Fix the Sanitizer ampersand encoding (Resolve #243) (#253)
MikhailTymchukDX committed Nov 3, 2016
1 parent 9146eb2 commit d7b5b8b
Showing 5 changed files with 138 additions and 218 deletions.
23 changes: 3 additions & 20 deletions AjaxControlToolkit.HtmlEditor.Sanitizer/DefaultHtmlSanitizer.cs
Expand Up @@ -128,28 +128,11 @@ public class DefaultHtmlSanitizer : IHtmlSanitizer {
}

static string EncodeCharacterToHtmlEntityEscape(char c) {
string hex;
// check for alphnumeric characters
if(c < 0xFF) {
hex = GetEncodedChar(c);
if(hex == null)
return String.Empty + c;
} else {
hex = ((int)(c)).ToString("X2");
}

// check for illegal characters
if((c <= 0x1f && c != '\t' && c != '\n' && c != '\r') || (c >= 0x7f && c <= 0x9f))
hex = "fffd"; // Let's entity encode this instead of returning it

return "&#x" + hex + ";";
}

static string GetEncodedChar(int charCode) {
if(charCode >= 0x30 && charCode <= 0x39 || charCode >= 0x41 && charCode <= 0x5A || charCode >= 0x61 && charCode <= 0x7A)
return null;
if((c <= 31 && c != '\t' && c != '\n' && c != '\r') || (c >= 127 && c <= 159))
return "&#xfffd;"; // Let's entity encode this instead of returning it
else
return charCode.ToString("X2");
return c.ToString();
}
}

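Review bot: The new condition hard-codes the C0/C1 control ranges with magic numbers; `char.IsControl(c)` covers exactly U+0000–U+001F and U+007F–U+009F, so `if(char.IsControl(c) && c != '\t' && c != '\n' && c != '\r') return "&#xfffd;";` states the same rule without `31`, `127` and `159`. The larger point is that the non-control path now returns the character verbatim (`return c.ToString();`) where the old code always produced an `&#x..;` escape, so any protection the blanket encoding gave against `<`, `>`, `"` or `'` in the output context now rests entirely on the caller, which is outside this hunk and which I cannot confirm escapes those itself. The surviving method name still promises entity encoding, so a summary such as `/// Replaces C0/C1 control characters (except tab, LF and CR) with U+FFFD; every other character is returned unencoded.` would keep the contract honest. Which signature survives (`char c` or `int charCode`) is not recoverable from the rendered page; the new body references `c`, so callers of the `int charCode` form should be checked.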
Expand Up @@ -676,6 +676,46 @@
$("#SubmitButton").click();
});
it("handles ampersand outside an attribute correctly", function(done) {
var wrapper = new HtmlEditorWrapper(this.extender);
wrapper.setContent("&");
var endRequestHandler = function() {
var extender = $find("<%= TargetExtender.ClientID %>"),
wrapper = new HtmlEditorWrapper(extender);
expect(wrapper.currentState.editorContent()).toEqual("&");
Sys.WebForms.PageRequestManager.getInstance().remove_endRequest(arguments.callee);
done();
};
Sys.WebForms.PageRequestManager.getInstance().add_endRequest(endRequestHandler);
$("#SubmitButton").click();
});
it("handles ampersand inside an attribute correctly", function(done) {
var wrapper = new HtmlEditorWrapper(this.extender);
wrapper.setContent('<a href="http://www.codeplex.com?a=1&amp;b=2">aaa</a>', "source");
var endRequestHandler = function() {
var extender = $find("<%= TargetExtender.ClientID %>"),
wrapper = new HtmlEditorWrapper(extender);
expect(wrapper.currentState.editorContent("source")).toEqual('<a href="http://www.codeplex.com?a=1&amp;b=2">aaa</a>');
Sys.WebForms.PageRequestManager.getInstance().remove_endRequest(arguments.callee);
done();
};
Sys.WebForms.PageRequestManager.getInstance().add_endRequest(endRequestHandler);
$("#SubmitButton").click();
});
it("removes all link href attribute value with javascript code after postback", function(done) {
var wrapper = new HtmlEditorWrapper(this.extenderSanitized);
wrapper.switchTab("source").setContent("<a href='javascript:alert(\"hello world\");'>test link</a>");
