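        /// <summary>
        /// Wires the module into the request pipeline: at <c>BeginRequest</c> a
        /// <see cref="ResponseFilter"/> is installed so the outgoing body can be captured, and at
        /// <c>EndRequest</c> the captured HTML is checked against the request parameters that were
        /// stored under the "Irv.Engine.TaintfulParams" context item earlier in the pipeline.
        /// </summary>
        /// <param name="httpApplication">The application whose request events this module subscribes to.</param>
        /// <exception cref="HttpRequestValidationException">
        /// Thrown from the <c>EndRequest</c> handler when <see cref="HtmlResponseValidator"/> reports that
        /// one of the taintful parameters ends up in the HTML response in a dangerous form.
        /// </exception>
        public void Init(HttpApplication httpApplication)
        {
            httpApplication.BeginRequest += (o, e) =>
            {
                // Wrap the existing filter so the response body is observable again at EndRequest.
                _filter = new ResponseFilter(httpApplication.Response.Filter, httpApplication.Response.ContentEncoding);
                httpApplication.Response.Filter = _filter;
            };

            httpApplication.EndRequest += (o, e) =>
            {
                var response = httpApplication.Context.Response;

                // Only 'text/html' content type of response supported as yet.
                // MIME types are case-insensitive ("Text/HTML; charset=utf-8" is valid), so compare
                // ordinally and ignoring case instead of the culture-sensitive default StartsWith.
                if (response.ContentType == null ||
                    !response.ContentType.StartsWith("text/html", StringComparison.OrdinalIgnoreCase))
                {
                    return;
                }
                // TODO: Add support of 'application/json' and 'text/xml' MIME types

                var items = httpApplication.Context.Items;
                if (!items.Contains("Irv.Engine.TaintfulParams"))
                {
                    // Nothing was marked taintful for this request, so there is nothing to validate.
                    return;
                }

                // Deliberately a hard cast: an item of an unexpected type should fail loudly
                // (InvalidCastException) rather than silently skip the response check.
                var taintfulParams = (List<RequestValidationParam>)items["Irv.Engine.TaintfulParams"];
                var responseText = _filter.Response;

                var xssResponseValidator = new HtmlResponseValidator();
                RequestValidationParam dangerousParam;
                if (xssResponseValidator.IsValidHtmlResponseString(taintfulParams, responseText, out dangerousParam))
                {
                    return;
                }

                // The value is request-derived; only a short sample of it is put into the message.
                var value = dangerousParam.Value;
                var valueSample = value.Length > 15 ? value.Substring(0, 15) : value;
                throw new HttpRequestValidationException(
                    string.Format(
                        _requestValidationErrorMessage, dangerousParam.Source,
                        string.Format("{0}=\"{1}\"...", dangerousParam.CollectionKey, valueSample)));
            };
        }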
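        /// <summary>
        /// Runs one <c>{testName}.testscript</c> file. The lines before the
        /// <c>&lt;!--End-of-template--&gt;</c> marker form a <c>string.Format</c> response template
        /// (blank lines dropped); the lines after it are URL-encoded parameter groups separated by
        /// blank lines. Every group is substituted into the template and the resulting HTML must be
        /// reported as dangerous by <see cref="HtmlResponseValidator"/>, otherwise the test fails.
        /// </summary>
        /// <param name="testName">Base name of the script file, without the <c>.testscript</c> extension.</param>
        private void TestScriptRunner(string testName)
        {
            var scriptLines       = File.ReadAllLines(string.Format("{0}.testscript", testName));
            var templateBuilder   = new StringBuilder();
            var currentScriptLine = 0;

            // Collect the template up to the marker. The bound check avoids indexing past the
            // array when a script is missing the marker; that case is reported as a test failure below.
            while (currentScriptLine < scriptLines.Length &&
                   scriptLines[currentScriptLine] != "<!--End-of-template-->")
            {
                if (scriptLines[currentScriptLine] != string.Empty)
                {
                    templateBuilder.AppendLine(scriptLines[currentScriptLine]);
                }
                currentScriptLine++;
            }
            Assert.IsTrue(currentScriptLine < scriptLines.Length,
                          "Script {0} has no <!--End-of-template--> marker", testName);

            // Skip the marker line itself.
            currentScriptLine++;

            var responseTemplate = templateBuilder.ToString();

            var paramList = new List <string>();

            while (currentScriptLine < scriptLines.Length)
            {
                if (scriptLines[currentScriptLine].Length == 0)
                {
                    // A blank line closes the current parameter group.
                    AssertParamGroupIsDangerous(testName, responseTemplate, paramList);
                    paramList.Clear();
                }
                else
                {
                    paramList.Add(HttpUtility.UrlDecode(scriptLines[currentScriptLine]));
                }
                currentScriptLine++;
            }

            // A script whose last group is not followed by a blank line still has a pending group.
            // Previously it was dropped without being checked, so those cases never ran.
            AssertParamGroupIsDangerous(testName, responseTemplate, paramList);
        }

        /// <summary>
        /// Formats one parameter group into the template and asserts that the validator flags the
        /// resulting HTML as dangerous. An empty group is ignored.
        /// </summary>
        /// <param name="testName">Name of the running script, used in the failure output.</param>
        /// <param name="responseTemplate">The <c>string.Format</c> template collected from the script.</param>
        /// <param name="paramList">Already URL-decoded parameter values of the group.</param>
        private void AssertParamGroupIsDangerous(string testName, string responseTemplate, List<string> paramList)
        {
            if (paramList.Count == 0)
            {
                return;
            }

// ReSharper disable CoVariantArrayConversion
            var responseText = string.Format(responseTemplate, paramList.ToArray());
// ReSharper restore CoVariantArrayConversion

            var validator      = new HtmlResponseValidator();
            var taintfulParams =
                paramList.Select(param => new RequestValidationParam("Irv.Tests", "None", param)).ToList();
            RequestValidationParam dangerousParam;
            var validationResult = validator.IsValidHtmlResponseString(taintfulParams, responseText,
                                                                       out dangerousParam);
            if (validationResult)
            {
                // Log the group before asserting so the failing input is visible in the test output.
                TestContext.WriteLine("Test {0} failed on param(s): {{ {1} }}", testName,
                                      string.Join("} {", paramList));
            }

            Assert.IsFalse(validationResult);
        }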