JacksonBruce/HtmlSanitizer
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Force input HTML into body

Browse Source
This commit is contained in:
Michael Ganss
2016-02-11 16:53:54 +01:00
parent a36f4c8c1a
commit 24d3767520
2 changed files with 43 additions and 5 deletions
Download Patch File Download Diff File Expand all files Collapse all files

46
HtmlSanitizer.Tests/Tests.cs
View File

@@ -479,7 +479,7 @@ S
string actual = sanitizer.Sanitize(htmlFragment); string actual = sanitizer.Sanitize(htmlFragment);
// Assert // Assert
string expected = ""; string expected = "<img>";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase); Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
} }
@@ -493,13 +493,12 @@ S
// Arrange // Arrange
var sanitizer = new HtmlSanitizer(); var sanitizer = new HtmlSanitizer();
// Act // Act
string htmlFragment = "<image src=http://ha.ckers.org/scriptlet.html <"; string htmlFragment = "<image src=http://ha.ckers.org/scriptlet.html <";
string actual = sanitizer.Sanitize(htmlFragment); string actual = sanitizer.Sanitize(htmlFragment);
// Assert // Assert
string expected = ""; string expected = "<img src=\"http://ha.ckers.org/scriptlet.html\">";
Assert.That(actual, Is.EqualTo(expected).IgnoreCase); Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
} }
@@ -976,7 +975,7 @@ S
// Act // Act
string htmlFragment = "<HTML xmlns:xss> <?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"> <xss:xss>XSS</xss:xss></HTML>"; string htmlFragment = "<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>XSS</xss:xss></HTML>";
string actual = sanitizer.Sanitize(htmlFragment); string actual = sanitizer.Sanitize(htmlFragment);
// Assert // Assert
@@ -2449,6 +2448,45 @@ rl(javascript:alert(""foo""))'>";
Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedUrlValue)); Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedUrlValue));
} }
[Test]
public void RemoveEventForNotAllowedTag_ScriptTag()
{
RemoveReason? actual = null;
var s = new HtmlSanitizer();
s.RemovingTag += (sender, args) =>
{
actual = args.Reason;
};
s.Sanitize("<script>alert('Hello world!')</script>");
Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
}
[Test]
public void RemoveEventForNotAllowedTag_StyleTag()
{
RemoveReason? actual = null;
var s = new HtmlSanitizer();
s.RemovingTag += (sender, args) =>
{
actual = args.Reason;
};
s.Sanitize("<style> body {background-color:lightgrey;}</style>");
Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
}
[Test]
public void RemoveEventForNotAllowedTag_ScriptTagAndSpan()
{
RemoveReason? actual = null;
var s = new HtmlSanitizer();
s.RemovingTag += (sender, args) =>
{
actual = args.Reason;
};
s.Sanitize("<span>Hi</span><script>alert('Hello world!')</script>");
Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
}
} }
} }

2
HtmlSanitizer/HtmlSanitizer.cs
View File

@@ -326,7 +326,7 @@ namespace Ganss.XSS
IsToleratingInvalidConstraints = true, IsToleratingInvalidConstraints = true,
IsToleratingInvalidValues = true IsToleratingInvalidValues = true
})); }));
var dom = parser.Parse(html); var dom = parser.Parse("<body>" + html + "</body>");
// remove non-whitelisted tags // remove non-whitelisted tags
foreach (var tag in dom.Body.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList()) foreach (var tag in dom.Body.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())