JacksonBruce/AntiSamy.NET
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Much more tests are implemented.

Browse Source
This commit is contained in:
Caner Patır
2018-05-07 10:32:06 +03:00
parent f2fb200f1b
commit 18a7897bf5
8 changed files with 325 additions and 125 deletions
Download Patch File Download Diff File Expand all files Collapse all files

6
AntiSamy.NET.v3.ncrunchsolution Normal file
View File

@@ -0,0 +1,6 @@
<SolutionConfiguration>
<Settings>
<AllowParallelTestExecution>True</AllowParallelTestExecution>
<SolutionConfigured>True</SolutionConfigured>
</Settings>
</SolutionConfiguration>

8
src/AntiSamy/AntiSamy.cs
View File

@@ -2,24 +2,20 @@
{
public class AntiSamy
{
public string InputEncoding { get; } = AntiSamyDomScanner.DefaultEncodingAlgorithm;
public string OutputEncoding { get; } = AntiSamyDomScanner.DefaultEncodingAlgorithm;
public virtual AntiySamyResult Scan(string taintedHtml, string filename)
{
Policy policy = Policy.FromFile(filename);
var antiSamy = new AntiSamyDomScanner(policy);
return antiSamy.Scan(taintedHtml, InputEncoding, OutputEncoding);
return antiSamy.Scan(taintedHtml);
}
public virtual AntiySamyResult Scan(string taintedHtml, Policy policy)
{
var antiSamy = new AntiSamyDomScanner(policy);
return antiSamy.Scan(taintedHtml, InputEncoding, OutputEncoding);
return antiSamy.Scan(taintedHtml);
}
}

2
src/AntiSamy/AntiSamy.csproj
View File

@@ -4,6 +4,8 @@
<TargetFramework>netstandard2.0</TargetFramework>
<GeneratePackageOnBuild>true</GeneratePackageOnBuild>
<Authors>Caner Patır</Authors>
<Version>1.0.1</Version>
<FileVersion>1.0.1.0</FileVersion>
</PropertyGroup>
<ItemGroup>

9
src/AntiSamy/AntiSamyDomScanner.cs
View File

@@ -1,5 +1,6 @@
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
@@ -11,8 +12,6 @@ namespace AntiSamy
{
public sealed class AntiSamyDomScanner
{
public const string DefaultEncodingAlgorithm = "UTF-8";
private readonly List<string> _errorMessages = new List<string>();
private readonly Policy _policy;
@@ -21,7 +20,7 @@ namespace AntiSamy
public AntiSamyDomScanner(Policy policy) => _policy = policy;
public AntiySamyResult Scan(string html, string inputEncoding, string outputEncoding)
public AntiySamyResult Scan(string html)
{
if (html == null)
{
@@ -174,7 +173,7 @@ namespace AntiSamy
else
{
if ("style".Equals(name.ToLower()) && allowwdAttr != null)
if ("style".Equals(name.ToLower()))
{
ScanCss(node, parentNode, maxinputsize, true);
}
@@ -336,7 +335,7 @@ namespace AntiSamy
cssResult = styleScanner.ScanStyleSheet(node.FirstChild.InnerHtml, maxinputsize, fromStyleAttribute);
node.FirstChild.InnerHtml = cssResult.CleanHtml;
}
if (cssResult != null)
if (cssResult != null && cssResult.ErrorMessages.Any())
_errorMessages.AddRange(cssResult.ErrorMessages);
}
catch (ParseException e)

6
src/AntiSamy/CssScanner.cs
View File

@@ -58,7 +58,7 @@ namespace AntiSamy
throw new ScanException("An error occured while scanning css", exception);
}
return new AntiySamyResult(start, cleanStyleSheet, _errors);
return new AntiySamyResult(start, !string.IsNullOrEmpty(cleanStyleSheet) ? cleanStyleSheet.Trim() : cleanStyleSheet, _errors);
}
private string CleanDummyWrapper(string result)
@@ -176,13 +176,13 @@ namespace AntiSamy
private void ValidateValue(CssProperty allowedCssProperty, ICssProperty cssProperty, string value, List<Tuple<ICssProperty, string>> removeStyles)
{
if (!allowedCssProperty.AllowedLiterals.Any(lit => lit.Equals(value, StringComparison.OrdinalIgnoreCase)))
if (allowedCssProperty.AllowedLiterals.Any() && !allowedCssProperty.AllowedLiterals.Any(lit => lit.Equals(value, StringComparison.OrdinalIgnoreCase)))
{
removeStyles.Add(new Tuple<ICssProperty, string>(cssProperty, $"\"{value}\" is not allowed literal"));
return;
}
if (!allowedCssProperty.AllowedRegExps.Any(regex => new Regex(regex).IsMatch(value)))
if (allowedCssProperty.AllowedRegExps.Any() && !allowedCssProperty.AllowedRegExps.Any(regex => new Regex(regex).IsMatch(value)))
{
removeStyles.Add(new Tuple<ICssProperty, string>(cssProperty, $"\"{value}\" is not allowed literal by regex"));
return;

368
test/AntiSamy.Tests/AntiSamyTests.cs
View File

@@ -1,18 +1,15 @@
using FluentAssertions;
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;
using FluentAssertions;
using Xunit;
namespace AntiSamy.Tests
{
public class AntiSamyTests
public class AntiSamyTests : TestBase
{
private static readonly String[] BASE64_BAD_XML_STRINGS = new String[]{
private static readonly string[] BASE64_BAD_XML_STRINGS = new string[]{
// first string is
// "<a - href=\"http://www.owasp.org\">click here</a>"
"PGEgLSBocmVmPSJodHRwOi8vd3d3Lm93YXNwLm9yZyI+Y2xpY2sgaGVyZTwvYT4=",
@@ -33,44 +30,38 @@ namespace AntiSamy.Tests
};
private AntiSamy _sut = new AntiSamy();
Policy policy = GetPolicy("antisamy.xml");
private static Policy GetPolicy(string fileName)
{
string currentDir = Directory.GetCurrentDirectory();
return Policy.FromFile(Path.Combine(currentDir, $@"resources\{fileName}"));
}
[Fact]
public void scriptAttacks()
{
_sut.Scan("test<script>alert(document.cookie)</script>", policy).CleanHtml.Contains("script").Should().BeFalse();
_sut.Scan("test<script>alert(document.cookie)</script>", TestPolicy).CleanHtml.Contains("script").Should().BeFalse();
_sut.Scan("<<<><<script src=http://fake-evil.ru/test.js>", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<<<><<script src=http://fake-evil.ru/test.js>", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<script<script src=http://fake-evil.ru/test.js>>", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<script<script src=http://fake-evil.ru/test.js>>", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", policy).CleanHtml.Contains("onload").Should().BeFalse();
_sut.Scan("<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>", TestPolicy).CleanHtml.Contains("onload").Should().BeFalse();
_sut.Scan("<BODY ONLOAD=alert('XSS')>", policy).CleanHtml.Contains("alert").Should().BeFalse();
_sut.Scan("<BODY ONLOAD=alert('XSS')>", TestPolicy).CleanHtml.Contains("alert").Should().BeFalse();
_sut.Scan("<iframe src=http://ha.ckers.org/scriptlet.html <", policy).CleanHtml.Contains("<iframe").Should().BeFalse();
_sut.Scan("<iframe src=http://ha.ckers.org/scriptlet.html <", TestPolicy).CleanHtml.Contains("<iframe").Should().BeFalse();
_sut.Scan("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">", policy).CleanHtml.Contains("src").Should().BeFalse();
_sut.Scan("<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">", TestPolicy).CleanHtml.Contains("src").Should().BeFalse();
_sut.Scan("<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>", policy);
_sut.Scan("<a onblur=\"alert(secret)\" href=\"http://www.google.com\">Google</a>", TestPolicy);
}
[Fact]
public void imgAttacks()
{
_sut.Scan("<img src=\"http://www.myspace.com/img.gif\"/>", policy).CleanHtml.Contains("<img").Should().BeTrue();
_sut.Scan("<img src=\"http://www.myspace.com/img.gif\"/>", TestPolicy).CleanHtml.Contains("<img").Should().BeTrue();
_sut.Scan("<img src=javascript:alert(document.cookie)>", policy).CleanHtml.Contains("<img").Should().BeFalse();
_sut.Scan("<img src=javascript:alert(document.cookie)>", TestPolicy).CleanHtml.Contains("<img").Should().BeFalse();
_sut.Scan("<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>", policy)
_sut.Scan("<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>", TestPolicy)
.CleanHtml.Contains("<img").Should().BeFalse();
@@ -78,112 +69,110 @@ namespace AntiSamy.Tests
// .CleanHtml.Contains("<img").Should().BeFalse();
_sut.Scan("<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">", policy).CleanHtml.Contains("alert").Should().BeFalse();
_sut.Scan("<IMG SRC=\"jav&#x0D;ascript:alert('XSS');\">", TestPolicy).CleanHtml.Contains("alert").Should().BeFalse();
string s = _sut.Scan("<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>", policy).CleanHtml;
string s = _sut.Scan("<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>", TestPolicy).CleanHtml;
(s.Length == 0 || s.Contains("&amp;")).Should().BeTrue();
_sut.Scan("<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>", policy);
_sut.Scan("<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>", TestPolicy);
_sut.Scan("<IMG SRC=\"javascript:alert('XSS')\"", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<IMG SRC=\"javascript:alert('XSS')\"", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<IMG LOWSRC=\"javascript:alert('XSS')\">", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<IMG LOWSRC=\"javascript:alert('XSS')\">", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<BGSOUND SRC=\"javascript:alert('XSS');\">", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<BGSOUND SRC=\"javascript:alert('XSS');\">", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
}
[Fact]
public void hrefAttacks()
{
_sut.Scan("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">", policy).CleanHtml.Contains("href").Should().BeFalse();
_sut.Scan("<LINK REL=\"stylesheet\" HREF=\"javascript:alert('XSS');\">", TestPolicy).CleanHtml.Contains("href").Should().BeFalse();
_sut.Scan("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">", policy).CleanHtml.Contains("href").Should().BeFalse();
_sut.Scan("<LINK REL=\"stylesheet\" HREF=\"http://ha.ckers.org/xss.css\">", TestPolicy).CleanHtml.Contains("href").Should().BeFalse();
_sut.Scan("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>", policy).CleanHtml.Contains("ha.ckers.org").Should().BeFalse();
_sut.Scan("<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>", TestPolicy).CleanHtml.Contains("ha.ckers.org").Should().BeFalse();
_sut.Scan("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>", policy).CleanHtml.Contains("ha.ckers.org").Should().BeFalse();
_sut.Scan("<STYLE>BODY{-moz-binding:url(\"http://ha.ckers.org/xssmoz.xml#xss\")}</STYLE>", TestPolicy).CleanHtml.Contains("ha.ckers.org").Should().BeFalse();
_sut.Scan("<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE><UL><LI>XSS", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<IMG SRC='vbscript:msgbox(\"XSS\")'>", policy).CleanHtml.Contains("vbscript").Should().BeFalse();
_sut.Scan("<IMG SRC='vbscript:msgbox(\"XSS\")'>", TestPolicy).CleanHtml.Contains("vbscript").Should().BeFalse();
_sut.Scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">", policy).CleanHtml.Contains("<meta").Should().BeFalse();
_sut.Scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0; URL=http://;URL=javascript:alert('XSS');\">", TestPolicy).CleanHtml.Contains("<meta").Should().BeFalse();
_sut.Scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">", policy).CleanHtml.Contains("<meta").Should().BeFalse();
_sut.Scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=javascript:alert('XSS');\">", TestPolicy).CleanHtml.Contains("<meta").Should().BeFalse();
_sut.Scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">", policy).CleanHtml.Contains("<meta").Should().BeFalse();
_sut.Scan("<META HTTP-EQUIV=\"refresh\" CONTENT=\"0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K\">", TestPolicy).CleanHtml.Contains("<meta").Should().BeFalse();
_sut.Scan("<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<TABLE BACKGROUND=\"javascript:alert('XSS')\">", policy).CleanHtml.Contains("background").Should().BeFalse();
_sut.Scan("<TABLE BACKGROUND=\"javascript:alert('XSS')\">", TestPolicy).CleanHtml.Contains("background").Should().BeFalse();
_sut.Scan("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">", policy).CleanHtml.Contains("background").Should().BeFalse();
_sut.Scan("<TABLE><TD BACKGROUND=\"javascript:alert('XSS')\">", TestPolicy).CleanHtml.Contains("background").Should().BeFalse();
_sut.Scan("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<DIV STYLE=\"width: expression(alert('XSS'));\">", policy).CleanHtml.Contains("alert").Should().BeFalse();
_sut.Scan("<DIV STYLE=\"width: expression(alert('XSS'));\">", TestPolicy).CleanHtml.Contains("alert").Should().BeFalse();
_sut.Scan("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">", policy).CleanHtml.Contains("alert").Should().BeFalse();
_sut.Scan("<IMG STYLE=\"xss:expr/*XSS*/ession(alert('XSS'))\">", TestPolicy).CleanHtml.Contains("alert").Should().BeFalse();
_sut.Scan("<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>", policy).CleanHtml.Contains("ript:alert").Should().BeFalse();
_sut.Scan("<STYLE>@im\\port'\\ja\\vasc\\ript:alert(\"XSS\")';</STYLE>", TestPolicy).CleanHtml.Contains("ript:alert").Should().BeFalse();
_sut.Scan("<BASE HREF=\"javascript:alert('XSS');//\">", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<BASE HREF=\"javascript:alert('XSS');//\">", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<BaSe hReF=\"http://arbitrary.com/\">", policy).CleanHtml.Contains("<base").Should().BeFalse();
_sut.Scan("<BaSe hReF=\"http://arbitrary.com/\">", TestPolicy).CleanHtml.Contains("<base").Should().BeFalse();
_sut.Scan("<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>", policy).CleanHtml.Contains("<object").Should().BeFalse();
_sut.Scan("<OBJECT TYPE=\"text/x-scriptlet\" DATA=\"http://ha.ckers.org/scriptlet.html\"></OBJECT>", TestPolicy).CleanHtml.Contains("<object").Should().BeFalse();
_sut.Scan("<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>", policy).CleanHtml.Contains("jaascript").Should().BeFalse();
_sut.Scan("<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>", TestPolicy).CleanHtml.Contains("jaascript").Should().BeFalse();
_sut.Scan("<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>", policy).CleanHtml.Contains("<embed").Should().BeFalse();
_sut.Scan("<EMBED SRC=\"http://ha.ckers.org/xss.swf\" AllowScriptAccess=\"always\"></EMBED>", TestPolicy).CleanHtml.Contains("<embed").Should().BeFalse();
_sut.Scan("<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>", policy).CleanHtml.Contains("<embed").Should().BeFalse();
_sut.Scan("<EMBED SRC=\"data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>", TestPolicy).CleanHtml.Contains("<embed").Should().BeFalse();
_sut.Scan("<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT a=\">\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT a=\">\" '' SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT a=`>` SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT a=\">'>\" SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", policy).CleanHtml.Contains("script").Should().BeFalse();
_sut.Scan("<SCRIPT>document.write(\"<SCRI\");</SCRIPT>PT SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>", TestPolicy).CleanHtml.Contains("script").Should().BeFalse();
_sut.Scan("<SCRIPT SRC=http://ha.ckers.org/xss.js", policy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<SCRIPT SRC=http://ha.ckers.org/xss.js", TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
_sut.Scan("<div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>", policy).CleanHtml.Contains("style").Should().BeFalse();
_sut.Scan("<div/style=&#92&#45&#92&#109&#111&#92&#122&#92&#45&#98&#92&#105&#92&#110&#100&#92&#105&#110&#92&#103:&#92&#117&#114&#108&#40&#47&#47&#98&#117&#115&#105&#110&#101&#115&#115&#92&#105&#92&#110&#102&#111&#46&#99&#111&#46&#117&#107&#92&#47&#108&#97&#98&#115&#92&#47&#120&#98&#108&#92&#47&#120&#98&#108&#92&#46&#120&#109&#108&#92&#35&#120&#115&#115&#41&>", TestPolicy).CleanHtml.Contains("style").Should().BeFalse();
_sut.Scan("<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>", policy).CleanHtml.Contains("aim.exe").Should().BeFalse();
_sut.Scan("<a href='aim: &c:\\windows\\system32\\calc.exe' ini='C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\pwnd.bat'>", TestPolicy).CleanHtml.Contains("aim.exe").Should().BeFalse();
_sut.Scan("<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->", policy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<!--\n<A href=\n- --><a href=javascript:alert:document.domain>test-->", TestPolicy).CleanHtml.Contains("javascript").Should().BeFalse();
_sut.Scan("<a></a style=\"\"xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')\">", policy).CleanHtml.Contains("document").Should().BeFalse();
_sut.Scan("<a></a style=\"\"xx:expr/**/ession(document.appendChild(document.createElement('script')).src='http://h4k.in/i.js')\">", TestPolicy).CleanHtml.Contains("document").Should().BeFalse();
_sut.Scan("<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>", policy).CleanHtml.Contains("iframe").Should().BeFalse();
_sut.Scan("<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>", TestPolicy).CleanHtml.Contains("iframe").Should().BeFalse();
}
[Fact]
public void IllegalXML()
{
foreach (String BASE64_BAD_XML_STRING in BASE64_BAD_XML_STRINGS)
foreach (string BASE64_BAD_XML_STRING in BASE64_BAD_XML_STRINGS)
{
try
{
String testStr = Encoding.UTF8.GetString(Convert.FromBase64String(BASE64_BAD_XML_STRING));
_sut.Scan(testStr, policy);
string testStr = Encoding.UTF8.GetString(Convert.FromBase64String(BASE64_BAD_XML_STRING));
_sut.Scan(testStr, TestPolicy);
}
catch (ScanException ex)
catch (ScanException)
{
// still success!
}
}
_sut.Scan("<style>", policy).Should().NotBeNull();
_sut.Scan("<style>", TestPolicy).Should().NotBeNull();
}
[Fact]
@@ -197,7 +186,7 @@ namespace AntiSamy.Tests
var p = new Regex(".*<strong(\\s*)/>.*");
string s1 = _sut.Scan("<br ><strong></strong><a>hello world</a><b /><i/><hr>", policy).CleanHtml;
string s1 = _sut.Scan("<br ><strong></strong><a>hello world</a><b /><i/><hr>", TestPolicy).CleanHtml;
p.IsMatch(s1).Should().BeFalse();
@@ -213,17 +202,17 @@ namespace AntiSamy.Tests
[Fact]
public void issue20()
{
var s = _sut.Scan("<b><i>Some Text</b></i>", policy).CleanHtml;
string s = _sut.Scan("<b><i>Some Text</b></i>", TestPolicy).CleanHtml;
s.Contains("<i />").Should().BeFalse();
}
[Fact]
public void issue25()
{
String s = "<div style=\"margin: -5em\">Test</div>";
String expected = "<div>Test</div>";
var s = "<div style=\"margin: -5em\">Test</div>";
var expected = "<div>Test</div>";
String crDom = _sut.Scan(s, policy).CleanHtml;
string crDom = _sut.Scan(s, TestPolicy).CleanHtml;
crDom.Should().BeEquivalentTo(expected);
}
@@ -231,7 +220,7 @@ namespace AntiSamy.Tests
[Fact]
public void issue28()
{
String s1 = _sut.Scan("<div style=\"font-family: serif\">Test</div>", policy).CleanHtml;
string s1 = _sut.Scan("<div style=\"font-family: serif\">Test</div>", TestPolicy).CleanHtml;
s1.Contains("font-family").Should().BeTrue();
}
@@ -239,8 +228,8 @@ namespace AntiSamy.Tests
public void issue29()
{
/* issue #29 - missing quotes around properties with spaces */
String s = "<style type=\"text/css\"><![CDATA[P {\n font-family: \"Arial Unicode MS\";\n}\n]]></style>";
AntiySamyResult result = _sut.Scan(s, policy);
var s = "<style type=\"text/css\"><![CDATA[P {\n font-family: \"Arial Unicode MS\";\n}\n]]></style>";
AntiySamyResult result = _sut.Scan(s, TestPolicy);
s.Should().BeEquivalentTo(result.CleanHtml);
}
@@ -248,19 +237,18 @@ namespace AntiSamy.Tests
public void issue30()
{
String s = "<style type=\"text/css\"><![CDATA[P { margin-bottom: 0.08in; } ]]></style>";
var s = "<style type=\"text/css\"><![CDATA[P { margin-bottom: 0.08in; } ]]></style>";
_sut.Scan(s, policy);
_sut.Scan(s, TestPolicy);
/* followup - does the patch fix multiline CSS? */
String s2 = "<style type=\"text/css\"><![CDATA[\r\nP {\r\n margin-bottom: 0.08in;\r\n}\r\n]]></style>";
var cr = _sut.Scan(s2, policy);
var s2 = "<style type=\"text/css\"><![CDATA[\r\nP {\r\n margin-bottom: 0.08in;\r\n}\r\n]]></style>";
AntiySamyResult cr = _sut.Scan(s2, TestPolicy);
"<style type=\"text/css\"><![CDATA[P {\n\tmargin-bottom: 0.08in;\n}\n]]></style>".Should().BeEquivalentTo(cr.CleanHtml);
/* next followup - does non-CDATA parsing still work? */
String s3 = "<style>P {\n\tmargin-bottom: 0.08in;\n}\n";
//var s3 = "<style>P {\n\tmargin-bottom: 0.08in;\n}\n";
//policy.UseXhtml = false;
//cr = _sut.Scan(s3, );
//"<style>P {\n\tmargin-bottom: 0.08in;\n}\n</style>\n".Should().BeEquivalentTo(cr.CleanHtml);
@@ -270,11 +258,11 @@ namespace AntiSamy.Tests
public void isssue31()
{
String test = "<b><u><g>foo";
var test = "<b><u><g>foo";
//Policy revised = policy.cloneWithDirective("onUnknownTag", "encode");
var cr = _sut.Scan(test, policy);
String s = cr.CleanHtml;
AntiySamyResult cr = _sut.Scan(test, TestPolicy);
string s = cr.CleanHtml;
s.Contains("&lt;g&gt;").Should().BeTrue();
}
@@ -290,7 +278,7 @@ namespace AntiSamy.Tests
+ "<em>Names For Snow. </em>We'll catch up with you next week....wonder which" + "hat Bill will wear?<br />Jane";
Policy mySpacePolicy = GetPolicy("antisamy-myspace.xml");
var cr = _sut.Scan(dirty, mySpacePolicy);
AntiySamyResult cr = _sut.Scan(dirty, mySpacePolicy);
cr.CleanHtml.Should().NotBeNull();
Policy ebayPolicy = GetPolicy("antisamy-ebay.xml");
@@ -307,9 +295,9 @@ namespace AntiSamy.Tests
{
/* issue #38 - color problem/color combinations */
String s = "<font color=\"#fff\">Test</font>";
String expected = "<font color=\"#fff\">Test</font>";
assertEquals(_sut.Scan(s, policy).CleanHtml, expected);
var s = "<font color=\"#fff\">Test</font>";
var expected = "<font color=\"#fff\">Test</font>";
assertEquals(_sut.Scan(s, TestPolicy).CleanHtml, expected);
//Not supported
//s = "<div style=\"color: #fff\">Test 3 letter code</div>";
@@ -318,43 +306,31 @@ namespace AntiSamy.Tests
s = "<font color=\"red\">Test</font>";
expected = "<font color=\"red\">Test</font>";
assertEquals(_sut.Scan(s, policy).CleanHtml, expected);
assertEquals(_sut.Scan(s, TestPolicy).CleanHtml, expected);
s = "<font color=\"neonpink\">Test</font>";
expected = "<font>Test</font>";
assertEquals(_sut.Scan(s, policy).CleanHtml, expected);
assertEquals(_sut.Scan(s, TestPolicy).CleanHtml, expected);
s = "<font color=\"#0000\">Test</font>";
expected = "<font>Test</font>";
assertEquals(_sut.Scan(s, policy).CleanHtml, expected);
assertEquals(_sut.Scan(s, TestPolicy).CleanHtml, expected);
s = "<div style=\"color: #0000\">Test</div>";
expected = "<div>Test</div>";
assertEquals(_sut.Scan(s, policy).CleanHtml, expected);
assertEquals(_sut.Scan(s, TestPolicy).CleanHtml, expected);
s = "<font color=\"#000000\">Test</font>";
expected = "<font color=\"#000000\">Test</font>";
assertEquals(_sut.Scan(s, policy).CleanHtml, expected);
assertEquals(_sut.Scan(s, TestPolicy).CleanHtml, expected);
//Not supported
//s = "<div style=\"color: #000000\">Test</div>";
//expected = "<div style=\"color: rgb(0,0,0);\">Test</div>";
//assertEquals(_sut.Scan(s, policy).CleanHtml, expected);
/*
* This test case was failing because of the following code from the
* batik CSS library, which throws an exception if any character
* other than a '!' follows a beginning token of '<'. The
* ParseException is now caught in the node a CssScanner.java and
* the outside AntiSamyDOMScanner.java.
*
* 0398 nextChar(); 0399 if (current != '!') { 0400 throw new
* ParseException("character", 0401 reader.getLine(), 0402
* reader.getColumn());
*/
s = "<b><u>foo<style><script>alert(1)</script></style>@import 'x';</u>bar";
_sut.Scan(s, policy);
_sut.Scan(s, TestPolicy);
}
[Fact]
@@ -362,10 +338,10 @@ namespace AntiSamy.Tests
{
/* issue #40 - handling <style> media attributes right */
String s = "<style media=\"print, projection, screen\"> P { margin: 1em; }</style>";
var s = "<style media=\"print, projection, screen\"> P { margin: 1em; }</style>";
//Policy revised = policy.cloneWithDirective(Policy.PRESERVE_SPACE, "true");
var result = _sut.Scan(s, policy);
AntiySamyResult result = _sut.Scan(s, TestPolicy);
result.CleanHtml.Contains("print, projection, screen").Should().BeTrue();
}
@@ -374,5 +350,175 @@ namespace AntiSamy.Tests
{
actual.Should().BeEquivalentTo(expected);
}
[Fact]
public void issue41()
{
/* issue #41 - comment handling */
// comments will be removed by default
_sut.Scan("text <!-- comment -->", TestPolicy).CleanHtml.Should().BeEquivalentTo("text ");
//Policy revised2 = policy.cloneWithDirective(Policy.PRESERVE_COMMENTS, "true").cloneWithDirective(Policy.PRESERVE_SPACE, "true").cloneWithDirective(Policy.FORMAT_OUTPUT, "false");
///*
//* These make sure the regular comments are kept alive and that
//* conditional comments are ripped out.
//*/
//assertEquals("<div>text <!-- comment --></div>", as.scan("<div>text <!-- comment --></div>", revised2, AntiSamy.DOM).getCleanHTML());
//assertEquals("<div>text <!-- comment --></div>", as.scan("<div>text <!--[if IE]> comment <[endif]--></div>", revised2, AntiSamy.DOM).getCleanHTML());
///*
//* Check to see how nested conditional comments are handled. This is
//* not very clean but the main goal is to avoid any tags. Not sure
//* on encodings allowed in comments.
//*/
string input = "<div>text <!--[if IE]> <!--[if gte 6]> comment <[endif]--><[endif]--></div>";
string expected = "<div>text &lt;[endif]--&gt;</div>";
_sut.Scan(input, TestPolicy).CleanHtml.Should().BeEquivalentTo(expected);
/*
* Regular comment nested inside conditional comment. Test makes
* sure
*/
_sut.Scan("<div>text <!--[if IE]> <!-- IE specific --> comment <[endif]--></div>", TestPolicy).CleanHtml
.Should().BeEquivalentTo("<div>text comment &lt;[endif]--&gt;</div>");
///*
//* These play with whitespace and have invalid comment syntax.
//*/
//assertEquals("<div>text <!-- \ncomment --></div>", as.scan("<div>text <!-- [ if lte 6 ]>\ncomment <[ endif\n]--></div>", revised2, AntiSamy.DOM).getCleanHTML());
//assertEquals("<div>text comment </div>", as.scan("<div>text <![if !IE]> comment <![endif]></div>", revised2, AntiSamy.DOM).getCleanHTML());
//assertEquals("<div>text comment </div>", as.scan("<div>text <![ if !IE]> comment <![endif]></div>", revised2, AntiSamy.DOM).getCleanHTML());
var attack = "[if lte 8]<script>";
var spacer = "<![if IE]>";
var sb = new StringBuilder();
sb.Append("<div>text<!");
for (var i = 0; i < attack.Length; i++)
{
sb.Append(attack[i]);
sb.Append(spacer);
}
sb.Append("<![endif]>");
string s = sb.ToString();
_sut.Scan(s, TestPolicy).CleanHtml.Contains("<script").Should().BeFalse();
}
[Fact]
public void issue44()
{
/*
* issue #44 - childless nodes of non-allowed elements won't cause an
* error
*/
string s = "<iframe src='http://foo.com/'></iframe>" + "<script src=''></script>" + "<link href='/foo.css'>";
_sut.Scan(s, TestPolicy);
_sut.Scan(s, TestPolicy).ErrorMessages.Count().Should().Be(3);
}
[Fact]
public void issue51()
{
/* issue #51 - offsite urls with () are found to be invalid */
var s = "<a href='http://subdomain.domain/(S(ke0lpq54bw0fvp53a10e1a45))/MyPage.aspx'>test</a>";
AntiySamyResult result = _sut.Scan(s, TestPolicy);
result.ErrorMessages.Count().Should().Be(0);
}
[Fact]
public void isssue56()
{
/* issue #56 - unnecessary spaces */
var s = "<SPAN style='font-weight: bold;'>Hello World!</SPAN>";
var expected = "<span style='font-weight: bold'>Hello World!</span>";
AntiySamyResult result = _sut.Scan(s, TestPolicy);
result.CleanHtml.Should().BeEquivalentTo(expected);
}
[Fact]
public void issue58()
{
/* issue #58 - input not in list of allowed-to-be-empty tags */
var s = "tgdan <input/> g h";
AntiySamyResult result = _sut.Scan(s, TestPolicy);
result.ErrorMessages.Count().Should().Be(0);
}
[Fact]
public void issue61()
{
/* issue #61 - input has newline appended if ends with an accepted tag */
var dirtyInput = "blah <b>blah</b>.";
//Format output not supported
//Policy revised = policy.cloneWithDirective(Policy.FORMAT_OUTPUT, "false");
AntiySamyResult result = _sut.Scan(dirtyInput, TestPolicy);
result.CleanHtml.Should().BeEquivalentTo(dirtyInput);
}
[Fact]
public void issue69()
{
/* issue #69 - char attribute should allow single char or entity ref */
string s = "<table><tr><td char='.'>test</td></tr></table>";
AntiySamyResult result = _sut.Scan(s, TestPolicy);
result.CleanHtml.Contains("char").Should().BeTrue();
s = "<table><tr><td char='..'>test</td></tr></table>";
result = _sut.Scan(s, TestPolicy);
result.CleanHtml.Contains("char").Should().BeFalse();
s = "<table><tr><td char='&quot;'>test</td></tr></table>";
result = _sut.Scan(s, TestPolicy);
result.CleanHtml.Contains("char").Should().BeTrue();
s = "<table><tr><td char='&quot;a'>test</td></tr></table>";
result = _sut.Scan(s, TestPolicy);
result.CleanHtml.Contains("char").Should().BeFalse();
s = "<table><tr><td char='&quot;&amp;'>test</td></tr></table>";
result = _sut.Scan(s, TestPolicy);
result.CleanHtml.Contains("char").Should().BeFalse();
}
[Fact(Skip = "CData section is not supported and will be removed by default")]
public void CDATAByPass()
{
String malInput = "<![CDATA[]><script>alert(1)</script>]]>";
AntiySamyResult result = _sut.Scan(malInput, TestPolicy);
result.ErrorMessages.Should().NotBeEmpty();
result.CleanHtml.Should().Contain("&lt;script");
result.CleanHtml.Should().NotContain("<script");
}
[Fact]
public void literalLists()
{
/* this test is for confirming literal-lists work as
* advertised. it turned out to be an invalid / non-
* reproducible bug report but the test seemed useful
* enough to keep.
*/
var malInput = "hello<p align='invalid'>world</p>";
AntiySamyResult result = _sut.Scan(malInput, TestPolicy);
result.CleanHtml.Contains("invalid").Should().BeFalse();
result.ErrorMessages.Count().Should().Be(1);
var goodInput = "hello<p align='left'>world</p>";
_sut.Scan(goodInput, TestPolicy).CleanHtml.Contains("left").Should().BeTrue();
}
}
}

30
test/AntiSamy.Tests/LiteralTests.cs Normal file
View File

@@ -0,0 +1,30 @@
using FluentAssertions;
using System.Linq;
using Xunit;
namespace AntiSamy.Tests
{
public class LiteralTests : TestBase
{
[Fact]
public void Test_dom_good_result()
{
var html = "<div align=\"right\">html</div>";
AntiySamyResult result = new AntiSamy().Scan(html, TestPolicy);
result.ErrorMessages.Count().Should().Be(0);
}
[Fact]
public void TestDomBadResult()
{
var badHtml = "<div align=\"foo\">badhtml</div>";
AntiySamyResult result = new AntiSamy().Scan(badHtml, TestPolicy);
result.ErrorMessages.Count().Should().BeGreaterThan(0);
}
}
}

21
test/AntiSamy.Tests/TestBase.cs Normal file
View File

@@ -0,0 +1,21 @@
using System.IO;
namespace AntiSamy.Tests
{
public abstract class TestBase
{
private const string DefaultAntiSamyFile = "antisamy.xml";
protected readonly Policy TestPolicy;
protected TestBase()
{
TestPolicy = GetPolicy(DefaultAntiSamyFile);
}
protected Policy GetPolicy(string fileName)
{
string currentDir = Directory.GetCurrentDirectory();
return Policy.FromFile(Path.Combine(currentDir, $@"resources\{fileName}"));
}
}
}