This commit is contained in:
Michael Ganss
2019-06-02 14:36:53 +02:00
parent 07835ee2d6
commit a258535f13
2 changed files with 18 additions and 5 deletions


@@ -482,7 +482,7 @@ namespace Ganss.XSS
using (var dom = parser.Parse(html)) using (var dom = parser.Parse(html))
{ {
DoSanitize(dom, dom.DocumentElement, baseUrl); DoSanitize(dom, dom, baseUrl);
var output = dom.ToHtml(outputFormatter ?? OutputFormatter); var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
@@ -503,7 +503,7 @@ namespace Ganss.XSS
using (var dom = parser.Parse(html)) using (var dom = parser.Parse(html))
{ {
DoSanitize(dom, dom.DocumentElement, baseUrl); DoSanitize(dom, dom, baseUrl);
var output = dom.ToHtml(outputFormatter ?? OutputFormatter); var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
@@ -542,7 +542,7 @@ namespace Ganss.XSS
} }
} }
private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = "") private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
{ {
// remove non-whitelisted tags // remove non-whitelisted tags
foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList()) foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
@@ -607,9 +607,9 @@ namespace Ganss.XSS
} }
} }
RemoveComments(context); RemoveComments(context as IElement);
DoPostProcess(dom, context); DoPostProcess(dom, context as IElement);
} }
private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl) private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl)
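Review bot: `RemoveComments(context as IElement)` and `DoPostProcess(dom, context as IElement)` receive a null argument whenever the context is the document itself, which is exactly what the changed SanitizeDocument call sites in the two earlier hunks (`DoSanitize(dom, dom, baseUrl)`) now pass, since IHtmlDocument is not an IElement. What happens then depends on how those two helpers handle null, which is not visible here: either a NullReferenceException on the document path, or comment removal and post-processing being silently skipped for the whole document. Before this commit both calls received `dom.DocumentElement` on that path, so keeping it as the fallback preserves the previous behaviour while the `*` selector still reaches the root element: `var contextElement = context as IElement ?? dom.DocumentElement;` followed by `RemoveComments(contextElement);` and `DoPostProcess(dom, contextElement);`. The `context` parameter would also deserve a `/// <param>` line stating that it may now be either the document or an element. DoSanitize begins in the preceding hunk of this file and ends at the closing brace shown here.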


@@ -3135,6 +3135,19 @@ zqy1QY1kkPOuMvKWvvmFIwClI2393jVVcp91eda4+J+fIYDbfJa7RY5YcNrZhTuV//9k="">
Assert.True(anyNodeRemoved); Assert.True(anyNodeRemoved);
Assert.Equal("<html><head></head></html>", actual); Assert.Equal("<html><head></head></html>", actual);
} }
[Fact]
public void HtmlDocumentTest()
{
// https://github.com/mganss/HtmlSanitizer/issues/164
var sanitizer = new HtmlSanitizer();
var html = @"<html onmousemove=""alert(document.location)""><head></head><body></body></html>";
var actual = sanitizer.SanitizeDocument(html);
Assert.Equal("<html><head></head><body></body></html>", actual);
}
} }
} }
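Review bot: The new HtmlDocumentTest pins only the root-element attribute case from issue 164, while the production change in this commit also routes `RemoveComments(context as IElement)` and `DoPostProcess(dom, context as IElement)` through a cast that yields null when the context is the document, and nothing in this file exercises that path. A companion `[Fact]` that runs a document containing a comment node through `SanitizeDocument` (for example `<!-- c --><html><head></head><body></body></html>`) and asserts the comment does not survive would cover it, with the expected string confirmed against the sanitizer's current output. A second case with an event-handler attribute on `<body>` rather than `<html>` would confirm the fix is not specific to the root element. The enclosing test class continues outside the hunk.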