        /// <summary>
        /// A <c>javascript:</c> URL in an anchor's <c>href</c> must not survive sanitisation.
        /// With <c>Whitelist.Relaxed()</c> the <c>a</c> element is kept but the offending attribute is
        /// dropped, which is why the expected output is a bare <c>&lt;a&gt;</c> around the link text.
        /// </summary>
        public virtual void TestCleanJavascriptHref()
        {
            const string payload = "<A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>";

            string cleaned = iText.StyledXmlParser.Jsoup.Jsoup.Clean(payload, Whitelist.Relaxed());

            // Only the attribute is removed; the link text is ordinary content and stays.
            NUnit.Framework.Assert.AreEqual("<a>XSS</a>", cleaned);
        }
        /// <summary>
        /// Elements that are not on the whitelist are removed while their text content is retained:
        /// the unknown <c>custom</c> element (and its attribute) disappears, "Test" stays inside the <c>p</c>.
        /// </summary>
        public virtual void TestDropsUnknownTags()
        {
            const string withUnknownTag = "<p><custom foo=true>Test</custom></p>";

            string cleaned = iText.StyledXmlParser.Jsoup.Jsoup.Clean(withUnknownTag, Whitelist.Relaxed());

            NUnit.Framework.Assert.AreEqual("<p>Test</p>", cleaned);
        }
        /// <summary>
        /// A <c>javascript:</c> URL in an image's <c>src</c> is stripped. The <c>img</c> element itself
        /// is permitted by the relaxed whitelist, so the result is an attribute-less <c>&lt;img&gt;</c>.
        /// </summary>
        public virtual void TestDropImageScript()
        {
            const string payload = "<IMG SRC=\"javascript:alert('XSS')\">";

            string cleaned = iText.StyledXmlParser.Jsoup.Jsoup.Clean(payload, Whitelist.Relaxed());

            NUnit.Framework.Assert.AreEqual("<img>", cleaned);
        }
        /// <summary>
        /// Script elements are removed together with their content, not merely unwrapped:
        /// an external <c>script src</c> followed by an inline script leaves nothing behind.
        /// </summary>
        public virtual void TestDropScript()
        {
            const string payload = "<SCRIPT SRC=//ha.ckers.org/.j><SCRIPT>alert(/XSS/.source)</SCRIPT>";

            string cleaned = iText.StyledXmlParser.Jsoup.Jsoup.Clean(payload, Whitelist.Relaxed());

            // Unlike unknown tags (see TestDropsUnknownTags), script bodies are not kept as text.
            NUnit.Framework.Assert.AreEqual("", cleaned);
        }
        /// <summary>
        /// An XML processing instruction ahead of the markup is discarded; only the
        /// whitelisted <c>p</c> element that follows it is emitted.
        /// </summary>
        public virtual void TestDropXmlProc()
        {
            const string withProcInstr = "<?import namespace=\"xss\"><p>Hello</p>";

            string cleaned = iText.StyledXmlParser.Jsoup.Jsoup.Clean(withProcInstr, Whitelist.Relaxed());

            NUnit.Framework.Assert.AreEqual("<p>Hello</p>", cleaned);
        }
        /// <summary>
        /// HTML comments are not copied into the sanitised output; the surrounding
        /// whitelisted element and its text are unaffected.
        /// </summary>
        public virtual void TestDropComments()
        {
            const string withComment = "<p>Hello<!-- no --></p>";

            string cleaned = iText.StyledXmlParser.Jsoup.Jsoup.Clean(withComment, Whitelist.Relaxed());

            NUnit.Framework.Assert.AreEqual("<p>Hello</p>", cleaned);
        }
        /// <summary>
        /// Structural elements permitted by <c>Whitelist.Relaxed()</c> pass through. The cleaner also
        /// normalises the markup: an implicit <c>tbody</c> is inserted and the unclosed first <c>td</c>
        /// is closed. Newlines introduced by pretty-printing are stripped before comparison.
        /// </summary>
        public virtual void TestRelaxed()
        {
            const string tableMarkup = "<h1>Head</h1><table><tr><td>One<td>Two</td></tr></table>";
            const string expected    = "<h1>Head</h1><table><tbody><tr><td>One</td><td>Two</td></tr></tbody></table>";

            string cleaned = iText.StyledXmlParser.Jsoup.Jsoup.Clean(tableMarkup, Whitelist.Relaxed());

            NUnit.Framework.Assert.AreEqual(expected, TextUtil.StripNewlines(cleaned));
        }
        /// <summary>
        /// The whitelist is authoritative: once <c>script</c> is added to it, <c>IsValid</c> accepts
        /// markup containing an inline script. This documents that the cleaner offers no protection
        /// beyond what the supplied whitelist expresses.
        /// </summary>
        public virtual void TestScriptTagInWhiteList()
        {
            const string markupWithScript = "Hello<script>alert('Doh')</script>World !";

            Whitelist permissive = Whitelist.Relaxed();
            permissive.AddTags("script");

            NUnit.Framework.Assert.IsTrue(iText.StyledXmlParser.Jsoup.Jsoup.IsValid(markupWithScript, permissive));
        }
        /// <summary>
        /// Fragment-only links (<c>href="#..."</c>) are governed by the protocol list. The default
        /// relaxed whitelist strips them; adding <c>#</c> as an allowed protocol for <c>a/href</c>
        /// keeps a well-formed anchor, while an anchor containing spaces is removed either way.
        /// </summary>
        public virtual void TestCleanAnchorProtocol()
        {
            const string validAnchor   = "<a href=\"#valid\">Valid anchor</a>";
            const string invalidAnchor = "<a href=\"#anchor with spaces\">Invalid anchor</a>";

            // Default relaxed whitelist: both hrefs are dropped, only the link text survives.
            string result = iText.StyledXmlParser.Jsoup.Jsoup.Clean(validAnchor, Whitelist.Relaxed());
            NUnit.Framework.Assert.AreEqual("<a>Valid anchor</a>", result);

            result = iText.StyledXmlParser.Jsoup.Jsoup.Clean(invalidAnchor, Whitelist.Relaxed());
            NUnit.Framework.Assert.AreEqual("<a>Invalid anchor</a>", result);

            // Whitelist that allows the '#' protocol on a/href: the well-formed anchor is preserved verbatim.
            Whitelist withAnchors = Whitelist.Relaxed().AddProtocols("a", "href", "#");

            result = iText.StyledXmlParser.Jsoup.Jsoup.Clean(validAnchor, withAnchors);
            NUnit.Framework.Assert.AreEqual(validAnchor, result);

            // A malformed anchor is rejected even when '#' is allowed.
            result = iText.StyledXmlParser.Jsoup.Jsoup.Clean(invalidAnchor, withAnchors);
            NUnit.Framework.Assert.AreEqual("<a>Invalid anchor</a>", result);
        }
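        /// <summary>
        /// Verifies that caller-supplied <c>OutputSettings</c> override the defaults used by
        /// <c>Jsoup.Clean</c>: pretty-printing can be switched off, and the entity escape mode and
        /// charset control how <c>&amp;bernou;</c> is written back out.
        /// </summary>
        public virtual void SupplyOutputSettings()
        {
            const string baseUri = "http://foo.com/";
            const string html    = "<div><p>&bernou;</p></div>";

            // Custom settings: no pretty-printing, extended entity table, ASCII output.
            OutputSettings settings = new OutputSettings();
            settings.PrettyPrint(false);
            settings.EscapeMode(Entities.EscapeMode.extended);
            settings.Charset("ascii");

            string customOut  = iText.StyledXmlParser.Jsoup.Jsoup.Clean(html, baseUri, Whitelist.Relaxed(), settings);
            string defaultOut = iText.StyledXmlParser.Jsoup.Jsoup.Clean(html, baseUri, Whitelist.Relaxed());

            // Compare contents: AreNotSame would only check reference identity, which two
            // independently produced strings satisfy regardless of their text.
            NUnit.Framework.Assert.AreNotEqual(defaultOut, customOut);
            // Extended escape mode with an ASCII charset keeps the named entity.
            NUnit.Framework.Assert.AreEqual("<div><p>&bernou;</p></div>", customOut);
            // Defaults: pretty-printed, and the entity is emitted as the literal character.
            NUnit.Framework.Assert.AreEqual("<div>\n" + " <p>ℬ</p>\n" + "</div>", defaultOut);

            // Switching to the base escape mode: the entity is written as a numeric character reference.
            settings.Charset("ASCII");
            settings.EscapeMode(Entities.EscapeMode.@base);
            string customOut2 = iText.StyledXmlParser.Jsoup.Jsoup.Clean(html, baseUri, Whitelist.Relaxed(), settings);

            NUnit.Framework.Assert.AreEqual("<div><p>&#x212c;</p></div>", customOut2);
        }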