Merge branch 'master' into AngleSharp_0_10

Michael Ganss
2019-06-02 15:34:02 +02:00
4 changed files with 35 additions and 22 deletions


@@ -460,8 +460,7 @@ namespace Ganss.XSS
public IHtmlDocument SanitizeDom(string html, string baseUrl = "") public IHtmlDocument SanitizeDom(string html, string baseUrl = "")
{ {
var parser = HtmlParserFactory(); var parser = HtmlParserFactory();
var dom = parser.ParseDocument("<html><body></body></html>"); var dom = parser.ParseDocument("<html><body>" + html);
dom.Body.InnerHtml = html;
DoSanitize(dom, dom.Body, baseUrl); DoSanitize(dom, dom.Body, baseUrl);
@@ -480,7 +479,7 @@ namespace Ganss.XSS
var parser = HtmlParserFactory(); var parser = HtmlParserFactory();
var dom = parser.ParseDocument(html); var dom = parser.ParseDocument(html);
DoSanitize(dom, dom.DocumentElement, baseUrl); DoSanitize(dom, dom, baseUrl);
var output = dom.ToHtml(outputFormatter ?? OutputFormatter); var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
@@ -499,7 +498,7 @@ namespace Ganss.XSS
var parser = HtmlParserFactory(); var parser = HtmlParserFactory();
var dom = parser.ParseDocument(html); var dom = parser.ParseDocument(html);
DoSanitize(dom, dom.DocumentElement, baseUrl); DoSanitize(dom, dom, baseUrl);
var output = dom.ToHtml(outputFormatter ?? OutputFormatter); var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
@@ -536,7 +535,7 @@ namespace Ganss.XSS
} }
} }
private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = "") private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
{ {
// remove non-whitelisted tags // remove non-whitelisted tags
foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList()) foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
@@ -601,9 +600,9 @@ namespace Ganss.XSS
} }
} }
RemoveComments(context); RemoveComments(context as IElement);
DoPostProcess(dom, context); DoPostProcess(dom, context as IElement);
} }
private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl) private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl)
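Review bot: At the end of DoSanitize, `RemoveComments(context as IElement)` and `DoPostProcess(dom, context as IElement)` receive null whenever the caller passes the document itself, which the two call sites changed to `DoSanitize(dom, dom, baseUrl)` now do, because a document node is an `IParentNode` but not an `IElement`. The helper bodies are outside these hunks, so depending on how they treat null, the document-level pass either throws or silently skips comment removal and the post-process step, and comments in untrusted input could survive. I would widen both helpers to accept `INode` and call `RemoveComments(context as INode);` and `DoPostProcess(dom, context as INode);`, or throw if the cast yields null. DoSanitize's body is only partly visible across these hunks.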


@@ -32,9 +32,10 @@
<PackageReference Include="AngleSharp" Version="[0.12.1]" /> <PackageReference Include="AngleSharp" Version="[0.12.1]" />
<PackageReference Include="AngleSharp.Css" Version="[0.12.1]" /> <PackageReference Include="AngleSharp.Css" Version="[0.12.1]" />
<PackageReference Include="System.Text.Encoding.CodePages" Version="4.5.0" /> <PackageReference Include="System.Text.Encoding.CodePages" Version="4.5.0" />
<PackageReference Include="Microsoft.SourceLink.GitHub" Version="1.0.0-beta2-19270-01" PrivateAssets="All" />
</ItemGroup> </ItemGroup>
<ItemGroup Condition=" '$(TargetFramework)' == 'net46' "> <ItemGroup Condition=" '$(TargetFramework)' == 'net46'">
<Reference Include="System" /> <Reference Include="System" />
<Reference Include="Microsoft.CSharp" /> <Reference Include="Microsoft.CSharp" />
</ItemGroup> </ItemGroup>


@@ -1,14 +0,0 @@
using System.Reflection;
using System.Runtime.InteropServices;
#if !NETSTANDARD
// Setting ComVisible to false makes the types in this assembly not visible
// to COM components. If you need to access a type in this assembly from
// COM, set the ComVisible attribute to true on that type.
[assembly: ComVisible(false)]
// The following GUID is for the ID of the typelib if this project is exposed to COM
[assembly: Guid("16af04e9-e712-417e-b749-c8d10148dda9")]
#endif


@@ -3124,6 +3124,33 @@ zqy1QY1kkPOuMvKWvvmFIwClI2393jVVcp91eda4+J+fIYDbfJa7RY5YcNrZhTuV//9k="">
Assert.Equal(html, actual); Assert.Equal(html, actual);
} }
} }
[Fact]
public void RemovingFramesetShouldTriggerEventTest()
{
// https://github.com/mganss/HtmlSanitizer/issues/163
var sanitizer = new HtmlSanitizer();
bool anyNodeRemoved = false;
sanitizer.RemovingTag += (s, e) => anyNodeRemoved = true;
var html = @"<html><frameset><frame src=""javascript:alert(1)""></frame></frameset></html>";
var actual = sanitizer.SanitizeDocument(html);
Assert.True(anyNodeRemoved);
Assert.Equal("<html><head></head></html>", actual);
}
[Fact]
public void HtmlDocumentTest()
{
// https://github.com/mganss/HtmlSanitizer/issues/164
var sanitizer = new HtmlSanitizer();
var html = @"<html onmousemove=""alert(document.location)""><head></head><body></body></html>";
var actual = sanitizer.SanitizeDocument(html);
Assert.Equal("<html><head></head><body></body></html>", actual);
}
} }
} }
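Review bot: Both new tests drive SanitizeDocument only with markup on `<html>` or inside `<frameset>`, so nothing here covers a comment node or a disallowed attribute on `<body>` in a full document. I would add a case next to HtmlDocumentTest that moves the same `onmousemove` attribute onto `<body>` and places a comment before `<html>`, asserting the output is still `<html><head></head><body></body></html>`. RemovingFramesetShouldTriggerEventTest could also record `e.Tag` in the handler and assert which element was reported, rather than only that some removal happened. The enclosing test class starts outside this hunk.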