public void DatabaseUpgradeAfter(int ixVersionFrom, int ixVersionTo, CDatabaseUpgradeApi apiUpgrade)
{
if (ixVersionFrom <= DB_CHANGE_VERSION_MESSAGES_HTML_SANITIZE)
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
var selectQuery = this.api.Database.NewSelectQuery(ExtendedEventEntity.GetPluginTableName(this.api.Database));
selectQuery.AddSelect("ixExtendedEvent, sMessage");
selectQuery.AddWhere("sEventType <> @sEventType");
selectQuery.SetParamString("@sEventType", "commit");
var ds = selectQuery.GetDataSet();
if (ds.Tables[0] != null && ds.Tables[0].Rows.Count > 0)
{
foreach (DataRow row in ds.Tables[0].Rows)
{
var sMessage = row["sMessage"] as string;
if (!String.IsNullOrEmpty(sMessage))
{
sMessage = sanitizer.Sanitize(sMessage);
var ixExtendedEvent = Convert.ToInt32(row["ixExtendedEvent"]);
var updateQuery = this.api.Database.NewUpdateQuery(ExtendedEventEntity.GetPluginTableName(this.api.Database));
updateQuery.UpdateString("sMessage", sMessage);
updateQuery.AddWhere("ixExtendedEvent = @ixExtendedEvent");
updateQuery.SetParamInt("@ixExtendedEvent", ixExtendedEvent);
updateQuery.Execute();
}
}
}
}
}
public static string RemoveHtmlTags(this string text, bool keepTextFormatingTags = false, bool keepHyperlinkTags = false)
{
if (string.IsNullOrWhiteSpace(text))
{
return(string.Empty);
}
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
if (keepTextFormatingTags)
{
// allow these tags and remove everything else
sanitizer.Tag("strong");
sanitizer.Tag("b").Rename("strong");
sanitizer.Tag("i");
sanitizer.Tag("u");
sanitizer.Tag("br");
}
if (keepHyperlinkTags)
{
// allow urls
sanitizer.Tag("a").SetAttribute("target", "_blank")
.SetAttribute("rel", "nofollow")
.CheckAttribute("href", HtmlSanitizerCheckType.Url)
.RemoveEmpty();
}
// For some reason, the Vereyon.Web nuget is not sanitizing <p> <blockquote> tags. so
// I'm renaming them to <div> and santizing the html again - rename then remove.
sanitizer.Tag("p").Rename("div");
sanitizer.Tag("blockquote").Rename("div");
string sanitizedHtmlExceptPTag = sanitizer.Sanitize(Regex.Unescape(text));
return(HttpUtility.HtmlDecode(sanitizer.Sanitize(sanitizedHtmlExceptPTag)));
}
private static HtmlSanitizer InitHtml5Sanitizer()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.Tag("img").AllowAttributes("src");
sanitizer.Tag("hr");
sanitizer.Tag("blockquote");
sanitizer.Tag("s");
sanitizer.Tag("pre");
sanitizer.Tag("code");
return(sanitizer);
}
public void Sanitizer_ImageWithBase64DataHtmlXssUri_RemovesTag()
{
// Arrange
var html = @"<img src=""data:text/html,<script>alert('hi');</script>"" alt=""Red dot"" />";
var expectedHtml = String.Empty;
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_ImageWithBase64DataUri_PreservesTag()
{
// Arrange
var html = @"<img src=""data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="" alt=""Red dot"">";
var expectedHtml = @"<img src=""data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAAUAAAAFCAYAAACNbyblAAAAHElEQVQI12P4//8/w38GIAXDIBKE0DHxgljNBAAO9TXL0Y4OHwAAAABJRU5ErkJggg=="" alt=""Red dot"">";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_HtmlScriptTag_RemovesTagAndContent()
{
// Arrange
var html = @"Hello <script>alert('world')</script>";
var expectedHtml = @"Hello ";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_UnknownHtmlTag_FlattensTagAndPreservesContent()
{
// Arrange
var html = @"Custom <x>tag</x>";
var expectedHtml = @"Custom tag";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_ComplexReleaseNoteWithImg_RemoveOnlyClassAttribute()
{
// Arrange
var html = @"<p>This is a test release note</p><p><img alt src=""https://releasenotes/data/trunk/1481719514715/database.png"" rel=""g1481719514715"" class=""cboxElement""></p>";
var expectedHtml = @"<p>This is a test release note</p><p><img alt="""" src=""https://releasenotes/data/trunk/1481719514715/database.png"" rel=""g1481719514715""></p>";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_ParaWithClassAttribute_AllowClassAttribute()
{
// Arrange
var html = @"<p class=""class1 class2"">text</p>";
var expectedHtml = @"<p class=""class1 class2"">text</p>";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_AnchorWithClassAttribute_AllowClassAttribute()
{
// Arrange
var html = @"<a href=""http://example.org/"" class=""class1"">Link</a>";
var expectedHtml = @"<a href=""http://example.org/"" class=""class1"" target=""_blank"" rel=""nofollow"">Link</a>";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_ImgTag_AllowTagWithSrcAttribute()
{
// Arrange
var html = @"<img src=""https://releasenotes/data/trunk/1481719514715/database.png"">";
var expectedHtml = @"<img src=""https://releasenotes/data/trunk/1481719514715/database.png"">";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
public void Sanitizer_ImageSourceWithBasicUri_ImageSourceUriEncoded()
{
// Arrange
var html = @"<img src=""https://server/Installer Logging Tools - Oracle VM VirtualBox.png"" alt="""" />";
var expectedHtml = @"<img src=""https://server/Installer%20Logging%20Tools%20-%20Oracle%20VM%20VirtualBox.png"" alt="""">";
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
// Act
var actualHtml = sanitizer.Sanitize(html);
// Assert
Assert.AreEqual(expectedHtml, actualHtml);
}
private string SanitizeMessage(string sEventType, string sMessage)
{
if (String.IsNullOrEmpty(sMessage))
{
return(sMessage);
}
switch (sEventType)
{
case "commit":
case "none":
return(sMessage);
default:
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
return(sanitizer.Sanitize(sMessage));
}
}
private static HtmlSanitizer InitHtml5Sanitizer()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.Tag("img").AllowAttributes("src");
sanitizer.Tag("hr");
//This is temporary changes to be upstreamed into HtmlRuleSanitizer
sanitizer.Tag("ol")
.AllowAttributes("start")
.AllowAttributes("type")
.AllowAttributes("reversed");
sanitizer.Tag("li")
.AllowAttributes("value");
//end of
sanitizer.Tag("blockquote");
sanitizer.Tag("s");
sanitizer.Tag("pre");
sanitizer.Tag("code");
return(sanitizer);
}
private static HtmlSanitizer InitHtml5Sanitizer()
{
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
sanitizer.Tag("img")
.CheckAttributeUrl("src")
.AllowAttributes("height")
.AllowAttributes("width")
.AllowAttributes("alt");
sanitizer
.Tag("iframe")
.SanitizeAttributes("src", AllowWhiteListedIframeDomains.Default)
.AllowAttributes("height")
.AllowAttributes("width")
.AllowAttributes("frameborder");
sanitizer.Tag("hr");
sanitizer.Tag("blockquote");
sanitizer.Tag("s");
sanitizer.Tag("pre");
sanitizer.Tag("code");
return(sanitizer);
}
public CPseudoBugEvent[] PseudoBugEvents(CBug bug, CBugEvent[] rgBugEvent)
{
int ixBug = bug.ixBug;
var sanitizer = HtmlSanitizer.SimpleHtml5Sanitizer();
var query = ExtendedEventEntity.QueryEvents(this.api.Database, ixBug);
var events = new List <CPseudoBugEvent>();
foreach (var entity in query)
{
string sMessage = entity.sMessage;
string sTitle = "";
switch (entity.sEventType)
{
case "commit":
sTitle = $"Revision {entity.sCommitRevision} commited";
sMessage = HttpUtility.HtmlEncode(sMessage);
sMessage = sMessage.Replace("\n", "<br>\n");
break;
case "build-success":
sTitle = $"Build {entity.sBuildName} successful";
sMessage = sanitizer.Sanitize(sMessage);
break;
case "build-failure":
sTitle = $"Build {entity.sBuildName} failed";
sMessage = sanitizer.Sanitize(sMessage);
break;
case "releasenote":
sTitle = $"Releasenotes message";
sMessage = sanitizer.Sanitize(sMessage);
break;
case "deployment":
sTitle = $"Deployed";
sMessage = sanitizer.Sanitize(sMessage);
break;
default:
sMessage = HttpUtility.HtmlEncode(sMessage);
break;
}
if (entity.ixPerson == 0 && !String.IsNullOrEmpty(entity.sPersonName))
{
sTitle += " by " + HttpUtility.HtmlEncode(entity.sPersonName);
}
else if (entity.ixPerson > 0)
{
sTitle += " by";
}
var sChanges = new StringBuilder();
if (!String.IsNullOrEmpty(entity.sModuleName))
{
sChanges.Append(HttpUtility.HtmlEncode(entity.sModuleName));
}
if (!String.IsNullOrEmpty(entity.sBranchName))
{
if (sChanges.Length > 0)
{
sChanges.Append(": ");
}
sChanges.Append(HttpUtility.HtmlEncode(entity.sBranchName));
}
if (!String.IsNullOrEmpty(entity.sExternalUrl))
{
sChanges.Append($@" <a href=""{HttpUtility.HtmlAttributeEncode(entity.sExternalUrl)}"">View details</a>");
}
var sHtml = this.api.UI.BugEvent(entity.dtEventUtc, entity.ixPerson, sTitle, sMessage, sChanges.ToString(), $"fbee-event fbee-{entity.sEventType}");
var evt = new CPseudoBugEvent(entity.dtEventUtc, sHtml);
events.Add(evt);
}
return(events.ToArray());
}
