public virtual void TestCleanJavascriptHref() { String h = "<A HREF=\"javascript:document.location='http://www.google.com/'\">XSS</A>"; String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(h, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<a>XSS</a>", cleanHtml); }
public virtual void TestDropsUnknownTags() { String h = "<p><custom foo=true>Test</custom></p>"; String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(h, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<p>Test</p>", cleanHtml); }
public virtual void TestDropImageScript() { String h = "<IMG SRC=\"javascript:alert('XSS')\">"; String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(h, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<img>", cleanHtml); }
public virtual void TestDropScript() { String h = "<SCRIPT SRC=//ha.ckers.org/.j><SCRIPT>alert(/XSS/.source)</SCRIPT>"; String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(h, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("", cleanHtml); }
public virtual void TestDropXmlProc() { String h = "<?import namespace=\"xss\"><p>Hello</p>"; String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(h, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<p>Hello</p>", cleanHtml); }
public virtual void TestDropComments() { String h = "<p>Hello<!-- no --></p>"; String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(h, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<p>Hello</p>", cleanHtml); }
public virtual void TestRelaxed() { String h = "<h1>Head</h1><table><tr><td>One<td>Two</td></tr></table>"; String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(h, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<h1>Head</h1><table><tbody><tr><td>One</td><td>Two</td></tr></tbody></table>" , TextUtil.StripNewlines(cleanHtml)); }
public virtual void TestScriptTagInWhiteList() { Whitelist whitelist = Whitelist.Relaxed(); whitelist.AddTags("script"); NUnit.Framework.Assert.IsTrue(iText.StyledXmlParser.Jsoup.Jsoup.IsValid("Hello<script>alert('Doh')</script>World !" , whitelist)); }
public virtual void TestCleanAnchorProtocol() { String validAnchor = "<a href=\"#valid\">Valid anchor</a>"; String invalidAnchor = "<a href=\"#anchor with spaces\">Invalid anchor</a>"; // A Whitelist that does not allow anchors will strip them out. String cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(validAnchor, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<a>Valid anchor</a>", cleanHtml); cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(invalidAnchor, Whitelist.Relaxed()); NUnit.Framework.Assert.AreEqual("<a>Invalid anchor</a>", cleanHtml); // A Whitelist that allows them will keep them. Whitelist relaxedWithAnchor = Whitelist.Relaxed().AddProtocols("a", "href", "#"); cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(validAnchor, relaxedWithAnchor); NUnit.Framework.Assert.AreEqual(validAnchor, cleanHtml); // An invalid anchor is never valid. cleanHtml = iText.StyledXmlParser.Jsoup.Jsoup.Clean(invalidAnchor, relaxedWithAnchor); NUnit.Framework.Assert.AreEqual("<a>Invalid anchor</a>", cleanHtml); }
public virtual void SupplyOutputSettings() { // test that one can override the default document output settings OutputSettings os = new OutputSettings(); os.PrettyPrint(false); os.EscapeMode(Entities.EscapeMode.extended); os.Charset("ascii"); String html = "<div><p>ℬ</p></div>"; String customOut = iText.StyledXmlParser.Jsoup.Jsoup.Clean(html, "http://foo.com/", Whitelist.Relaxed(), os ); String defaultOut = iText.StyledXmlParser.Jsoup.Jsoup.Clean(html, "http://foo.com/", Whitelist.Relaxed()); NUnit.Framework.Assert.AreNotSame(defaultOut, customOut); NUnit.Framework.Assert.AreEqual("<div><p>ℬ</p></div>", customOut); NUnit.Framework.Assert.AreEqual("<div>\n" + " <p>ℬ</p>\n" + "</div>", defaultOut); os.Charset("ASCII"); os.EscapeMode(Entities.EscapeMode.@base); String customOut2 = iText.StyledXmlParser.Jsoup.Jsoup.Clean(html, "http://foo.com/", Whitelist.Relaxed(), os); NUnit.Framework.Assert.AreEqual("<div><p>ℬ</p></div>", customOut2); }