Always encode text in raw data content
Michael Ganss committed Sep 22, 2023
1 parent 1cf8ff0 commit 2a4304d
Showing 2 changed files with 37 additions and 1 deletion.
8 changes: 8 additions & 0 deletions src/HtmlSanitizer/HtmlSanitizer.cs
Expand Up @@ -463,6 +463,14 @@ private void RemoveComments(INode context)

private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
{
// always encode text in raw data content
foreach (var tag in context.QuerySelectorAll("*").Where(t => t.Flags.HasFlag(NodeFlags.LiteralText) && !string.IsNullOrWhiteSpace(t.InnerHtml)))
{
var escapedHtml = tag.InnerHtml.Replace("<", "&lt;").Replace(">", "&gt;");
if (escapedHtml != tag.InnerHtml)
tag.InnerHtml = escapedHtml;
}

// remove disallowed tags
foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
{
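Review bot: The comment on the new loop says what it does but not why, and the why is the security-relevant part; I would expand it to roughly `// Raw-text elements (style, script, xmp, ...) serialize their content unescaped, so a "</xmp>" or "<img ...>" sequence inside them can be re-parsed as real markup when the output lands in a different parsing context (see the svg/math cases in Tests.cs); encoding < and > makes the text inert however it is re-parsed, and & is presumably left alone so that a second sanitize pass is a no-op — confirm.` The predicate and the loop body both read `t.InnerHtml`, so each literal-text element is serialized twice; reading it once into a local (or filtering on `t.TextContent`) would avoid that, though it is not a correctness issue. Unlike the removal loop that follows, this enumeration is not materialized with `.ToList()`; that looks safe because only child text is replaced and no elements are added or removed, but a one-line comment saying so would stop the next reader from "fixing" it either way. DoSanitize's body continues past the end of the hunk.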
30 changes: 29 additions & 1 deletion test/HtmlSanitizer.Tests/Tests.cs
Expand Up @@ -3248,7 +3248,7 @@ public void StyleByPassTest()
var sanitized = sanitizer.Sanitize(html, "http://www.example.com");

// Assert
Assert.Equal("aaabc<style>x[x=\"\\3c/style>\\3cimg src onerror=alert(1)>\"] { }</style>", sanitized);
Assert.Equal("aaabc<style>x[x=\"\\3c/style&gt;\\3cimg src onerror=alert(1)&gt;\"] { }</style>", sanitized);
}

[Fact]
Expand Down Expand Up @@ -3487,4 +3487,32 @@ public void VarUrlTest()
var sanitized = sanitizer.Sanitize(html);
Assert.Equal(html, sanitized);
}

[Fact]
public void BypassTest()
{
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedTags.Add("svg");
sanitizer.AllowedTags.Add("title");
sanitizer.AllowedTags.Add("xmp");
var bypass = @"<svg></p><title><xmp></title><img src=x onerror=alert(1)></xmp></title>";
var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
var expected = @"<svg><p></p><title><xmp>&lt;/title&gt;&lt;img src=x onerror=alert(1)&gt;</xmp></title></svg>";
Assert.Equal(expected, sanitized);
}

[Fact]
public void Bypass2Test()
{
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedTags.Add("form");
sanitizer.AllowedTags.Add("math");
sanitizer.AllowedTags.Add("mtext");
sanitizer.AllowedTags.Add("mglyph");
sanitizer.AllowedTags.Add("xmp");
var bypass = @"<form><math><mtext></form><form><mglyph><xmp></math><img src onerror=alert(1)>";
var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
var expected = @"<form><math><mtext><form><mglyph><xmp>&lt;/math&gt;&lt;img src onerror=alert(1)&gt;</xmp></mglyph></form></mtext></math></form>";
Assert.Equal(expected, sanitized);
}
}
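Review bot: `BypassTest` and `Bypass2Test` are named by number rather than by the behavior they pin, unlike the neighbouring `StyleByPassTest` and `VarUrlTest`; names such as `RawTextInForeignContentIsEncodedTest` and `RawTextAfterMisnestedFormIsEncodedTest` would tell a reader what regressed when one fails. Both tests assert a single pass only; since the new encoding in DoSanitize leaves `&` untouched, adding `Assert.Equal(sanitized, sanitizer.Sanitize(sanitized, "https://www.example.com"));` to each would pin that re-sanitizing the output does not double-encode. In the updated StyleByPassTest expectation (first hunk of this file) `<` appears as `\3c` while `>` is now `&gt;`, which looks like two different steps acting on the same text; a short comment there explaining why the two characters end up encoded differently would help. The new tests also lack the `// Arrange` / `// Act` / `// Assert` markers the existing tests use.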
