public void XSSLocatorTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<a href=\"'';!--\"<XSS>=&{()}\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = @"<a href=""'';!--"">=&{()}"></a>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageXSS2Test() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=javascript:alert('XSS')>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<IMG>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public SanitizerService() { this.sanitizer = new HtmlSanitizer(); this.sanitizer.AllowedTags.Clear(); this.sanitizer.AllowedCssProperties.Clear(); }
public ProductDetailsViewModel() { this.sanitizer = new HtmlSanitizer(); this.sanitizer.AllowedTags.Add("iframe"); }
public void RussianTextTest() { // Arrange var s = new HtmlSanitizer(); // Act var htmlFragment = "Тест"; var outputFormatter = new CsQuery.Output.FormatDefault(DomRenderingOptions.RemoveComments | DomRenderingOptions.QuoteAllAttributes, HtmlEncoders.Minimum); var actual = s.Sanitize(htmlFragment, "", outputFormatter); // Assert var expected = htmlFragment; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void DivExpressionXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<DIV STYLE=\"width: expression(alert('XSS'));\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void EmbedTagXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void PWithUrlInStyleXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<p STYLE=\"behavior: url(www.ha.ckers.org);\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert // intentionally keep it failing to get notice when reviewing unit tests so can disucss string expected = "<p></p>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void FrameXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageMultilineInjectedXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = @"<IMG SRC = "" j a v a s c r i p t : a l e r t ( ' X S S ' ) "" > "; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>\n"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageDoubleOpenAngleBracketXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<image src=http://ha.ckers.org/scriptlet.html <"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
private void CustomServices(IServiceCollection services) { services.AddSingleton <FFmpegPlaybackSettingsCalculator>(); services.AddSingleton <IPlexSecretStore, PlexSecretStore>(); services.AddSingleton <IPlexTvApiClient, PlexTvApiClient>(); // TODO: does this need to be singleton? services.AddSingleton <ITraktApiClient, TraktApiClient>(); services.AddSingleton <IEntityLocker, EntityLocker>(); services.AddSingleton <ISearchIndex, SearchIndex>(); services.AddSingleton <IFFmpegSegmenterService, FFmpegSegmenterService>(); services.AddSingleton <ITempFilePool, TempFilePool>(); services.AddSingleton <IHlsPlaylistFilter, HlsPlaylistFilter>(); AddChannel <IBackgroundServiceRequest>(services); AddChannel <IPlexBackgroundServiceRequest>(services); AddChannel <IJellyfinBackgroundServiceRequest>(services); AddChannel <IEmbyBackgroundServiceRequest>(services); AddChannel <IFFmpegWorkerRequest>(services); AddChannel <ISubtitleWorkerRequest>(services); services.AddScoped <IFFmpegVersionHealthCheck, FFmpegVersionHealthCheck>(); services.AddScoped <IFFmpegReportsHealthCheck, FFmpegReportsHealthCheck>(); services.AddScoped <IHardwareAccelerationHealthCheck, HardwareAccelerationHealthCheck>(); services.AddScoped <IMovieMetadataHealthCheck, MovieMetadataHealthCheck>(); services.AddScoped <IEpisodeMetadataHealthCheck, EpisodeMetadataHealthCheck>(); services.AddScoped <IZeroDurationHealthCheck, ZeroDurationHealthCheck>(); services.AddScoped <IFileNotFoundHealthCheck, FileNotFoundHealthCheck>(); services.AddScoped <IUnavailableHealthCheck, UnavailableHealthCheck>(); services.AddScoped <IVaapiDriverHealthCheck, VaapiDriverHealthCheck>(); services.AddScoped <IErrorReportsHealthCheck, ErrorReportsHealthCheck>(); services.AddScoped <IHealthCheckService, HealthCheckService>(); services.AddScoped <IChannelRepository, ChannelRepository>(); services.AddScoped <IFFmpegProfileRepository, FFmpegProfileRepository>(); services.AddScoped <IMediaSourceRepository, MediaSourceRepository>(); services.AddScoped <IMediaItemRepository, MediaItemRepository>(); services.AddScoped <IMediaCollectionRepository, MediaCollectionRepository>(); services.AddScoped <IConfigElementRepository, ConfigElementRepository>(); services.AddScoped <ITelevisionRepository, TelevisionRepository>(); services.AddScoped <ISearchRepository, SearchRepository>(); services.AddScoped <IMovieRepository, MovieRepository>(); services.AddScoped <IArtistRepository, ArtistRepository>(); services.AddScoped <IMusicVideoRepository, MusicVideoRepository>(); services.AddScoped <IOtherVideoRepository, OtherVideoRepository>(); services.AddScoped <ISongRepository, SongRepository>(); services.AddScoped <ILibraryRepository, LibraryRepository>(); services.AddScoped <IMetadataRepository, MetadataRepository>(); services.AddScoped <IArtworkRepository, ArtworkRepository>(); services.AddScoped <IFFmpegLocator, FFmpegLocator>(); services.AddScoped <ILocalMetadataProvider, LocalMetadataProvider>(); services.AddScoped <IFallbackMetadataProvider, FallbackMetadataProvider>(); services.AddScoped <ILocalStatisticsProvider, LocalStatisticsProvider>(); services.AddScoped <ILocalSubtitlesProvider, LocalSubtitlesProvider>(); services.AddScoped <IPlayoutBuilder, PlayoutBuilder>(); services.AddScoped <IImageCache, ImageCache>(); services.AddScoped <ILocalFileSystem, LocalFileSystem>(); services.AddScoped <IMovieFolderScanner, MovieFolderScanner>(); services.AddScoped <ITelevisionFolderScanner, TelevisionFolderScanner>(); services.AddScoped <IMusicVideoFolderScanner, MusicVideoFolderScanner>(); services.AddScoped <IOtherVideoFolderScanner, OtherVideoFolderScanner>(); services.AddScoped <ISongFolderScanner, SongFolderScanner>(); services.AddScoped <IPlexMovieLibraryScanner, PlexMovieLibraryScanner>(); services.AddScoped <IPlexTelevisionLibraryScanner, PlexTelevisionLibraryScanner>(); services.AddScoped <IPlexServerApiClient, PlexServerApiClient>(); services.AddScoped <IPlexMovieRepository, PlexMovieRepository>(); services.AddScoped <IPlexTelevisionRepository, PlexTelevisionRepository>(); services.AddScoped <IJellyfinMovieLibraryScanner, JellyfinMovieLibraryScanner>(); services.AddScoped <IJellyfinTelevisionLibraryScanner, JellyfinTelevisionLibraryScanner>(); services.AddScoped <IJellyfinCollectionScanner, JellyfinCollectionScanner>(); services.AddScoped <IJellyfinApiClient, JellyfinApiClient>(); services.AddScoped <IJellyfinPathReplacementService, JellyfinPathReplacementService>(); services.AddScoped <IJellyfinTelevisionRepository, JellyfinTelevisionRepository>(); services.AddScoped <IJellyfinCollectionRepository, JellyfinCollectionRepository>(); services.AddScoped <IJellyfinMovieRepository, JellyfinMovieRepository>(); services.AddScoped <IEmbyApiClient, EmbyApiClient>(); services.AddScoped <IEmbyMovieLibraryScanner, EmbyMovieLibraryScanner>(); services.AddScoped <IEmbyTelevisionLibraryScanner, EmbyTelevisionLibraryScanner>(); services.AddScoped <IEmbyCollectionScanner, EmbyCollectionScanner>(); services.AddScoped <IEmbyPathReplacementService, EmbyPathReplacementService>(); services.AddScoped <IEmbyTelevisionRepository, EmbyTelevisionRepository>(); services.AddScoped <IEmbyCollectionRepository, EmbyCollectionRepository>(); services.AddScoped <IEmbyMovieRepository, EmbyMovieRepository>(); services.AddScoped <IRuntimeInfo, RuntimeInfo>(); services.AddScoped <IPlexPathReplacementService, PlexPathReplacementService>(); services.AddScoped <IFFmpegStreamSelector, FFmpegStreamSelector>(); services.AddScoped <IFFmpegProcessService, FFmpegLibraryProcessService>(); services.AddScoped <FFmpegProcessService>(); services.AddScoped <ISongVideoGenerator, SongVideoGenerator>(); services.AddScoped <HlsSessionWorker>(); services.AddScoped <IGitHubApiClient, GitHubApiClient>(); services.AddScoped <IHtmlSanitizer, HtmlSanitizer>( _ => { var sanitizer = new HtmlSanitizer(); sanitizer.AllowedAttributes.Add("class"); return(sanitizer); }); services.AddScoped <IJellyfinSecretStore, JellyfinSecretStore>(); services.AddScoped <IEmbySecretStore, EmbySecretStore>(); services.AddScoped <IEpisodeNfoReader, EpisodeNfoReader>(); // services.AddTransient(typeof(IRequestHandler<,>), typeof(GetRecentLogEntriesHandler<>)); services.AddHostedService <EndpointValidatorService>(); services.AddHostedService <DatabaseMigratorService>(); services.AddHostedService <CacheCleanerService>(); services.AddHostedService <ResourceExtractorService>(); services.AddHostedService <PlatformSettingsService>(); services.AddHostedService <EmbyService>(); services.AddHostedService <JellyfinService>(); services.AddHostedService <PlexService>(); services.AddHostedService <FFmpegLocatorService>(); services.AddHostedService <WorkerService>(); services.AddHostedService <SchedulerService>(); services.AddHostedService <FFmpegWorkerService>(); services.AddHostedService <SubtitleWorkerService>(); }
private static void FlattenTag(this HtmlSanitizer htmlSanitizer, string tagName) { htmlSanitizer.Tag(tagName).Operation(SanitizerOperation.FlattenTag); }
public void TestHtmlSanitize() { var html = @" <html> <head> this element will be removed </head> <body onload='hack_my_website()'> <script src='Blahblahblah'></script> <link rel='stylesheet' href=Blahblahblah' type='text/css' /> <div src='javascript:script()'> <input onclick='stuff()'></input> <img src='src path'> </div> <div> some text script some text </div> <div class='expression'> <span> <p>some text</p> <textarea>some text</textarea> </span> </div> <table class='table'> <thead> <th></th> </thead> <tbody> <tr> <td></td> </tr> </tbody> <tfoot></tfoot> </table> <p class=MsoNormal><a name='_MailEndCompose'><o:p> </o:p></a></p> <span style='mso-bookmark:_MailEndCompose'></span> <div style ='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm'></div> </body> </html>"; var expectedResult = @" <html> <body> <div> <input> <img src='src path'> </div> <div> </div> <div> <span> <p>some text</p> <textarea>some text</textarea> </span> </div> <table class='table'> <thead> <th></th> </thead> <tbody> <tr> <td></td> </tr> </tbody> <tfoot></tfoot> </table> <p class='MsoNormal'><a name='_MailEndCompose'></a></p> <span style='mso-bookmark:_MailEndCompose'></span> <div style ='border:none;border-top:solid #E1E1E1 1.0pt;padding:3.0pt 0cm 0cm'></div> </body> </html>"; var sanitize = new HtmlSanitizer(); var result = sanitize.Sanitize(html); result = result.Replace("\r", "").Replace("\n", "").Replace("\t", "").Replace("\"", "'").Replace(" ", ""); expectedResult = expectedResult.Replace("\r", "").Replace("\n", "").Replace("\t", "").Replace("\"", "'").Replace(" ", ""); Assert.True(result == expectedResult); }
public static string CleanHtml(string html) { var sanitizer = new HtmlSanitizer(); return(sanitizer.Sanitize(html)); }
public override void Compose(Composition composition) { base.Compose(composition); composition.Register <UmbracoInjectedModule>(); composition.RegisterUnique <IHttpContextAccessor, AspNetHttpContextAccessor>(); // required for hybrid accessors composition.ComposeWebMappingProfiles(); //register the install components //NOTE: i tried to not have these registered if we weren't installing or upgrading but post install when the site restarts //it still needs to use the install controller so we can't do that composition.ComposeInstaller(); // register membership stuff composition.Register(factory => Core.Security.MembershipProviderExtensions.GetMembersMembershipProvider()); composition.Register(factory => Roles.Enabled ? Roles.Provider : new MembersRoleProvider(factory.GetInstance <IMemberService>())); composition.Register <MembershipHelper>(Lifetime.Request); composition.Register <IPublishedMemberCache>(factory => factory.GetInstance <UmbracoContext>().PublishedSnapshot.Members); // register accessors for cultures composition.RegisterUnique <IDefaultCultureAccessor, DefaultCultureAccessor>(); composition.RegisterUnique <IVariationContextAccessor, HybridVariationContextAccessor>(); // register the http context and umbraco context accessors // we *should* use the HttpContextUmbracoContextAccessor, however there are cases when // we have no http context, eg when booting Umbraco or in background threads, so instead // let's use an hybrid accessor that can fall back to a ThreadStatic context. composition.RegisterUnique <IUmbracoContextAccessor, HybridUmbracoContextAccessor>(); // register the umbraco context factory composition.RegisterUnique <IUmbracoContextFactory, UmbracoContextFactory>(); // register a per-request HttpContextBase object // is per-request so only one wrapper is created per request composition.Register <HttpContextBase>(factory => new HttpContextWrapper(factory.GetInstance <IHttpContextAccessor>().HttpContext), Lifetime.Request); // register the published snapshot accessor - the "current" published snapshot is in the umbraco context composition.RegisterUnique <IPublishedSnapshotAccessor, UmbracoContextPublishedSnapshotAccessor>(); // we should stop injecting UmbracoContext and always inject IUmbracoContextAccessor, however at the moment // there are tons of places (controllers...) which require UmbracoContext in their ctor - so let's register // a way to inject the UmbracoContext - DO NOT register this as Lifetime.Request since LI will dispose the context // in it's own way but we don't want that to happen, we manage its lifetime ourselves. composition.Register(factory => factory.GetInstance <IUmbracoContextAccessor>().UmbracoContext); composition.RegisterUnique <IUmbracoTreeSearcherFields, UmbracoTreeSearcherFields>(); composition.Register <IPublishedContentQuery>(factory => { var umbCtx = factory.GetInstance <IUmbracoContextAccessor>(); return(new PublishedContentQuery(umbCtx.UmbracoContext.PublishedSnapshot, factory.GetInstance <IVariationContextAccessor>())); }, Lifetime.Request); composition.Register <ITagQuery, TagQuery>(Lifetime.Request); composition.RegisterUnique <ITemplateRenderer, TemplateRenderer>(); composition.RegisterUnique <IMacroRenderer, MacroRenderer>(); composition.RegisterUnique <IUmbracoComponentRenderer, UmbracoComponentRenderer>(); composition.RegisterUnique <HtmlLocalLinkParser>(); composition.RegisterUnique <HtmlUrlParser>(); composition.RegisterUnique <HtmlImageSourceParser>(); composition.RegisterUnique <RichTextEditorPastedImages>(); composition.RegisterUnique <PropertyEditors.ValueConverters.BlockEditorConverter>(); // register the umbraco helper - this is Transient! very important! // also, if not level.Run, we cannot really use the helper (during upgrade...) // so inject a "void" helper (not exactly pretty but...) if (composition.RuntimeState.Level == RuntimeLevel.Run) { composition.Register <UmbracoHelper>(factory => { var umbCtx = factory.GetInstance <UmbracoContext>(); return(new UmbracoHelper(umbCtx.IsFrontEndUmbracoRequest ? umbCtx.PublishedRequest?.PublishedContent : null, factory.GetInstance <ITagQuery>(), factory.GetInstance <ICultureDictionaryFactory>(), factory.GetInstance <IUmbracoComponentRenderer>(), factory.GetInstance <IPublishedContentQuery>(), factory.GetInstance <MembershipHelper>())); }); } else { composition.Register(_ => new UmbracoHelper()); } // register distributed cache composition.RegisterUnique(f => new DistributedCache()); composition.RegisterUnique <RoutableDocumentFilter>(); // replace some services composition.RegisterUnique <IEventMessagesFactory, DefaultEventMessagesFactory>(); composition.RegisterUnique <IEventMessagesAccessor, HybridEventMessagesAccessor>(); composition.RegisterUnique <ITreeService, TreeService>(); composition.RegisterUnique <ISectionService, SectionService>(); composition.RegisterUnique <IDashboardService, DashboardService>(); composition.RegisterUnique <IIconService, IconService>(); composition.Register <IHtmlSanitizer>(_ => { var sanitizer = new HtmlSanitizer(); sanitizer.AllowedAttributes.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes); sanitizer.AllowedCssProperties.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Attributes); sanitizer.AllowedTags.UnionWith(Umbraco.Core.Constants.SvgSanitizer.Tags); return(sanitizer); }, Lifetime.Singleton); composition.RegisterUnique <IExamineManager>(factory => ExamineManager.Instance); // configure the container for web composition.ConfigureForWeb(); composition .ComposeUmbracoControllers(GetType().Assembly) .SetDefaultRenderMvcController <RenderMvcController>(); // default controller for template views composition.SearchableTrees() .Add(() => composition.TypeLoader.GetTypes <ISearchableTree>()); composition.Register <UmbracoTreeSearcher>(Lifetime.Request); composition.EditorValidators() .Add(() => composition.TypeLoader.GetTypes <IEditorValidator>()); composition.TourFilters(); composition.RegisterUnique <UmbracoFeatures>(); composition.Actions() .Add(() => composition.TypeLoader.GetTypes <IAction>()); //we need to eagerly scan controller types since they will need to be routed composition.WithCollectionBuilder <SurfaceControllerTypeCollectionBuilder>() .Add(composition.TypeLoader.GetSurfaceControllers()); var umbracoApiControllerTypes = composition.TypeLoader.GetUmbracoApiControllers().ToList(); composition.WithCollectionBuilder <UmbracoApiControllerTypeCollectionBuilder>() .Add(umbracoApiControllerTypes); // both TinyMceValueConverter (in Core) and RteMacroRenderingValueConverter (in Web) will be // discovered when CoreBootManager configures the converters. We HAVE to remove one of them // here because there cannot be two converters for one property editor - and we want the full // RteMacroRenderingValueConverter that converts macros, etc. So remove TinyMceValueConverter. // (the limited one, defined in Core, is there for tests) - same for others composition.PropertyValueConverters() .Remove <TinyMceValueConverter>() .Remove <TextStringValueConverter>() .Remove <MarkdownEditorValueConverter>(); // add all known factories, devs can then modify this list on application // startup either by binding to events or in their own global.asax composition.FilteredControllerFactory() .Append <RenderControllerFactory>(); composition.UrlProviders() .Append <AliasUrlProvider>() .Append <DefaultUrlProvider>(); composition.MediaUrlProviders() .Append <DefaultMediaUrlProvider>(); composition.RegisterUnique <IImageUrlGenerator, ImageProcessorImageUrlGenerator>(); composition.RegisterUnique <IContentLastChanceFinder, ContentFinderByConfigured404>(); composition.ContentFinders() // all built-in finders in the correct order, // devs can then modify this list on application startup .Append <ContentFinderByPageIdQuery>() .Append <ContentFinderByUrl>() .Append <ContentFinderByIdPath>() //.Append<ContentFinderByUrlAndTemplate>() // disabled, this is an odd finder .Append <ContentFinderByUrlAlias>(); //only append ContentFinderByRedirectUrl if RedirectUrlTracking is not disabled if (composition.Configs.Settings().WebRouting.DisableRedirectUrlTracking == false) { composition.ContentFinders().Append <ContentFinderByRedirectUrl>(); } composition.RegisterUnique <ISiteDomainHelper, SiteDomainHelper>(); composition.RegisterUnique <ICultureDictionaryFactory, DefaultCultureDictionaryFactory>(); // register *all* checks, except those marked [HideFromTypeFinder] of course composition.HealthChecks() .Add(() => composition.TypeLoader.GetTypes <HealthCheck.HealthCheck>()); composition.WithCollectionBuilder <HealthCheckNotificationMethodCollectionBuilder>() .Add(() => composition.TypeLoader.GetTypes <HealthCheck.NotificationMethods.IHealthCheckNotificationMethod>()); // auto-register views composition.RegisterAuto(typeof(UmbracoViewPage <>)); // register published router composition.RegisterUnique <IPublishedRouter, PublishedRouter>(); composition.Register(_ => Current.Configs.Settings().WebRouting); // register preview SignalR hub composition.RegisterUnique(_ => GlobalHost.ConnectionManager.GetHubContext <PreviewHub>()); // register properties fallback composition.RegisterUnique <IPublishedValueFallback, PublishedValueFallback>(); // register known content apps composition.ContentApps() .Append <ListViewContentAppFactory>() .Append <ContentEditorContentAppFactory>() .Append <ContentInfoContentAppFactory>() .Append <ContentTypeDesignContentAppFactory>() .Append <ContentTypeListViewContentAppFactory>() .Append <ContentTypePermissionsContentAppFactory>() .Append <ContentTypeTemplatesContentAppFactory>(); // register back office sections in the order we want them rendered composition.Sections() .Append <ContentSection>() .Append <MediaSection>() .Append <SettingsSection>() .Append <PackagesSection>() .Append <UsersSection>() .Append <MembersSection>() .Append <FormsSection>() .Append <TranslationSection>(); // register core CMS dashboards and 3rd party types - will be ordered by weight attribute & merged with package.manifest dashboards composition.Dashboards() .Add(composition.TypeLoader.GetTypes <IDashboard>()); // register back office trees // the collection builder only accepts types inheriting from TreeControllerBase // and will filter out those that are not attributed with TreeAttribute composition.Trees() .AddTreeControllers(umbracoApiControllerTypes.Where(x => typeof(TreeControllerBase).IsAssignableFrom(x))); // register OEmbed providers - no type scanning - all explicit opt-in of adding types // note: IEmbedProvider is not IDiscoverable - think about it if going for type scanning composition.OEmbedProviders() .Append <YouTube>() .Append <Twitter>() .Append <Vimeo>() .Append <DailyMotion>() .Append <Flickr>() .Append <Slideshare>() .Append <Kickstarter>() .Append <GettyImages>() .Append <Ted>() .Append <Soundcloud>() .Append <Issuu>() .Append <Hulu>() .Append <Giphy>(); // replace with web implementation composition.RegisterUnique <IPublishedSnapshotRebuilder, Migrations.PostMigrations.PublishedSnapshotRebuilder>(); }
public void Sanitize(HtmlSanitizer sanitizer) { Email = sanitizer.Sanitize(Email); Password = sanitizer.Sanitize(Password); }
public static HtmlString Sanitize(this string html) { // Run it through Markdown first var md = new Markdown(); html = md.Transform(html); // Add links to URLs that aren't "properly" linked in a markdown way var regex = new Regex(@"(^|\s|>|;)(https?|ftp)(:\/\/[-A-Z0-9+&@#\/%?=~_|\[\]\(\)!:,\.;]*[-A-Z0-9+&@#\/%=~_|\[\]])($|\W)", RegexOptions.IgnoreCase | RegexOptions.Compiled); var linkedHtml = regex.Replace(html, "$1<a href=\"$2$3\">$2$3</a>$4").Replace("href=\"www", "href=\"http://www"); var scriptRegex = new Regex("<script.*?</script>", RegexOptions.Singleline | RegexOptions.IgnoreCase); var scriptRegexMatches = scriptRegex.Matches(linkedHtml); for (var i = 0; i < scriptRegexMatches.Count; i++) { linkedHtml = linkedHtml.Replace(scriptRegexMatches[i].Value, $"<pre>{HttpContext.Current.Server.HtmlEncode(scriptRegexMatches[i].Value)}</pre>"); } html = linkedHtml; // Linkify images if they are shown as resized versions (only relevant for new Markdown comments) var doc = new HtmlDocument(); doc.LoadHtml(html); var root = doc.DocumentNode; if (root != null) { var images = root.SelectNodes("//img"); if (images != null) { foreach (var image in images) { var src = image.GetAttributeValue("src", ""); var orgSrc = src.Replace("rs/", ""); if (src == orgSrc || image.ParentNode.Name == "a") { continue; } var a = doc.CreateElement("a"); a.SetAttributeValue("href", orgSrc); a.SetAttributeValue("target", "_blank"); a.AppendChild(image.Clone()); image.ParentNode.ReplaceChild(a, image); } } // Any links not going to an "approved" domain need to be marked as nofollow var links = root.SelectNodes("//a"); if (links != null) { foreach (var link in links) { if (link.Attributes["href"] != null && (SpamChecker.CountValidLinks(link.Attributes["href"].Value, 0) == 0)) { if (link.Attributes["rel"] != null) { link.Attributes.Remove("rel"); } link.Attributes.Add("rel", "noopener"); } } } // Remove styles from all elements var elementsWithStyleAttribute = root.SelectNodes("//@style"); if (elementsWithStyleAttribute != null) { foreach (var element in elementsWithStyleAttribute) { element.Attributes.Remove("style"); } } using (var writer = new StringWriter()) { doc.Save(writer); html = writer.ToString(); } } var sanitizer = new HtmlSanitizer(); var sanitized = sanitizer.Sanitize(html); return(new HtmlString(sanitized)); }
public void ImageNullBreaksUpXSSTest2() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public QuestionHandler(Database database, MarkdownPipeline markdownPipeline, NotificationBuilder notificationBuilder, HtmlSanitizer htmlSanitizer) { this.database = database; this.markdownPipeline = markdownPipeline; this.notificationBuilder = notificationBuilder; sanitizer = htmlSanitizer; }
public void ImageInputXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<input type=\"image\">"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public static string SanitizeDoc(this HtmlSanitizer htmlSanitizer, IHtmlDocument doc) { return(doc.Body.ChildNodes.ToHtml(Sanitizer.OutputFormatter)); }
public Sanitizer(SanitizerOptions options) { this.options = options; htmlSanitizer = new HtmlSanitizer(); ConfigureHtmlSanitizer(); }
public CommentViewModel() { this.sanitizer = new HtmlSanitizer(); }
public void DivBackgroundImageWithUnicodedXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = @"<DIV STYLE=""background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0027\0058\0053\0053\0027\0029'\0029"">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public HtmlSanitizerActionFilterImpl(HtmlSanitizer htmlSanitizer) { _htmlSanitizer = htmlSanitizer; }
public void AnchorTagStyleExpressionXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "exp/*<a></a>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public BlogsController(BlogsContext blogsContext) { _blogsContext = blogsContext; _htmlSanitizer = new HtmlSanitizer(); }
public void XmlNamespaceXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<HTML xmlns:xss> <?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"> <xss:xss>XSS</xss:xss></HTML>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public static string SanitizeHtmlInString(string source) { StringCollection sc = new StringCollection(); string temp = source; // get rid of unnecessary tag spans (comments and title) sc.Add(@"<!--(w|W)+?-->"); sc.Add(@"<title>(w|W)+?</title>"); // Get rid of classes and styles sc.Add(@"s?class=w+"); sc.Add(@"s+style='[^']+'"); // Get rid of unnecessary tags sc.Add(@"<(meta|link|/?o:|/?style|/?std|/?head|/?html|body|/?body)[^>]*?>"); // Get rid of empty paragraph tags sc.Add(@"(<[^>]+>)+ (</w+>)+"); // remove bizarre v: element attached to <img> tag sc.Add(@"s+v:w+=""[^""]+"""); // remove extra lines sc.Add(@"(nr){2,}"); foreach (string s in sc) { source = Regex.Replace(source, s, "", RegexOptions.IgnoreCase); } if (String.IsNullOrWhiteSpace(source)) { Logging.LogError("Following string could not be stripped of Word HTML: " + temp); return("Invalid HTML in Source String"); } var sanitizer = new HtmlSanitizer(); sanitizer.Tag("h1").RemoveEmpty(); sanitizer.Tag("h2").RemoveEmpty(); sanitizer.Tag("h3").RemoveEmpty(); sanitizer.Tag("h4").RemoveEmpty(); sanitizer.Tag("h5").RemoveEmpty(); sanitizer.Tag("strong").RemoveEmpty(); sanitizer.Tag("b").Rename("strong").RemoveEmpty(); sanitizer.Tag("i").RemoveEmpty(); sanitizer.Tag("em"); sanitizer.Tag("br"); sanitizer.Tag("p").RemoveEmpty(); sanitizer.Tag("div").NoAttributes(SanitizerOperation.FlattenTag); sanitizer.Tag("span").RemoveEmpty(); sanitizer.Tag("ul"); sanitizer.Tag("ol"); sanitizer.Tag("li"); sanitizer.Tag("a").SetAttribute("rel", "nofollow") .CheckAttribute("href", HtmlSanitizerCheckType.Url) .RemoveEmpty(); string cleanHtml = sanitizer.Sanitize(source); if (!String.IsNullOrWhiteSpace(cleanHtml)) { return(cleanHtml.Trim()); } //Logging.LogError("Following string could not be sanitized: " + source); return("Invalid HTML in Source String"); }
public void AutoLinkTest() { var sanitizer = new HtmlSanitizer(); var autolink = new AutoLink(); sanitizer.PostProcessNode += (s, e) => { var text = e.Node as IDomText; if (text != null) { var autolinked = autolink.Link(text.NodeValue); if (autolinked != text.NodeValue) foreach (var node in CQ.Create(autolinked)) e.ReplacementNodes.Add(node); } }; var html = @"<div>Click here: http://example.com/.</div>"; Assert.That(sanitizer.Sanitize(html), Is.EqualTo(@"<div>Click here: <a href=""http://example.com/"">http://example.com/</a>.</div>").IgnoreCase); Assert.That(sanitizer.Sanitize("Check out www.google.com."), Is.EqualTo(@"Check out <a href=""http://www.google.com"">www.google.com</a>.").IgnoreCase); }
public string SanitizeHTML(string html) { HtmlSanitizer htmlSanitizer = new HtmlSanitizer(); return(htmlSanitizer.Sanitize(html)); }
public void ImageHexEncodeXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=javascript:alert('XSS')>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public ReceptiController(IReceptRepo receptRepo, IHostingEnvironment hostingEnvironment) { _receptRepo = receptRepo; _hostingEnvironment = hostingEnvironment; _htmlSanitizer = new HtmlSanitizer(); }
public void ImageEmbeddedCarriageReturnXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=\"jav
ascript:alert('XSS');\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public HtmlSanitizerService(HtmlSanitizer htmlSanitizer) { this.htmlSanitizer = htmlSanitizer; }
public void ImageNullBreaksUpXSSTest1() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=java\0script:alert(\"XSS\")>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public List <string> GenerateCodeList(bool extractfiles, Dictionary <string, List <string> > checkClassNamesDic, string path, LanguageEnum lan, LanAttributes prop, string namespaceMapping) { StringBuilder codeBuilder = new StringBuilder(); List <string> codeList = new List <string>(); //goes for lan c# and java StringBuilder cSharpUsings = new StringBuilder() { Capacity = 0, Length = 0 }; cSharpUsings.AppendLine("using System;"); cSharpUsings.AppendLine("using System.Collections.Generic;"); StringBuilder javaUsings = new StringBuilder() { Capacity = 0, Length = 0 }; javaUsings.AppendLine("import java.util.Date;"); javaUsings.AppendLine("import java.util.ArrayList;"); ///Meaning that we have chosen Datacontracts and DataMembers switch (prop) { case LanAttributes.None: break; case LanAttributes.DataContract: cSharpUsings.AppendLine("using System.Runtime.Serialization;"); break; case LanAttributes.Json: cSharpUsings.AppendLine("using Newtonsoft.Json;"); break; } string lanClassDef = string.Empty; string lanbracesStart = string.Empty; string lanBrracesEnd = string.Empty; switch (lan) { case LanguageEnum.CSharp: //using for C# class lanClassDef = " public class"; lanbracesStart = " {"; lanBrracesEnd = " }"; break; case LanguageEnum.PHP: //using for PHP class lanClassDef = " class"; lanbracesStart = " {"; lanBrracesEnd = " }"; break; case LanguageEnum.Java: //using for jAVA class lanClassDef = " public class"; lanbracesStart = " {"; lanBrracesEnd = " }"; break; } foreach (KeyValuePair <string, List <string> > codeClassItem in checkClassNamesDic) { switch (lan) { case LanguageEnum.CSharp: //using for C# class codeBuilder.AppendLine(cSharpUsings.ToString()); break; case LanguageEnum.PHP: break; case LanguageEnum.Java: //using for jAVA class codeBuilder.AppendLine(javaUsings.ToString()); break; } switch (lan) { case LanguageEnum.CSharp: //using for C# class if (!string.IsNullOrEmpty(namespaceMapping)) { codeBuilder.AppendLine("namespace " + namespaceMapping + "\n{"); } break; case LanguageEnum.PHP: break; case LanguageEnum.Java: if (!string.IsNullOrEmpty(namespaceMapping)) { codeBuilder.AppendLine("package " + namespaceMapping + ";"); } break; } switch (prop) { case LanAttributes.None: break; case LanAttributes.DataContract: codeBuilder.AppendLine(" [DataContract]"); break; case LanAttributes.Json: break; } codeBuilder.AppendLine(lanClassDef + " " + codeClassItem.Key); codeBuilder.AppendLine(lanbracesStart); codeClassItem.Value.ForEach(delegate(string props) { codeBuilder.AppendLine(" " + props); }); codeBuilder.AppendLine(lanBrracesEnd); switch (lan) { case LanguageEnum.CSharp: //using for C# class if (!string.IsNullOrEmpty(namespaceMapping)) { codeBuilder.AppendLine("\n}"); } break; } var sanitizer = new HtmlSanitizer(); var sanitized = sanitizer.Sanitize(codeBuilder.ToString()); codeList.Add(sanitized); //we need the class to get it from angularjs in the filter and represent it in the accordian codeBuilder.Length = 0; codeBuilder.Capacity = 0; if (extractfiles) { if (!Directory.Exists(path)) { Directory.CreateDirectory(path); } using (TextWriter writer = File.CreateText(path + @"\" + codeClassItem.Key)) { writer.Write(codeBuilder); codeBuilder.Length = 0; } } } return(codeList); }
public void ImageSpaceAndMetaCharXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=\"  javascript:alert('XSS');\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void TestForStyleTagWithEmptyValue() { const string html = "<html><head></head><body><style><!-- #some-id div.SomeSection {} --></style><div id=\"some-id\"><div class=\"SomeSection\">text</div></div></body></html>"; HtmlSanitizer.Sanitize(html, false); }
public void DivJavascriptEscapingXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<div style=\"\";alert('XSS');//\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public AppsHelper(ApplicationDbContextFactory contextFactory, CurrencyNameTable currencies, RateFetcher rateFetcher, HtmlSanitizer htmlSanitizer) { _ContextFactory = contextFactory; _Currencies = currencies; _RateFetcher = rateFetcher; _HtmlSanitizer = htmlSanitizer; }
public void BRJavascriptIncludeXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<BR SIZE=\"&{alert('XSS')}\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<BR>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
/// <summary> /// Configure the renderer and sanitizer /// </summary> public MarkdownRenderer() { LoaderContext.RegisterSingletonInstance(this); m_mdpipeline = new MarkdownPipelineBuilder().Build(); m_sanitizer = new HtmlSanitizer(); }
public void ImageWithVBScriptXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC='vbscript:msgbox(\"XSS\")'>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void Sanitize(HtmlSanitizer sanitizer) { Email = sanitizer.Sanitize(Email); }
public void ImageWithLivescriptXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=\"Livescript:[code]\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public ScrapedObj GetUrls(ScrapeRequest model) { // ScrapingBrowser Browser = new ScrapingBrowser(); // Browser.AllowAutoRedirect = true; // Browser has settings you can access in setup // Browser.AllowMetaRedirect = true; // WebPage PageResult = Browser.NavigateToPage(new Uri(model.Website)); // ScrapeRequest model var webClient = new WebClient(); var htmlString = webClient.DownloadString(model.Website); //sanitize the downloaded html String var sanitizer = new HtmlSanitizer(); string sanitizedString = sanitizer.Sanitize(htmlString, model.Website, null); var htmlDocument = new HtmlDocument(); htmlDocument.LoadHtml(sanitizedString); var htmlBody = htmlDocument.DocumentNode.SelectSingleNode("//body"); string rx2 = @"[^.?!]*(?<=[.?\s!])" + model.SearchingFor + @"(?=[\s.?!])[^.?!]*[.?!]"; List <string> matches3 = new List <string>(); List <string> matches4 = new List <string>(); try{ foreach (Match match3 in Regex.Matches(htmlBody.InnerText, rx2, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(5))) { matches3.Add(Regex.Replace(match3.Value, @"[^\w\s\.?,!@-]", "", RegexOptions.None, TimeSpan.FromSeconds(.5))); } foreach (Match match4 in Regex.Matches(htmlBody.InnerHtml, rx2, RegexOptions.IgnoreCase, TimeSpan.FromSeconds(5))) { //matches4.Add(match4.Value); matches4.Add(Regex.Replace(match4.Value, @"[^\w\s\.?,!@-]", "", RegexOptions.None, TimeSpan.FromSeconds(.5))); } } catch (RegexMatchTimeoutException) { } ScrapedObj sO = new ScrapedObj(); sO.ScrappedThing = matches3; //dumbHrefs List <string> listOfHrefs = new List <string>(); // //Match m; string HRefPattern = "href\\s*=\\s*(?:[\"'](?<1>[^\"']*)[\"']|(?<1>\\S+))"; try { foreach (Match href in Regex.Matches(htmlBody.InnerHtml, HRefPattern, RegexOptions.IgnoreCase | RegexOptions.Compiled, TimeSpan.FromSeconds(1))) { listOfHrefs.Add(href.Value); } } catch (RegexMatchTimeoutException) { } Console.Beep(); // SpeechSynthesizer synth = new SpeechSynthesizer(); // // Configure the audio output. // synth.SetOutputToDefaultAudioDevice(); // // Speak a string. // synth.Speak("This example demonstrates a basic use of Speech Synthesizer"); // Install-Package ScrapySharp using ScrapySharp.Network; using HtmlAgilityPack; using ScrapySharp.Extensions // dotnet add package ScrapySharp --version 3.0.0 Console.Beep(659, 125); Console.Beep(659, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(167); Console.Beep(523, 125); Console.Beep(659, 125); Thread.Sleep(125); Console.Beep(784, 125); Thread.Sleep(375); Console.Beep(392, 125); Thread.Sleep(375); Console.Beep(523, 125); Thread.Sleep(250); Console.Beep(392, 125); Thread.Sleep(250); Console.Beep(330, 125); Thread.Sleep(250); Console.Beep(440, 125); Thread.Sleep(125); Console.Beep(494, 125); Thread.Sleep(125); Console.Beep(466, 125); Thread.Sleep(42); Console.Beep(440, 125); Thread.Sleep(125); Console.Beep(392, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(125); Console.Beep(784, 125); Thread.Sleep(125); Console.Beep(880, 125); Thread.Sleep(125); Console.Beep(698, 125); Console.Beep(784, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(125); Console.Beep(523, 125); Thread.Sleep(125); Console.Beep(587, 125); Console.Beep(494, 125); Thread.Sleep(125); Console.Beep(523, 125); Thread.Sleep(250); Console.Beep(392, 125); Thread.Sleep(250); Console.Beep(330, 125); Thread.Sleep(250); Console.Beep(440, 125); Thread.Sleep(125); Console.Beep(494, 125); Thread.Sleep(125); Console.Beep(466, 125); Thread.Sleep(42); Console.Beep(440, 125); Thread.Sleep(125); Console.Beep(392, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(125); Console.Beep(784, 125); Thread.Sleep(125); Console.Beep(880, 125); Thread.Sleep(125); Console.Beep(698, 125); Console.Beep(784, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(125); Console.Beep(523, 125); Thread.Sleep(125); Console.Beep(587, 125); Console.Beep(494, 125); Thread.Sleep(375); Console.Beep(784, 125); Console.Beep(740, 125); Console.Beep(698, 125); Thread.Sleep(42); Console.Beep(622, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(167); Console.Beep(415, 125); Console.Beep(440, 125); Console.Beep(523, 125); Thread.Sleep(125); Console.Beep(440, 125); Console.Beep(523, 125); Console.Beep(587, 125); Thread.Sleep(250); Console.Beep(784, 125); Console.Beep(740, 125); Console.Beep(698, 125); Thread.Sleep(42); Console.Beep(622, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(167); Console.Beep(698, 125); Thread.Sleep(125); Console.Beep(698, 125); Console.Beep(698, 125); Thread.Sleep(625); Console.Beep(784, 125); Console.Beep(740, 125); Console.Beep(698, 125); Thread.Sleep(42); Console.Beep(622, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(167); Console.Beep(415, 125); Console.Beep(440, 125); Console.Beep(523, 125); Thread.Sleep(125); Console.Beep(440, 125); Console.Beep(523, 125); Console.Beep(587, 125); Thread.Sleep(250); Console.Beep(622, 125); Thread.Sleep(250); Console.Beep(587, 125); Thread.Sleep(250); Console.Beep(523, 125); Thread.Sleep(1125); Console.Beep(784, 125); Console.Beep(740, 125); Console.Beep(698, 125); Thread.Sleep(42); Console.Beep(622, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(167); Console.Beep(415, 125); Console.Beep(440, 125); Console.Beep(523, 125); Thread.Sleep(125); Console.Beep(440, 125); Console.Beep(523, 125); Console.Beep(587, 125); Thread.Sleep(250); Console.Beep(784, 125); Console.Beep(740, 125); Console.Beep(698, 125); Thread.Sleep(42); Console.Beep(622, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(167); Console.Beep(698, 125); Thread.Sleep(125); Console.Beep(698, 125); Console.Beep(698, 125); Thread.Sleep(625); Console.Beep(784, 125); Console.Beep(740, 125); Console.Beep(698, 125); Thread.Sleep(42); Console.Beep(622, 125); Thread.Sleep(125); Console.Beep(659, 125); Thread.Sleep(167); Console.Beep(415, 125); Console.Beep(440, 125); Console.Beep(523, 125); Thread.Sleep(125); Console.Beep(440, 125); Console.Beep(523, 125); Console.Beep(587, 125); Thread.Sleep(250); Console.Beep(622, 125); Thread.Sleep(250); Console.Beep(587, 125); Thread.Sleep(250); Console.Beep(523, 125); return(sO); }
public void TDXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<table><tbody><tr><td></td></tr></tbody></table>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
private string SanitizeMessage(string message) { var sanitizer = new HtmlSanitizer(); return(sanitizer.Sanitize(message)); }
public void DivBackgroundImageWithExtraCharactersXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public HtmlService() { this.htmlSanitizer = new HtmlSanitizer(); this.htmlSanitizer.AllowedAttributes.Add("class"); }
public void ImageStyleExpressionXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<IMG>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
protected void AppendMessage(bool incoming, Message msg) { string iconPath = null; string from = null; JID fromJid = null; if (msg.From == null) { from = m_Account.UserDisplayName; fromJid = m_Account.Jid; } else { if (this is MucHandler) { // FIXME: Abstract this... var participant = ((MucHandler)this).Room.Participants[msg.From]; if (participant != null) { fromJid = (!String.IsNullOrEmpty(participant.RealJID)) ? participant.RealJID : participant.NickJID; from = participant.Nick; } else { fromJid = msg.From; from = msg.From.Resource; } } else if (this is ChatHandler && ((ChatHandler)this).IsMucMessage) { fromJid = msg.From; from = msg.From.Resource; } else { fromJid = msg.From; from = m_Account.GetDisplayName(msg.From); } } foreach (XmlNode child in msg) { if (child.NamespaceURI == Namespace.ChatStates) { TypingState state = TypingState.None; if (child.LocalName == "active") { state = TypingState.Active; } else if (child.LocalName == "composing") { state = TypingState.Composing; } else if (child.LocalName == "paused") { state = TypingState.Paused; } else if (child.LocalName == "inactive") { state = TypingState.Inactive; } else if (child.LocalName == "gone") { state = TypingState.Gone; } else { Console.WriteLine(String.Format("Unknown chatstate from {0}: {1}", from, child.LocalName)); } var typingContent = new ChatContentTyping(m_Account, fromJid, from, null, state); OnNewContent(typingContent); } } if (msg.Body != null || msg.Html != null) { string body = null; if (!String.IsNullOrEmpty(msg.Html)) { body = HtmlSanitizer.Sanitize(msg.Html, true); } else { body = Util.EscapeHtml(msg.Body); body = Util.Linkify(body); body = body.Replace(" ", " "); body = body.Replace("\t", " "); body = body.Replace("\r\n", "<br/>"); body = body.Replace("\n", "<br/>"); } var guiService = ServiceManager.Get <GuiService>(); foreach (var formatter in guiService.MessageDisplayFormatters) { if (formatter.SupportsMessage(body, msg)) { body = formatter.FormatMessage(body, msg); if (formatter.StopAfter) { break; } } } DateTime date = DateTime.Now; var nsmgr = new XmlNamespaceManager(msg.OwnerDocument.NameTable); nsmgr.AddNamespace("delay", "jabber:x:delay"); var delay = (XmlElement)msg.SelectSingleNode("delay:x", nsmgr); if (delay != null) { string stamp = delay.GetAttribute("stamp"); // CCYYMMDDThh:mm:ss date = DateTime.ParseExact(stamp, @"yyyyMMdd\THH:mm:ss", null).ToLocalTime(); } var content = new ChatContentMessage(m_Account, fromJid, from, msg.To, date); content.IsOutgoing = !incoming; content.MessageHtml = body; OnNewContent(content); } }
public void BaseTagXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<BASE HREF=\"javascript:alert('XSS');//\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public BugInputModel() { this.sanitizer = new HtmlSanitizer(); }
public void EmbedSVGXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void PostProcessTest() { var sanitizer = new HtmlSanitizer(); sanitizer.PostProcessNode += (s, e) => { if (e.Node is IDomElement) { e.Node.AddClass("test"); e.Node.AppendChild(CsQuery.CQ.Create("<b>Test</b>").FirstElement()); } }; var html = @"<div>Hallo</div>"; var sanitized = sanitizer.Sanitize(html); Assert.That(sanitized, Is.EqualTo(@"<div class=""test"">Hallo<b>Test</b></div>").IgnoreCase); }
public void XmlWithCDataXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<SPAN></SPAN>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public TwitchChatNotificationHandler(INotifierMediatorService notifierMediatorService, IMapper mapper, IOptions <TwitchConfig> config, HtmlSanitizer sanitizer, TwitchAPI twitchApiClient, IHubContext <TwitchHub> twitchHub) { _notifierMediatorService = notifierMediatorService; _mapper = mapper; _sanitizer = sanitizer; _twitchApiClient = twitchApiClient; _twitchHub = twitchHub; _config = config.Value; }