Merge branch 'master' into AngleSharp_0_10

Michael Ganss
2019-06-02 15:34:02 +02:00
4 changed files with 35 additions and 22 deletions


@@ -460,8 +460,7 @@ namespace Ganss.XSS
public IHtmlDocument SanitizeDom(string html, string baseUrl = "")
{
var parser = HtmlParserFactory();
var dom = parser.ParseDocument("<html><body></body></html>");
dom.Body.InnerHtml = html;
var dom = parser.ParseDocument("<html><body>" + html);
DoSanitize(dom, dom.Body, baseUrl);
@@ -480,7 +479,7 @@ namespace Ganss.XSS
var parser = HtmlParserFactory();
var dom = parser.ParseDocument(html);
DoSanitize(dom, dom.DocumentElement, baseUrl);
DoSanitize(dom, dom, baseUrl);
var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
@@ -499,7 +498,7 @@ namespace Ganss.XSS
var parser = HtmlParserFactory();
var dom = parser.ParseDocument(html);
DoSanitize(dom, dom.DocumentElement, baseUrl);
DoSanitize(dom, dom, baseUrl);
var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
@@ -536,7 +535,7 @@ namespace Ganss.XSS
}
}
private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = "")
private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
{
// remove non-whitelisted tags
foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
@@ -601,9 +600,9 @@ namespace Ganss.XSS
}
}
RemoveComments(context);
RemoveComments(context as IElement);
DoPostProcess(dom, context);
DoPostProcess(dom, context as IElement);
}
private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl)
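Review bot: `context as IElement` in the last hunk evaluates to null whenever DoSanitize receives the document itself, which is what both SanitizeDocument hunks appear to do now with `DoSanitize(dom, dom, baseUrl)`, because a document node is not an element. RemoveComments and DoPostProcess are not visible here, so the outcome is either a NullReferenceException or, if they tolerate null, comments surviving and post-processing being skipped on the document path. For a sanitizer that is a fail-open gap, so the node should be passed through without narrowing, e.g. `RemoveComments(context as INode);` and `DoPostProcess(dom, context as INode);`, with the two helpers' parameter types widened to match. DoSanitize's body continues outside the hunks shown.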


@@ -32,9 +32,10 @@
<PackageReference Include="AngleSharp" Version="[0.12.1]" />
<PackageReference Include="AngleSharp.Css" Version="[0.12.1]" />
<PackageReference Include="System.Text.Encoding.CodePages" Version="4.5.0" />
<PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0-beta2-19270-01" PrivateAssets="All" />
</ItemGroup>
<ItemGroup Condition=" '$(TargetFramework)' == 'net46' ">
<ItemGroup Condition=" '$(TargetFramework)' == 'net46'">
<Reference Include="System" />
<Reference Include="Microsoft.CSharp" />
</ItemGroup>


@@ -1,14 +0,0 @@
using System.Reflection;
using System.Runtime.InteropServices;
#if !NETSTANDARD
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("16af04e9-e712-417e-b749-c8d10148dda9")]
#endif


@@ -3124,6 +3124,33 @@ zqy1QY1kkPOuMvKWvvmFIwClI2393jVVcp91eda4+J+fIYDbfJa7RY5YcNrZhTuV//9k="">
Assert.Equal(html, actual);
}
}
[Fact]
public void RemovingFramesetShouldTriggerEventTest()
{
// https://github.com/mganss/HtmlSanitizer/issues/163
var sanitizer = new HtmlSanitizer();
bool anyNodeRemoved = false;
sanitizer.RemovingTag += (s, e) => anyNodeRemoved = true;
var html = @"<html><frameset><frame src=""javascript:alert(1)""></frame></frameset></html>";
var actual = sanitizer.SanitizeDocument(html);
Assert.True(anyNodeRemoved);
Assert.Equal("<html><head></head></html>", actual);
}
[Fact]
public void HtmlDocumentTest()
{
// https://github.com/mganss/HtmlSanitizer/issues/164
var sanitizer = new HtmlSanitizer();
var html = @"<html onmousemove=""alert(document.location)""><head></head><body></body></html>";
var actual = sanitizer.SanitizeDocument(html);
Assert.Equal("<html><head></head><body></body></html>", actual);
}
}
}
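Review bot: Both new tests go through SanitizeDocument only, so the reworked fragment path in SanitizeDom, which now parses `"<html><body>" + html` and then dereferences `dom.Body`, has no regression test for the same frameset input. Once the input is concatenated into the document rather than assigned to InnerHtml, structural markup such as a frameset may change what the parser builds, so it is worth pinning that nothing executable survives on that path, e.g. a fragment counterpart to RemovingFramesetShouldTriggerEventTest ending in `Assert.DoesNotContain("javascript:", sanitizer.Sanitize(html));`. A document-level case with a comment placed before `<html>` would likewise confirm that comments are still stripped when the document node is the sanitize context.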