefix of "<frameset", so the last check adds no extra
            // coverage. These are plain string matches, so a differently-cased tag in the output
            // would not be caught - confirm how the scanner serialises tag names.
            foreach (string banned in new[] { "<iframe", "<object", "<embed", "<frame", "<frameset" })
            {
                result.CleanHtml.Should().NotContain(banned);
            }
        }
Exemplo n.º 4
        public void Test_dom_good_result()
        {
            // A div with align="right" is the "known good" input: scanning it against
            // TestPolicy must not record any error message.
            const string validMarkup = "<div align=\"right\">html</div>";

            var scanner = new AntiSamy();
            AntiySamyResult result = scanner.Scan(validMarkup, TestPolicy);

            var errorCount = result.ErrorMessages.Count();
            errorCount.Should().Be(0);
        }
Exemplo n.º 5
        public void TestDomBadResult()
        {
            // Same element as the "good" case but with align="foo": the test expects the scan
            // to report at least one error message for it.
            const string invalidMarkup = "<div align=\"foo\">badhtml</div>";

            var scanner = new AntiSamy();
            AntiySamyResult result = scanner.Scan(invalidMarkup, TestPolicy);

            // Only the presence of an error is checked, not its text or what CleanHtml contains.
            var errorCount = result.ErrorMessages.Count();
            errorCount.Should().BeGreaterThan(0);
        }
Exemplo n.º 6
        public void allow_any_src_in_img_tag()
        {
            // Markup with an <img> whose src is a root-relative path. Under the
            // "antisamy-mysite.xml" policy the scanner is expected to return it untouched.
            const string markup = "Size Table: ;<p><img src=\"/Assets/ProductImages/chartlar/image.jpg\" width=\"456\" height=\"197\" alt=\"\" /></p> ; Lorem ipsum";

            var sanitizer = new AntiSamy();
            AntiySamyResult result = sanitizer.Scan(markup, GetPolicy("antisamy-mysite.xml"));

            // Exact equality: besides keeping the src, this also pins attribute order, quoting
            // and the self-closing form of the serialised output.
            // NOTE(review): only one src value is exercised, so "any src" in the test name is
            // broader than what is verified here - confirm what the policy actually permits.
            result.CleanHtml.Should().Be(markup);
        }
Exemplo n.º 7
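        public void TestDoesNotBlowUpShortScriptTagWithAllPolicies([ValueSource("AllPolicyFilePaths")] string policyFile)
        {
            // No try/catch: the previous empty catch hid the exception and left only a
            // "should not be null" failure with no cause. Letting it propagate fails the test in
            // the same situations, but the report now names the error that triggered it.
            Policy testPolicy = Policy.GetInstance(policyFile);
            testPolicy.Should().NotBeNull();

            // Short <script> tag whose src attribute value itself contains '<' and '>' characters.
            string result = new AntiSamy().Scan("<script src=\"<. \">\"></script>", testPolicy).GetCleanHtml();

            // Robustness check only: the scan must complete and return a string. Whether the
            // script tag was removed is not asserted here.
            result.Should().NotBeNull();
        }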
Exemplo n.º 8
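        public void TestDoesNotBlowUpOnEmptyTableWithAllPolicies([ValueSource("AllPolicyFilePaths")] string policyFile)
        {
            // No try/catch: the previous empty catch hid the exception and left only a
            // "should not be null" failure with no cause. Letting it propagate fails the test in
            // the same situations, but the report now names the error that triggered it.
            Policy testPolicy = Policy.GetInstance(policyFile);
            testPolicy.Should().NotBeNull();

            // A table whose only cell is empty.
            string result = new AntiSamy().Scan("<table><tr><td></td></tr></table>", testPolicy).GetCleanHtml();

            // Robustness check only: the scan must complete and return a string for this policy.
            result.Should().NotBeNull();
        }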
Exemplo n.º 9
        public void invalid_img_urls_should_be_filtered()
        {
            // Fixture: one image under mysite.com (expected to be kept) and one image whose src
            // points at another host (expected to be stripped).
            const string markup = @"<div>
                                <img src='mysite.com/image.jpg' /> <!-- to be allowed --!>
                                Some description 
                                <img src='hackers.com/xss.js' />
                             </div>";

            var sanitizer = new AntiSamy();
            AntiySamyResult result = sanitizer.Scan(markup, TestPolicy);

            // Text, wrapper and the src matching the allowed URL pattern in antisamy1.xml must survive.
            foreach (string kept in new[] { "Some description", "<div", "mysite.com/image.jpg" })
            {
                result.CleanHtml.Should().Contain(kept);
            }

            // The src outside the allow-list must not appear in the sanitised output.
            result.CleanHtml.Should().NotContain("hackers.com/xss.js");
        }
Exemplo n.º 10
        public void script_references_should_be_removed_by_default()
        {
            // Fixture: an external script reference, an inline script, and a second external
            // reference nested inside an otherwise harmless div.
            const string markup = @"<script type='text/javascript' src='hackers.com/xss.js' />
                          <script>alert('XSS !!!');</script>
                          <div>
                                Some description                                
                                <script type='text/javascript' src='hackers.com/xss.js' />
                          </div>";

            var sanitizer = new AntiSamy();
            AntiySamyResult result = sanitizer.Scan(markup, TestPolicy);

            // The div and its text content must be preserved.
            foreach (string kept in new[] { "<div", "Some description" })
            {
                result.CleanHtml.Should().Contain(kept);
            }

            // No opening script tag may remain.
            // NOTE(review): only the tag is checked. Whether the inline script body or the
            // external URL can survive as plain text is not asserted - worth confirming against
            // the policy and adding explicit checks if they must be dropped too.
            result.CleanHtml.Should().NotContain("<script");
        }
Exemplo n.º 11
 // Test fixture initialisation: creates the scanner and loads the default policy.
 // NOTE(review): presumably invoked by the test framework before each test; the
 // attribute that would confirm this is not visible here.
 public void SetUp()
 {
     // New scanner instance stored in the fixture's antisamy member.
     antisamy = new AntiSamy();
     // Policy loaded from the path held in TestConstants.DEFAULT_POLICY_PATH. Any exception
     // from loading is not handled here and would surface from SetUp.
     policy   = Policy.GetInstance(TestConstants.DEFAULT_POLICY_PATH);
 }