Fix #119

2017-04-28 15:40:08 +02:00
parent 7601eaf333
commit 62c6fbdd5f
2 changed files with 17 additions and 2 deletions
--- a/src/HtmlSanitizer/HtmlSanitizer.cs
+++ b/src/HtmlSanitizer/HtmlSanitizer.cs
@@ -468,7 +468,7 @@ namespace Ganss.XSS
            SanitizeStyleSheets(dom, baseUrl);

            // cleanup attributes
-            foreach (var tag in context.QuerySelectorAll("*").OfType<IHtmlElement>().ToList())
+            foreach (var tag in context.QuerySelectorAll("*").OfType<IElement>().ToList())
            {
                // remove non-whitelisted attributes
                foreach (var attribute in tag.Attributes.Where(a => !IsAllowedAttribute(a)).ToList())
@@ -633,7 +633,7 @@ namespace Ganss.XSS
        /// </summary>
        /// <param name="element">The element.</param>
        /// <param name="baseUrl">The base URL.</param>
-        protected void SanitizeStyle(IHtmlElement element, string baseUrl)
+        protected void SanitizeStyle(IElement element, string baseUrl)
        {
            // filter out invalid CSS declarations
            // see https://github.com/AngleSharp/AngleSharp/issues/101
--- a/test/HtmlSanitizer.Tests/Tests.cs
+++ b/test/HtmlSanitizer.Tests/Tests.cs
@@ -2953,6 +2953,21 @@ zqy1QY1kkPOuMvKWvvmFIwClI2393jVVcp91eda4+J+fIYDbfJa7RY5YcNrZhTuV//9k="">

            Assert.Equal(html, actual);
        }
+
+        [Fact]
+        public void SvgTest()
+        {
+            // https://github.com/mganss/HtmlSanitizer/issues/119
+
+            var sanitizer = new HtmlSanitizer();
+            sanitizer.AllowedTags.Add("svg");
+
+            var html = @"<svg onchange='alert(1)'>123</svg>";
+
+            var actual = sanitizer.Sanitize(html);
+
+            Assert.Equal("<svg>123</svg>", actual);
+        }
    }
 }