public void ImgTagShouldSanitizeCorrectly() { var str = "<img src=\"http://joinrpg.ru/a.png\" />"; var sanitizer = new HtmlSanitizer(); sanitizer.WhiteListMode = true; sanitizer.Tag("img").AllowAttributes("src"); sanitizer.Sanitize(str).ShouldBe("<img src=\"http://joinrpg.ru/a.png\">"); }
private static FeedComment ToFeedComment(Comment comment) { return(new FeedComment(comment.UserID) { Id = comment.ID.ToString(), Description = HtmlSanitizer.Sanitize(comment.Content), Date = comment.Datetime }); }
public static string SanitizeHtml(this string text) { if (string.IsNullOrWhiteSpace(text)) { return(text); } return(HtmlSanitizer.Sanitize(text)); }
private static FeedComment ToFeedComment(ProjectComment comment) { return(new FeedComment(comment.Comment.CreateBy) { Id = comment.Comment.ID.ToString(), Description = HtmlSanitizer.Sanitize(comment.Comment.Content), Date = comment.Comment.CreateOn }); }
public RedirectToRouteResult modifyProc(Credit credit) { var sanitizer = new HtmlSanitizer(); credit.contents = sanitizer.Sanitize(credit.contents); credit.uptId = System.Web.HttpContext.Current.User.Identity.Name; creditService.updateCredit(credit); return(RedirectToAction("list")); }
private static FeedComment ToFeedComment(EventComment comment) { return(new FeedComment(new Guid(comment.Creator)) { Id = comment.Id.ToString(CultureInfo.InvariantCulture), Description = HtmlSanitizer.Sanitize(comment.Comment), Date = comment.Date }); }
// GET: blogs/search public async Task <IActionResult> search(string term) { if (term == null) { return(Redirect("/blogs")); } var _sanitize = new HtmlSanitizer(); term = _sanitize.Sanitize(UtilityBLL.ReplaceHyphinWithSpace(term)); /* ***************************************/ // Process Page Meta & BreaCrumb /* ***************************************/ var _meta = PageMeta.returnPageMeta(new PageQuery() { controller = ControllerContext.ActionDescriptor.ControllerName, index = ControllerContext.ActionDescriptor.ActionName, pagenumber = 1, matchterm = term }); if (Jugnoon.Settings.Configs.GeneralSettings.store_searches) { //********************************************* // User Search Tracking Script //******************************************** if (!TagsBLL.Validate_Tags(term.Trim()) && !term.Trim().Contains("@")) { // check if tag doesn't exist var count_tags = await TagsBLL.Count(_context, new TagEntity() { type = TagsBLL.Types.General, tag_type = TagsBLL.TagType.UserSearches, isenabled = EnabledTypes.Enabled }); if (count_tags == 0) { TagsBLL.Add(_context, term.Trim(), TagsBLL.Types.General, 0, TagsBLL.TagType.UserSearches, EnabledTypes.Enabled, term.Trim()); } } } /* List Initialization */ var ListEntity = new BlogListViewModel() { QueryOptions = new BlogEntity() { term = term, }, BreadItems = _meta.BreadItems }; return(View(ListEntity)); }
public async Task Handle(ChatNotification notification, CancellationToken cancellationToken) { if ( notification.ChatMessage.Message.Trim().StartsWith("!") || _config.IgnoredUsers.Any(iu => iu.Equals(notification.ChatMessage.Username, StringComparison.InvariantCultureIgnoreCase)) ) { return; } var sanitizedHtml = System.Net.WebUtility.HtmlDecode(_sanitizer.Sanitize(notification.ChatMessage.Message)); var emotes = _mapper.Map <IEnumerable <EmoteDto> >(notification.ChatMessage.EmoteSet.Emotes); var userTypes = UserTypes.None; if (notification.ChatMessage.IsBroadcaster) { userTypes |= UserTypes.Broadcaster; } if (notification.ChatMessage.IsModerator) { userTypes |= UserTypes.Moderator; } if (notification.ChatMessage.IsSubscriber) { userTypes |= UserTypes.Subscriber; } if (notification.ChatMessage.IsVip) { userTypes |= UserTypes.Vip; } if (_config.TeamMembers.Any(tm => tm.Id.Equals(notification.ChatMessage.UserId, StringComparison.InvariantCultureIgnoreCase))) { userTypes |= UserTypes.TeamMember; } var data = new ChatMessageData { MessageId = notification.ChatMessage.Id, UserId = notification.ChatMessage.UserId, UserName = notification.ChatMessage.Username, DisplayName = notification.ChatMessage.DisplayName, Message = sanitizedHtml, TeamName = _config.TeamName, TeamShoutoutEnabled = _config.TeamShoutoutEnabled, EmoteDetails = emotes.ToArray(), UserTypes = userTypes }; var bcn = new BasicChatNotification(data); await Task.Run(() => _notifierMediatorService.Notify(bcn), cancellationToken); // _notifierMediatorService.Notify(bcn); // await _twitchHub.Clients.All.SendAsync("ReceiveChatMessage", data, uo, cancellationToken: cancellationToken); }
public void Add(Comment comment) { var sanitizer = new HtmlSanitizer(); if (comment.Text != null) { comment.Text = sanitizer.Sanitize(comment.Text.Replace("\n", "<br />")); } if (comment.Author != null) { comment.Author = sanitizer.Sanitize(comment.Author.Replace("\n", "<br />")); } this.cacheService.Remove("AllCommentsCache" + comment.PostId); this.cacheService.Remove("AllCommentsCacheCount" + comment.PostId); this.comments.Add(comment); this.comments.SaveChanges(); }
public static string WhitewashMarkup(string markup) { if (!string.IsNullOrWhiteSpace(markup)) { var sanitizer = new HtmlSanitizer(allowedTags: new string[] { string.Empty }); markup = sanitizer.Sanitize(markup); } return(markup); }
public static string SanitizeReduceMarkup(string markup) { if (!string.IsNullOrWhiteSpace(markup)) { var sanitizer = new HtmlSanitizer(allowedTags: new string[] { "b", "i", "u", "em", "strong", "q" }); markup = sanitizer.Sanitize(markup); } return(markup); }
static public String getRutaXSS3() { string ruta = "<a href=\"/Articulos/Index/\"onmouseover=\"alert(1234567890)\">INICIO/onmouseover=alert(1234567890)</a>"; var sanitizer = new HtmlSanitizer(); string rutaSaneada = sanitizer.Sanitize(ruta); return(rutaSaneada); // return new HtmlSanitizer().Sanitize("<a href=\"/Articulos/Index/\"onmouseover=\"alert(1234567890)\">INICIO/onmouseover=alert(1234567890)</a>"); }
public RedirectToRouteResult modifyProc(Business business) { HttpFileCollectionBase multipartRequest = Request.Files; var sanitizer = new HtmlSanitizer(); business.contents = sanitizer.Sanitize(business.contents); business.uptId = System.Web.HttpContext.Current.User.Identity.Name; businessService.updateBusiness(multipartRequest, business); return(RedirectToAction("list")); }
public RedirectToRouteResult modifyProc(General general) { HttpFileCollectionBase multipartRequest = Request.Files; var sanitizer = new HtmlSanitizer(); general.contents = sanitizer.Sanitize(general.contents); general.uptId = System.Web.HttpContext.Current.User.Identity.Name; generalService.updateGeneral(multipartRequest, general); return(RedirectToAction("list")); }
public static string SanitizeText(this string text) { var htmlSanitizer = new HtmlSanitizer(); htmlSanitizer.KeepChildNodes = true; htmlSanitizer.AllowDataAttributes = true; return(htmlSanitizer.Sanitize(text)); }
public async Task <IActionResult> Post([FromBody] BlogPostRequest blogPostRequest) { var authorId = new Guid(HttpContext.User.FindFirst("authorId").Value); blogPostRequest.Title = _sanitizer.Sanitize(blogPostRequest.Title); // Post value: <div onload=alert('xss')>Title</div> blogPostRequest.Text = _sanitizer.Sanitize(blogPostRequest.Text); // Post value: <script type="text/javascript">alert('text')</script> var blogPost = blogPostRequest.CreateBlogPost(authorId); await _ctx.BlogPosts.AddAsync(blogPost); await _ctx.SaveChangesAsync(); var blogPostResponse = BlogPostResponse.FromBlogPost( _blogPostProtector.Protect(blogPost.Id.ToString()), blogPost, true ); return(CreatedAtAction(nameof(Get), new { id = _blogPostProtector.Protect(blogPost.Id.ToString()) }, blogPostResponse)); }
public static string SanitizeHtmlData(string htmlData) { var sanitizer = new HtmlSanitizer(); sanitizer.AllowedTags.Remove("iframe"); sanitizer.AllowedTags.Remove("img"); var sanitized = sanitizer.Sanitize(htmlData); return(sanitized); }
public RedirectToRouteResult registerProc(Product product) { var sanitizer = new HtmlSanitizer(); product.contents = sanitizer.Sanitize(product.contents); product.regId = System.Web.HttpContext.Current.User.Identity.Name; productService.insertProduct(product); return(RedirectToAction("list")); }
public async Task <IActionResult> CreateAsync([FromBody] Post body) { var sanitizer = new HtmlSanitizer(); body.Content = sanitizer.Sanitize(body.Content); _db.Posts.Add(body); await _db.SaveChangesAsync(); return(new OkObjectResult(body)); }
public IBlogPostData ConvertMarkdownToHtml(IBlogPostData data) { var title = data.Title; var content = data.Content; var contentAsHtml = MarkdigConverter.ConvertToHtml(content); var sanitizedHtml = _sanitizer.Sanitize(contentAsHtml); var result = new BlogPostData(title, sanitizedHtml); return(result); }
public async Task Replace(string id, ArticleChange model) { var article = await articleRepository.GetById(id); if (article is null) { throw new ArgumentException($"Article with id {id} not found."); } if (article.Title != model.Title) { article.Slug = new SlugHelper().GenerateSlug(model.Title); } var sanitizer = new HtmlSanitizer(); model.Body.Blocks = model.Body.Blocks.Select(block => { if (block.Data.Text != null) { block.Data.Text = sanitizer.Sanitize(block.Data.Text); } if (block.Data.Caption != null) { block.Data.Caption = sanitizer.Sanitize(block.Data.Caption); } return(block); }).ToList(); article.Title = model.Title; article.Lead = model.Lead; article.Body = model.Body; article.Cover = model.Cover; article.Author = model.Author; article.Tags = model.Tags; if (model.Schedule != DateTime.MinValue) { article.Schedule = model.Schedule; } await articleRepository.Replace(article); }
public void Add(Post post) { var sanitizer = new HtmlSanitizer(); if (post.Text != null) { post.Text = sanitizer.Sanitize(post.Text.Replace("\n", "<br />")); } if (post.Author != null) { post.Author = sanitizer.Sanitize(post.Author.Replace("\n", "<br />")); } this.cacheService.Remove("AllPostsCache" + post.ForumId); this.cacheService.Remove("AllPostsCacheCount" + post.ForumId); this.posts.Add(post); this.posts.SaveChanges(); }
protected void SetHtml(string txt, string html) { if (string.IsNullOrEmpty(html)) { return; } _dictionary[txt] = HtmlSanitizer.Sanitize(html); }
public async Task <IActionResult> Create(AdminControllerCreateViewModel viewModel) { if (ModelState.IsValid == false) { viewModel.Departments = await LoadDepartmentSelectList(); return(View(viewModel)); } // insert application var vacancyModel = new VacancyBaseModel { JobTitle = _htmlSanitizer.Sanitize(viewModel.Vacancy.JobTitle), JobDescription = _htmlSanitizer.Sanitize(viewModel.Vacancy.JobDescription), SalaryMin = (int)viewModel.Vacancy.SalaryMin, SalaryMax = (int)viewModel.Vacancy.SalaryMax, DepartmentId = (int)viewModel.Department, ContractType = _htmlSanitizer.Sanitize(viewModel.Vacancy.ContractType), StartDate = viewModel.Vacancy.StartDate, EndDate = viewModel.Vacancy.EndDate, Published = viewModel.Vacancy.Published }; var questionModels = new List <VacancyQuestionBaseModel>(); foreach (var question in viewModel.Questions) { questionModels.Add(new VacancyQuestionBaseModel { Question = _htmlSanitizer.Sanitize(question.Question), IsRequired = question.IsRequired, MinLength = question.MinLength, MaxLength = question.MaxLength, DisplayOrder = question.DisplayOrder }); } var vacancyId = await _vacancyCrud.Insert(vacancyModel, questionModels); return(Redirect($"/admin/details/{vacancyId}")); }
public IActionResult ShowPage(int PageID, string returnUrl) { var docpage = Documentation.Pages.FirstOrDefault(x => x.DocPageID == PageID); var sanitizer = new HtmlSanitizer(); sanitizer.AllowedAttributes.Add("class"); if (docpage.GroupID == 0) { var model = new ShowPublicPageViewModel { Name = docpage.Name, returnUrl = returnUrl, Files = Files.DocumentationFiles.Where(x => x.DocPageId == PageID).ToList(), DocPageID = PageID, HtmlDataText = sanitizer.Sanitize(CommonMark.CommonMarkConverter.Convert(docpage.Data ?? @"### No content ")), Date = docpage.Date.ToShortDateString() }; return(View("ShowPublicDocPage", model)); } else { var List = new List <TaskModel>(); foreach (var item in Documentation.Tasks.Where(x => x.DocPageID == PageID).ToList()) { List.Add(new TaskModel() { Task = item, User = Users.UsersData.FirstOrDefault(x => x.Id == item.UserID) }); } var model = new ShowPrivatePageViewModel { Name = docpage.Name, returnUrl = returnUrl, Files = Files.DocumentationFiles.Where(x => x.DocPageId == PageID).ToList(), DocPageID = PageID, HtmlDataText = sanitizer.Sanitize(CommonMark.CommonMarkConverter.Convert(docpage.Data ?? @"### No content ")), Date = docpage.Date.ToShortDateString(), GroupID = docpage.GroupID, Tasks = List }; return(View("ShowPrivateDocPage", model)); } }
/// <summary> /// Returns a string with any html removed /// </summary> /// <param name="s">The string to check</param> /// <returns>The sanitized string</returns> public static string StripHtml(this string s) { if (string.IsNullOrEmpty(s)) { return(s); } var htmlSanitizer = new HtmlSanitizer(); return(htmlSanitizer.Sanitize(s)); }
static void Clean(string name, string pathDirty, string pathClean) { string html = File.ReadAllText(pathDirty + name); HtmlSanitizer sanitizer = new HtmlSanitizer(); sanitizer.AllowedTags.Remove("img"); string cleanHtml = sanitizer.Sanitize(html); File.WriteAllText(pathClean + name, cleanHtml); }
public RedirectToRouteResult modifyProc(News news) { HttpFileCollectionBase multipartRequest = Request.Files; news.uptId = System.Web.HttpContext.Current.User.Identity.Name; var sanitizer = new HtmlSanitizer(); news.contents = sanitizer.Sanitize(news.contents); newsService.updateNews(multipartRequest, news); return(RedirectToAction("list", (RouteValueDictionary)Session["searchMap"])); }
public string RemoveHtmlXss(string html) { if (string.IsNullOrEmpty(html)) { return(""); } var _htmlSanitizer = new HtmlSanitizer(); return(_htmlSanitizer.Sanitize(html, null)); }
public string Run(String jobId) { Logger.DebugFormat("Sanitize HTML for {0}", jobId); string html = File.ReadAllText(_filePath); var sanitizer = new HtmlSanitizer(); var sanitized = sanitizer.Sanitize(html); File.WriteAllText(_filePath, sanitized); Logger.DebugFormat("Sanitize HTML for {0} done!", jobId); return(_filePath); }
public void XSSLocatorTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<a href=\"'';!--\"<XSS>=&{()}\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = @"<a href=""'';!--"">=&{()}"></a>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageXSS2Test() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=javascript:alert('XSS')>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<IMG>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void DivBackgroundImageWithUnicodedXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = @"<DIV STYLE=""background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028\0027\0058\0053\0053\0027\0029'\0029"">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageMultilineInjectedXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = @"<IMG SRC = "" j a v a s c r i p t : a l e r t ( ' X S S ' ) "" > "; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>\n"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void TDXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<table><tbody><tr><td></td></tr></tbody></table>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void EmbedSVGXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void XmlWithCDataXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]></C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<SPAN></SPAN>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageStyleExpressionXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<IMG>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void BaseTagXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<BASE HREF=\"javascript:alert('XSS');//\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageInputXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<input type=\"image\">"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void BRJavascriptIncludeXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<BR SIZE=\"&{alert('XSS')}\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<BR>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageDoubleOpenAngleBracketXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<image src=http://ha.ckers.org/scriptlet.html <"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void DivJavascriptEscapingXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<div style=\"\";alert('XSS');//\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageSpaceAndMetaCharXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=\"  javascript:alert('XSS');\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageNullBreaksUpXSSTest2() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageNullBreaksUpXSSTest1() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=java\0script:alert(\"XSS\")>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void DivBackgroundImageWithExtraCharactersXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void PWithUrlInStyleXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<p STYLE=\"behavior: url(www.ha.ckers.org);\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert // intentionally keep it failing to get notice when reviewing unit tests so can disucss string expected = "<p></p>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void DivExpressionXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<DIV STYLE=\"width: expression(alert('XSS'));\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<div></div>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageWithVBScriptXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC='vbscript:msgbox(\"XSS\")'>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void AnchorTagStyleExpressionXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "exp/*<A STYLE='no\\xss:noxss(\"*//*\");xss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "exp/*<a></a>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void PostProcessTest() { var sanitizer = new HtmlSanitizer(); sanitizer.PostProcessNode += (s, e) => { if (e.Node is IDomElement) { e.Node.AddClass("test"); e.Node.AppendChild(CsQuery.CQ.Create("<b>Test</b>").FirstElement()); } }; var html = @"<div>Hallo</div>"; var sanitized = sanitizer.Sanitize(html); Assert.That(sanitized, Is.EqualTo(@"<div class=""test"">Hallo<b>Test</b></div>").IgnoreCase); }
public void EmbedTagXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void AutoLinkTest() { var sanitizer = new HtmlSanitizer(); var autolink = new AutoLink(); sanitizer.PostProcessNode += (s, e) => { var text = e.Node as IDomText; if (text != null) { var autolinked = autolink.Link(text.NodeValue); if (autolinked != text.NodeValue) foreach (var node in CQ.Create(autolinked)) e.ReplacementNodes.Add(node); } }; var html = @"<div>Click here: http://example.com/.</div>"; Assert.That(sanitizer.Sanitize(html), Is.EqualTo(@"<div>Click here: <a href=""http://example.com/"">http://example.com/</a>.</div>").IgnoreCase); Assert.That(sanitizer.Sanitize("Check out www.google.com."), Is.EqualTo(@"Check out <a href=""http://www.google.com"">www.google.com</a>.").IgnoreCase); }
public void XmlNamespaceXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<HTML xmlns:xss> <?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"> <xss:xss>XSS</xss:xss></HTML>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void FrameXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageWithLivescriptXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=\"Livescript:[code]\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageEmbeddedCarriageReturnXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=\"jav
ascript:alert('XSS');\">"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void ImageHexEncodeXSSTest() { // Arrange var sanitizer = new HtmlSanitizer(); // Act string htmlFragment = "<IMG SRC=javascript:alert('XSS')>"; string actual = sanitizer.Sanitize(htmlFragment); // Assert string expected = "<img>"; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
public void RussianTextTest() { // Arrange var s = new HtmlSanitizer(); // Act var htmlFragment = "Тест"; var outputFormatter = new CsQuery.Output.FormatDefault(DomRenderingOptions.RemoveComments | DomRenderingOptions.QuoteAllAttributes, HtmlEncoders.Minimum); var actual = s.Sanitize(htmlFragment, "", outputFormatter); // Assert var expected = htmlFragment; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }