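/// <summary>
/// Verifies that HtmlUtil.CleanScriptAndEventTags removes &lt;script&gt; elements and
/// on* event-handler attributes (both double- and single-quoted forms) while leaving
/// ordinary text, including apostrophes, untouched.
/// </summary>
public void TestCleanScriptAndEventTags()
{
    const string doubleApostrophes = "This job ad's content contains a two apostrophes. It's getting truncated.";
    const string doubleApostrophesWithScript =
        "This job ad's content contains some <script>alert(0)</script>." +
        " It's getting truncated.";

    // Double-quoted event-handler attribute.
    const string dirty1 = "<a href=\"linkme.com.au\" onClick=\"javascript:alert('hackslol11!!eleven!');\">hahah</a>";
    string clean1 = HtmlUtil.CleanScriptAndEventTags(dirty1);
    Assert.AreNotEqual(dirty1, clean1);
    Assert.IsFalse(HtmlUtil.ContainsScript(clean1));
    Assert.AreEqual("<a href=\"linkme.com.au\">hahah</a>", clean1);

    // Single-quoted event-handler attribute. The original cleaned dirty1 here (copy-paste
    // slip), so the single-quoted form was never actually exercised; it now is.
    const string dirty2 = "<a href=\"linkme.com.au\" onClick='alert(\'hackslol11!!eleven!\');'>hahah</a>";
    string clean2 = HtmlUtil.CleanScriptAndEventTags(dirty2);
    Assert.AreNotEqual(dirty2, clean2);
    Assert.IsFalse(HtmlUtil.ContainsScript(clean2));
    Assert.AreEqual("<a href=\"linkme.com.au\">hahah</a>", clean2);

    // A bare script element is removed entirely, including its body.
    Assert.AreEqual("", HtmlUtil.CleanScriptAndEventTags("<script type=\"text\\javascript\">alert('lolhax');</script>"));

    // Surrounding text survives when only the script element is removed.
    Assert.AreEqual(
        "Valid text with in it.",
        HtmlUtil.CleanScriptAndEventTags("Valid text with <script type=\"text\\javascript\">alert('lolhax');</script> in it."));

    // Malformed nesting (a tag inside the script open tag) is still removed as a whole.
    Assert.AreEqual(
        "",
        HtmlUtil.CleanScriptAndEventTags("<script <a href=\"linkme.com.au\" onclick=\"alert('smrt');\">hahah</a>>alert('This is smarta!');</script>"));

    // Bug 7104 - content between apostrophes gets removed.
    Assert.AreEqual(doubleApostrophes, HtmlUtil.CleanScriptAndEventTags(doubleApostrophes));
    Assert.AreEqual(
        "This job ad's content contains some . It's getting truncated.",
        HtmlUtil.CleanScriptAndEventTags(doubleApostrophesWithScript));
}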
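/// <summary>
/// Deserializes one job ad element, sanitizes its HTML content and maps it to a
/// <see cref="JobAd"/>.
/// </summary>
/// <param name="jobAdNode">The XML node holding a single job ad element.</param>
/// <param name="status">When non-null, overrides the status carried in the XML.</param>
/// <returns>
/// The mapped job ad, or <c>null</c> when the node cannot be deserialized or the
/// serializer yields no element.
/// </returns>
private JobAd GetJobAd(XmlNode jobAdNode, JobAdStatus? status)
{
    JobAdElement jobAd;
    try
    {
        using (var reader = new StringReader(jobAdNode.OuterXml))
        {
            jobAd = (JobAdElement)Serializer.Deserialize(reader);
        }
    }
    catch (Exception)
    {
        // Best effort: a malformed element is skipped rather than failing the caller.
        // NOTE(review): this also hides non-parse failures; consider narrowing the
        // catch once the serializer's exception contract is confirmed.
        return null;
    }

    // The original only guarded the mutations below and still called jobAd.Map(...)
    // on a null reference; treat "nothing deserialized" the same as a parse failure.
    if (jobAd == null)
    {
        return null;
    }

    // Feed content is untrusted HTML: strip script tags and remove onX="Y"
    // event-handler attributes before the content goes any further.
    jobAd.Content = HtmlUtil.CleanScriptAndEventTags(jobAd.Content);
    if (jobAd.Content != null)
    {
        // Normalise bare "\n" to "\r\n" without doubling up an existing "\r\n".
        jobAd.Content = jobAd.Content.Replace("\n", "\r\n").Replace("\r\r\n", "\r\n");
    }

    // PositionTitle is now optional. No point in storing the same text twice.
    if (jobAd.PositionTitle == jobAd.Title)
    {
        jobAd.PositionTitle = null;
    }

    // Override the status if needed.
    if (status != null)
    {
        jobAd.Status = status;
    }

    return jobAd.Map(_industriesQuery, _locationQuery);
}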