JacksonBruce/HtmlSanitizer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Fix #206

Browse Source
This commit is contained in:
Michael Ganss
2020-02-28 16:50:59 +01:00
parent 3a1c6f73ef
commit 146d5e4f60
3 changed files with 19 additions and 30 deletions
Download Patch File Download Diff File Expand all files Collapse all files

23
src/HtmlSanitizer/HtmlSanitizer.cs
View File

@@ -58,9 +58,8 @@ namespace Ganss.XSS
/// <param name="allowedAttributes">The allowed HTML attributes such as "href" and "alt". When <c>null</c>, uses <see cref="DefaultAllowedAttributes"/></param>
/// <param name="uriAttributes">The HTML attributes that can contain a URI such as "href". When <c>null</c>, uses <see cref="DefaultUriAttributes"/></param>
/// <param name="allowedCssProperties">The allowed CSS properties such as "font" and "margin". When <c>null</c>, uses <see cref="DefaultAllowedCssProperties"/></param>
/// <param name="allowedCssClasses">CSS class names which are allowed in the value of a class attribute. When <c>null</c>, any class names are allowed.</param>
public HtmlSanitizer(IEnumerable<string> allowedTags = null, IEnumerable<string> allowedSchemes = null,
IEnumerable<string> allowedAttributes = null, IEnumerable<string> uriAttributes = null, IEnumerable<string> allowedCssProperties = null, IEnumerable<string> allowedCssClasses = null)
IEnumerable<string> allowedAttributes = null, IEnumerable<string> uriAttributes = null, IEnumerable<string> allowedCssProperties = null)
{
AllowedTags = new HashSet<string>(allowedTags ?? DefaultAllowedTags, StringComparer.OrdinalIgnoreCase);
AllowedSchemes = new HashSet<string>(allowedSchemes ?? DefaultAllowedSchemes, StringComparer.OrdinalIgnoreCase);
@@ -68,7 +67,7 @@ namespace Ganss.XSS
UriAttributes = new HashSet<string>(uriAttributes ?? DefaultUriAttributes, StringComparer.OrdinalIgnoreCase);
AllowedCssProperties = new HashSet<string>(allowedCssProperties ?? DefaultAllowedCssProperties, StringComparer.OrdinalIgnoreCase);
AllowedAtRules = new HashSet<CssRuleType>(DefaultAllowedAtRules);
AllowedCssClasses = allowedCssClasses != null ? new HashSet<string>(allowedCssClasses) : null;
AllowedClasses = new HashSet<string>(DefaultAllowedClasses, StringComparer.OrdinalIgnoreCase);
}
/// <summary>
@@ -393,12 +392,17 @@ namespace Ganss.XSS
}
/// <summary>
/// Gets or sets the allowed CSS classes.
/// The default allowed CSS classes.
/// </summary>
public static ISet<string> DefaultAllowedClasses { get; } = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
/// <summary>
/// Gets or sets the allowed CSS classes. If the set is empty, all classes will be allowed.
/// </summary>
/// <value>
/// The allowed CSS classes.
/// The allowed CSS classes. An empty set means all classes are allowed.
/// </value>
public ISet<string> AllowedCssClasses { get; private set; }
public ISet<string> AllowedClasses { get; private set; }
/// <summary>
/// Occurs after sanitizing the document and post processing nodes.
@@ -675,9 +679,6 @@ namespace Ganss.XSS
var oldStyleEmpty = string.IsNullOrEmpty(tag.GetAttribute("style"));
SanitizeStyle(tag, baseUrl);
var checkClasses = AllowedCssClasses != null;
var allowedTags = AllowedCssClasses?.ToArray() ?? Array.Empty<string>();
// sanitize the value of the attributes
foreach (var attribute in tag.Attributes.ToList())
{
@@ -689,9 +690,9 @@ namespace Ganss.XSS
}
else
{
if (checkClasses && attribute.Name == "class")
if (AllowedClasses.Any() && attribute.Name == "class")
{
var removedClasses = tag.ClassList.Except(allowedTags).ToArray();
var removedClasses = tag.ClassList.Except(AllowedClasses).ToArray();
foreach (var removedClass in removedClasses)
RemoveCssClass(tag, removedClass, RemoveReason.NotAllowedCssClass);

6
src/HtmlSanitizer/IHtmlSanitizer.cs
View File

@@ -91,12 +91,12 @@ namespace Ganss.XSS
Regex DisallowCssPropertyValue { get; set; }
/// <summary>
/// Gets or sets the allowed CSS classes.
/// Gets or sets the allowed CSS classes. If the set is empty, all classes will be allowed.
/// </summary>
/// <value>
/// The allowed CSS classes.
/// The allowed CSS classes. An empty set means all classes are allowed.
/// </value>
ISet<string> AllowedCssClasses { get; }
ISet<string> AllowedClasses { get; }
/// <summary>
/// Occurs after sanitizing the document and post processing nodes.

20
test/HtmlSanitizer.Tests/Tests.cs
View File

@@ -2548,7 +2548,7 @@ rl(javascript:alert(""foo""))'>";
RemoveReason? reason = null;
string removedClass = null;
var s = new HtmlSanitizer(allowedAttributes: new[] { "class" }, allowedCssClasses: new[] { "good" });
var s = new HtmlSanitizer(allowedAttributes: new[] { "class" }) { AllowedClasses = { "good" } };
s.RemovingCssClass += (sender, args) =>
{
reason = args.Reason;
@@ -2567,7 +2567,7 @@ rl(javascript:alert(""foo""))'>";
RemoveReason? reason = null;
string attributeName = null;
var s = new HtmlSanitizer(allowedAttributes: new[] { "class" }, allowedCssClasses: new[] { "other" });
var s = new HtmlSanitizer(allowedAttributes: new[] { "class" }) { AllowedClasses = { "other" } };
s.RemovingAttribute += (sender, args) =>
{
attributeName = args.Attribute.Name;
@@ -2942,7 +2942,7 @@ zqy1QY1kkPOuMvKWvvmFIwClI2393jVVcp91eda4+J+fIYDbfJa7RY5YcNrZhTuV//9k="">
[Fact]
public void AllowClassesTest()
{
var sanitizer = new HtmlSanitizer(allowedAttributes: new[] { "class" }, allowedCssClasses: new[] { "good" });
var sanitizer = new HtmlSanitizer(allowedAttributes: new[] { "class" }) { AllowedClasses = { "good" } };
var html = @"<div class=""good bad"">Test</div>";
var actual = sanitizer.Sanitize(html);
@@ -2969,22 +2969,10 @@ zqy1QY1kkPOuMvKWvvmFIwClI2393jVVcp91eda4+J+fIYDbfJa7RY5YcNrZhTuV//9k="">
Assert.Equal(@"<div class=""good"">Test</div>", actual);
}
[Fact]
public void RemoveClassAttributeIfNoAllowedClassesTest()
{
// Empty array for allowed classes = no classes allowed
var sanitizer = new HtmlSanitizer(allowedAttributes: new[] { "class" }, allowedCssClasses: Array.Empty<string>());
var html = @"<div class=""good bad"">Test</div>";
var actual = sanitizer.Sanitize(html);
Assert.Equal(@"<div>Test</div>", actual);
}
[Fact]
public void RemoveClassAttributeIfEmptyTest()
{
var sanitizer = new HtmlSanitizer(allowedAttributes: new[] { "class" }, allowedCssClasses: new[] { "other" });
var sanitizer = new HtmlSanitizer(allowedAttributes: new[] { "class" }) { AllowedClasses = { "other" } };
var html = @"<div class=""good bad"">Test</div>";
var actual = sanitizer.Sanitize(html);