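/// <summary>
/// Parses <paramref name="url"/> as a referrer url. The referrer may be external, but it
/// must not contain script, and (when <paramref name="requestedUrl"/> is supplied) its text
/// must not contain the absolute path of the requested url.
/// </summary>
/// <param name="url">The raw referrer value; null or empty yields null.</param>
/// <param name="requestedUrl">The url of the current request, or null to skip the path check.</param>
/// <returns>The parsed referrer, or null when it is missing, unparsable, self-referential or contains script.</returns>
public static ReadOnlyUrl GetReferrerUrl(this string url, ReadOnlyUrl requestedUrl)
{
    // It may be external, but must not contain script.
    if (string.IsNullOrEmpty(url))
    {
        return null;
    }

    var referrerUrl = TryParseUrl(url);
    if (referrerUrl == null)
    {
        return null;
    }

    // Ordinal comparison: the culture-sensitive IndexOf(string) overload can treat some
    // characters as ignorable, which makes this check behave differently across cultures
    // and runtimes. Url paths are not linguistic text.
    var referrerText = referrerUrl.ToString();
    if (requestedUrl != null && referrerText.IndexOf(requestedUrl.AbsolutePath, System.StringComparison.Ordinal) != -1)
    {
        return null;
    }

    if (HtmlUtil.ContainsScript(referrerText))
    {
        return null;
    }

    return referrerUrl;
}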
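/// <summary>
/// Accepts any value that is not a string or string array; otherwise rejects a string
/// (or any element of the array) that is non-empty and contains script.
/// </summary>
/// <param name="value">The value under validation.</param>
/// <returns>false when script is detected in a string or string[] value; true otherwise.</returns>
protected override bool IsValid(object value)
{
    // Only string and string[] values are inspected; everything else passes through.
    if (!(value is string || value is string[]))
    {
        return true;
    }

    var single = value as string;
    if (single != null)
    {
        return !(single.Length != 0 && HtmlUtil.ContainsScript(single));
    }

    var many = (string[])value;
    foreach (var item in many)
    {
        // A null element previously threw NullReferenceException on item.Length;
        // treat it like an empty string, which cannot contain script.
        if (!string.IsNullOrEmpty(item) && HtmlUtil.ContainsScript(item))
        {
            return false;
        }
    }

    return true;
}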
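/// <summary>
/// Verifies that CleanScriptAndEventTags strips inline event handlers and script elements
/// while leaving ordinary text (including apostrophes) intact.
/// </summary>
public void TestCleanScriptAndEventTags()
{
    const string doubleApostrophes = "This job ad's content contains a two apostrophes. It's getting truncated.";
    const string doubleApostrophesWithScript = "This job ad's content contains some <script>alert(0)</script>." + " It's getting truncated.";

    // Double-quoted inline event handler.
    const string dirty1 = "<a href=\"linkme.com.au\" onClick=\"javascript:alert('hackslol11!!eleven!');\">hahah</a>";
    string clean1 = HtmlUtil.CleanScriptAndEventTags(dirty1);
    Assert.AreNotEqual(dirty1, clean1);
    Assert.IsFalse(HtmlUtil.ContainsScript(clean1));
    Assert.AreEqual("<a href=\"linkme.com.au\">hahah</a>", clean1);

    // Single-quoted inline event handler. This case used to clean dirty1 a second time,
    // so the single-quoted variant was never actually exercised.
    const string dirty2 = "<a href=\"linkme.com.au\" onClick='alert(\'hackslol11!!eleven!\');'>hahah</a>";
    string clean2 = HtmlUtil.CleanScriptAndEventTags(dirty2);
    Assert.AreNotEqual(dirty2, clean2);
    Assert.IsFalse(HtmlUtil.ContainsScript(clean2));
    Assert.AreEqual("<a href=\"linkme.com.au\">hahah</a>", clean2);

    // Whole script elements are removed, including their content.
    Assert.AreEqual("", HtmlUtil.CleanScriptAndEventTags("<script type=\"text\\javascript\">alert('lolhax');</script>"));
    Assert.AreEqual("Valid text with in it.", HtmlUtil.CleanScriptAndEventTags("Valid text with <script type=\"text\\javascript\">alert('lolhax');</script> in it."));
    Assert.AreEqual("", HtmlUtil.CleanScriptAndEventTags("<script <a href=\"linkme.com.au\" onclick=\"alert('smrt');\">hahah</a>>alert('This is smarta!');</script>"));

    // Bug 7104 - content between apostrophes gets removed.
    Assert.AreEqual(doubleApostrophes, HtmlUtil.CleanScriptAndEventTags(doubleApostrophes));
    Assert.AreEqual("This job ad's content contains some . It's getting truncated.", HtmlUtil.CleanScriptAndEventTags(doubleApostrophesWithScript));
}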
/// <summary>
/// Verifies that ContainsScript ignores script-free input and detects script elements and
/// request-filtering bypass payloads.
/// </summary>
public void TestContainsScript()
{
    // Plain text and script-free markup must not be flagged.
    var scriptFree = new[]
    {
        "whatever",
        "<html><body>text</body></html>",
    };
    foreach (var input in scriptFree)
    {
        Assert.IsFalse(HtmlUtil.ContainsScript(input));
    }

    // Script elements must be detected with extra whitespace in the tags or with the
    // closing tag missing.
    var withScript = new[]
    {
        "<html><body><script>text</script></body></html>",
        "<html><body><script >text</script></body></html>",
        "<html><body><script>text</script </body></html>",
        "<html><body><script >text</body></html>",
    };
    foreach (var input in withScript)
    {
        Assert.IsTrue(HtmlUtil.ContainsScript(input));
    }

    // Case 1521 - Microsoft .NET request filtering bypass vulnerability - LinkMe version
    var bypassPayloads = new[]
    {
        "</XSS/*-*/STYLE=xss:e/**/xpression(alert(document.cookie))>",
        "<XSS STYLE=xss:e/**/xpression(alert(document.cookie))>",
        "<//*-*/XSSSTYLE=xss:e/**/xpression(alert(document.cookie))>",
        "</*-*/X/*-*/S/*-*/S ST/*-*/YLE=xss:e/**/xpression(alert(document.cookie))>",
    };
    foreach (var payload in bypassPayloads)
    {
        TestXss(payload);
    }
}
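/// <summary>
/// Parses <paramref name="url"/> as the requested url, rejecting values that contain script.
/// </summary>
/// <param name="url">The raw requested url; null or empty yields null.</param>
/// <returns>The parsed url, or null when it is missing, unparsable or contains script.</returns>
public static ReadOnlyUrl GetRequestedUrl(this string url)
{
    // Validate the url.
    if (string.IsNullOrEmpty(url))
    {
        return null;
    }

    var requestedUrl = TryParseUrl(url);
    // TryParseUrl appears to return null for an unparsable value (GetReferrerUrl guards for
    // this); without this check the ToString() call below would throw NullReferenceException.
    if (requestedUrl == null)
    {
        return null;
    }

    if (HtmlUtil.ContainsScript(requestedUrl.ToString()))
    {
        return null;
    }

    return requestedUrl;
}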
/// <summary>
/// A redirect target is allowed only when its text contains no script and it is an internal url.
/// </summary>
/// <param name="url">The candidate redirect target.</param>
/// <returns>true when the url is script-free and internal; false otherwise.</returns>
private static bool IsAllowedRedirects(this ReadOnlyUrl url)
{
    // Check for cases 3032 (open redirects) and 4241 (XSS via links).
    if (HtmlUtil.ContainsScript(url.ToString()))
    {
        return false;
    }

    return NavigationManager.IsInternalUrl(url);
}
/// <summary>
/// Asserts that a request-filtering bypass payload is recognised both as script and as html.
/// </summary>
/// <param name="xss">The payload to check.</param>
private static void TestXss(string xss)
{
    var detectedAsScript = HtmlUtil.ContainsScript(xss);
    Assert.IsTrue(detectedAsScript);

    var detectedAsHtml = HtmlUtil.ContainsHtml(xss);
    Assert.IsTrue(detectedAsHtml);
}