public static ReadOnlyUrl GetReferrerUrl(this string url, ReadOnlyUrl requestedUrl)
{
// It may be external, but must not contain script.
if (string.IsNullOrEmpty(url))
{
return(null);
}
var referrerUrl = TryParseUrl(url);
if (referrerUrl != null)
{
if (requestedUrl != null && referrerUrl.ToString().IndexOf(requestedUrl.AbsolutePath) != -1)
{
return(null);
}
if (HtmlUtil.ContainsScript(referrerUrl.ToString()))
{
return(null);
}
}
return(referrerUrl);
}
protected override bool IsValid(object value)
{
if (!(value is string || value is string[]))
{
return(true);
}
var s = value as string;
if (s != null)
{
if (s.Length != 0 && HtmlUtil.ContainsScript(s))
{
return(false);
}
}
else
{
var a = value as string[];
foreach (var v in a)
{
if (v.Length != 0 && HtmlUtil.ContainsScript(v))
{
return(false);
}
}
}
return(true);
}
public void TestCleanScriptAndEventTags()
{
const string doubleApostrophes = "This job ad's content contains a two apostrophes. It's getting truncated.";
const string doubleApostrophesWithScript = "This job ad's content contains some <script>alert(0)</script>."
+ " It's getting truncated.";
const string dirty1 = "<a href=\"linkme.com.au\" onClick=\"javascript:alert('hackslol11!!eleven!');\">hahah</a>";
string clean1 = HtmlUtil.CleanScriptAndEventTags(dirty1);
Assert.AreNotEqual(dirty1, clean1);
Assert.IsFalse(HtmlUtil.ContainsScript(clean1));
Assert.AreEqual("<a href=\"linkme.com.au\">hahah</a>", clean1);
const string dirty2 = "<a href=\"linkme.com.au\" onClick='alert(\'hackslol11!!eleven!\');'>hahah</a>";
string clean2 = HtmlUtil.CleanScriptAndEventTags(dirty1);
Assert.AreNotEqual(dirty2, clean2);
Assert.IsFalse(HtmlUtil.ContainsScript(clean2));
Assert.AreEqual("<a href=\"linkme.com.au\">hahah</a>", clean2);
Assert.AreEqual("", HtmlUtil.CleanScriptAndEventTags("<script type=\"text\\javascript\">alert('lolhax');</script>"));
Assert.AreEqual("Valid text with in it.", HtmlUtil.CleanScriptAndEventTags("Valid text with <script type=\"text\\javascript\">alert('lolhax');</script> in it."));
Assert.AreEqual("", HtmlUtil.CleanScriptAndEventTags("<script <a href=\"linkme.com.au\" onclick=\"alert('smrt');\">hahah</a>>alert('This is smarta!');</script>"));
// Bug 7104 - content between apostrophes gets removed.
Assert.AreEqual(doubleApostrophes, HtmlUtil.CleanScriptAndEventTags(doubleApostrophes));
Assert.AreEqual("This job ad's content contains some . It's getting truncated.",
HtmlUtil.CleanScriptAndEventTags(doubleApostrophesWithScript));
}
public void TestContainsScript()
{
Assert.IsFalse(HtmlUtil.ContainsScript("whatever"));
Assert.IsFalse(HtmlUtil.ContainsScript("<html><body>text</body></html>"));
Assert.IsTrue(HtmlUtil.ContainsScript("<html><body><script>text</script></body></html>"));
Assert.IsTrue(HtmlUtil.ContainsScript("<html><body><script >text</script></body></html>"));
Assert.IsTrue(HtmlUtil.ContainsScript("<html><body><script>text</script </body></html>"));
Assert.IsTrue(HtmlUtil.ContainsScript("<html><body><script >text</body></html>"));
// Case 1521 - Microsoft .NET request filtering bypass vulnerability - LinkMe version
TestXss("</XSS/*-*/STYLE=xss:e/**/xpression(alert(document.cookie))>");
TestXss("<XSS STYLE=xss:e/**/xpression(alert(document.cookie))>");
TestXss("<//*-*/XSSSTYLE=xss:e/**/xpression(alert(document.cookie))>");
TestXss("</*-*/X/*-*/S/*-*/S ST/*-*/YLE=xss:e/**/xpression(alert(document.cookie))>");
}
public static ReadOnlyUrl GetRequestedUrl(this string url)
{
// Validate the url.
if (string.IsNullOrEmpty(url))
{
return(null);
}
var requestedUrl = TryParseUrl(url);
if (HtmlUtil.ContainsScript(requestedUrl.ToString()))
{
return(null);
}
return(requestedUrl);
}
private static bool IsAllowedRedirects(this ReadOnlyUrl url)
{
// Check for cases 3032 (open redirects) and 4241 (XSS via links).
return(!HtmlUtil.ContainsScript(url.ToString()) && NavigationManager.IsInternalUrl(url));
}
private static void TestXss(string xss)
{
Assert.IsTrue(HtmlUtil.ContainsScript(xss));
Assert.IsTrue(HtmlUtil.ContainsHtml(xss));
}