diff --git a/src/Roadkill.Core/Roadkill.Core.csproj b/src/Roadkill.Core/Roadkill.Core.csproj
index 0dfb4e376..d8830be61 100644
--- a/src/Roadkill.Core/Roadkill.Core.csproj
+++ b/src/Roadkill.Core/Roadkill.Core.csproj
@@ -125,8 +125,8 @@
false
-
- ..\..\packages\AngleSharp.0.9.8.1\lib\net45\AngleSharp.dll
+
+ ..\..\packages\AngleSharp.0.9.7\lib\net45\AngleSharp.dll
True
@@ -145,6 +145,10 @@
..\..\packages\HtmlAgilityPack.1.4.9\lib\Net45\HtmlAgilityPack.dll
True
+
+ ..\..\packages\HtmlSanitizer.3.3.132-beta\lib\net45\HtmlSanitizer.dll
+ True
+
..\..\packages\SharpZipLib.0.86.0\lib\20\ICSharpCode.SharpZipLib.dll
@@ -533,7 +537,6 @@
-
diff --git a/src/Roadkill.Core/Text/MarkupConverter.cs b/src/Roadkill.Core/Text/MarkupConverter.cs
index b1574d015..b03ef8b64 100644
--- a/src/Roadkill.Core/Text/MarkupConverter.cs
+++ b/src/Roadkill.Core/Text/MarkupConverter.cs
@@ -1,8 +1,10 @@
using System;
using System.Collections.Generic;
using System.Linq;
+using System.Runtime.Caching;
using System.Web;
using System.Text.RegularExpressions;
+using Ganss.XSS;
using Roadkill.Core.Configuration;
using Roadkill.Core.Text.Sanitizer;
using Roadkill.Core.Database;
@@ -293,13 +295,64 @@ private string RemoveHarmfulTags(string html)
{
if (_applicationSettings.UseHtmlWhiteList)
{
- MarkupSanitizer sanitizer = new MarkupSanitizer(_applicationSettings, true, false, true);
- return sanitizer.SanitizeHtml(html);
+ HtmlWhiteList htmlWhiteList = GetCachedWhiteList();
+ string[] allowedTags = htmlWhiteList.ElementWhiteList.Select(x => x.Name).ToArray();
+ string[] allowedAttributes = htmlWhiteList.ElementWhiteList.SelectMany(x => x.AllowedAttributes.Select(y => y.Name)).ToArray();
+
+ if (allowedTags.Length == 0)
+ allowedTags = null;
+
+ if (allowedAttributes.Length == 0)
+ allowedAttributes = null;
+
+ var sanitizer = new HtmlSanitizer(allowedTags, null, allowedAttributes);
+ sanitizer.AllowDataAttributes = false;
+ sanitizer.AllowedAttributes.Add("class");
+ sanitizer.AllowedAttributes.Add("id");
+ sanitizer.AllowedSchemes.Add("mailto");
+ sanitizer.RemovingAttribute += Sanitizer_RemovingAttribute;
+
+ return sanitizer.Sanitize(html);
}
else
{
return html;
}
}
+
+ private void Sanitizer_RemovingAttribute(object sender, RemovingAttributeEventArgs e)
+ {
+ // Don't clean /wiki/Special:Tag urls in href="" attributes
+ if (e.Attribute.Name.ToLower() == "href" && e.Attribute.Value.Contains("Special:"))
+ {
+ e.Cancel = true;
+ }
+ }
+
+ private string _cacheKey = "whitelist";
+ internal static MemoryCache _memoryCache = new MemoryCache("MarkupSanitizer");
+
+ ///
+ /// Changes the key name used for the cache'd version of the HtmlWhiteList object.
+ ///
+ ///
+ public void SetWhiteListCacheKey(string key)
+ {
+ _memoryCache.Remove(_cacheKey);
+ _cacheKey = key;
+ }
+
+ private HtmlWhiteList GetCachedWhiteList()
+ {
+ HtmlWhiteList whiteList = _memoryCache.Get(_cacheKey) as HtmlWhiteList;
+
+ if (whiteList == null)
+ {
+ whiteList = HtmlWhiteList.Deserialize(_applicationSettings);
+ _memoryCache.Add(_cacheKey, whiteList, new CacheItemPolicy());
+ }
+
+ return whiteList;
+ }
}
}
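Review bot: The exemption in `Sanitizer_RemovingAttribute` is a substring test, so any `href` whose value merely contains "Special:" keeps that value even when HtmlSanitizer had decided to drop it (for example because the scheme is not in `AllowedSchemes`); anchor the exemption to the resolved path instead, e.g. `if (e.Attribute.Name.Equals("href", StringComparison.OrdinalIgnoreCase) && e.Attribute.Value.StartsWith("/wiki/Special:", StringComparison.Ordinal))`, confirming the prefix against whatever the URL resolver actually emits (the comment gives `/wiki/Special:Tag` as the form). Two further points in the same hunk: `allowedAttributes` is built as a flat union over every whitelisted element, so an attribute the whitelist permits on one element is now accepted on all of them, a looser contract than the deleted per-element `ContainsAttribute` check and worth a comment on that line if it is intended; and the `Length == 0` fallbacks pass `null` to the `HtmlSanitizer` constructor, which as far as I know selects the library's default tag and attribute sets rather than allowing nothing, so a missing or empty whitelist file silently widens what is accepted instead of failing closed. The `RemoveHarmfulTags` signature sits outside the hunk.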
diff --git a/src/Roadkill.Core/Text/Sanitizer/MarkupSanitizer.cs b/src/Roadkill.Core/Text/Sanitizer/MarkupSanitizer.cs
deleted file mode 100644
index 5afe7c2b7..000000000
--- a/src/Roadkill.Core/Text/Sanitizer/MarkupSanitizer.cs
+++ /dev/null
@@ -1,289 +0,0 @@
-using System.Collections.Generic;
-using System.Linq;
-using System.Runtime.Caching;
-using System.Text;
-using System.Text.RegularExpressions;
-using System.Web;
-using AngleSharp.Dom.Html;
-using AngleSharp.Parser.Html;
-using HtmlAgilityPack;
-using Roadkill.Core.Configuration;
-using HapHtmlAttribute = HtmlAgilityPack.HtmlAttribute;
-
-// Parts of this class are based on source (c) 2009 Codeplex Foundation
-// from: http://ajaxcontroltoolkit.codeplex.com under the new BSD license.
-namespace Roadkill.Core.Text.Sanitizer
-{
- ///
- /// Sanitizer class that allows tag and attributes those are in whitelist and removes
- /// other tags and attributes. This also cleans attribute values to remove vulnerable
- /// words and characters
- ///
- public class MarkupSanitizer
- {
- private readonly string[] _encodedCharacters = new string[256];
- private readonly ApplicationSettings _applicationSettings;
- private string _cacheKey;
- internal static MemoryCache _memoryCache = new MemoryCache("MarkupSanitizer");
- public bool UseWhiteList { get; set; }
- public bool CleanAttributes { get; set; }
- public bool EncodeHtmlEntities { get; set; }
-
- ///
- /// The strict version of the cleaner - uses the whitelist, cleans all attributes, encodes
- /// all HTML entities in attributes.
- ///
- public MarkupSanitizer(ApplicationSettings settings) : this(settings, true, true, true)
- {
-
- }
-
- ///
- /// The customisable/looser version of the cleaner, allows you to customise how strict it is with
- /// additional checks like the whitelist, attribute removal, html entity encoding in attributes.
- ///
- public MarkupSanitizer(ApplicationSettings settings, bool useWhiteList, bool cleanAttributes, bool encodeHtmlEntities)
- {
- _applicationSettings = settings;
- _cacheKey = "whitelist";
- UseWhiteList = useWhiteList;
- CleanAttributes = cleanAttributes;
- EncodeHtmlEntities = encodeHtmlEntities;
-
- // Intialize an array to mark which characters are to be encoded.
- for (int i = 0; i < 0xFF; i++)
- {
- if (i >= 0x30 && i <= 0x39 || i >= 0x41 && i <= 0x5A || i >= 0x61 && i <= 0x7A)
- {
- _encodedCharacters[i] = null;
- }
- else
- {
- _encodedCharacters[i] = i.ToString("X2");
- }
- }
- }
-
- ///
- /// Changes the key name used for the cache'd version of the HtmlWhiteList object.
- ///
- ///
- public void SetWhiteListCacheKey(string key)
- {
- _memoryCache.Remove(_cacheKey);
- _cacheKey = key;
- }
-
- ///
- /// A MemoryCache is used as an alternative to a unit-test unfriendly static HtmlWhiteList.
- ///
- private HtmlWhiteList GetCachedWhiteList()
- {
- HtmlWhiteList whiteList = _memoryCache.Get(_cacheKey) as HtmlWhiteList;
-
- if (whiteList == null)
- {
- whiteList = HtmlWhiteList.Deserialize(_applicationSettings);
- _memoryCache.Add(_cacheKey, whiteList, new CacheItemPolicy());
- }
-
- return whiteList;
- }
-
- ///
- /// Removes all tags from a html string that aren't in the whitelist.
- ///
- /// Html Content which need to sanitze.
- /// Html text after sanitize.
- public string SanitizeHtml(string htmlText)
- {
- if (string.IsNullOrEmpty(htmlText))
- return "";
-
- var parserOptions = new HtmlParserOptions()
- {
- IsStrictMode = false
- };
- var parser = new HtmlParser(parserOptions);
- IHtmlDocument document = parser.Parse(htmlText);
-
- // Create Html document
- HtmlDocument html = new HtmlDocument();
- html.OptionFixNestedTags = true;
- html.OptionAutoCloseOnEnd = true;
- html.OptionDefaultStreamEncoding = Encoding.UTF8;
- html.LoadHtml(htmlText);
-
- HtmlNode allNodes = html.DocumentNode;
-
- if (UseWhiteList)
- {
- CleanNoneWhiteListedAttributes(allNodes);
- }
- else
- {
- CleanAllTagAttributes(allNodes);
- }
-
- return allNodes.InnerHtml;
- }
-
- private void CleanAllTagAttributes(HtmlNode allNodes)
- {
- IEnumerable nodes = allNodes.DescendantsAndSelf();
-
- foreach (HtmlNode node in nodes)
- {
- if (!node.HasAttributes) continue;
-
- // Get all the allowed attributes for this tag
- HapHtmlAttribute[] attributes = node.Attributes.ToArray();
- foreach (HapHtmlAttribute attribute in attributes)
- {
- CleanAttributeValues(attribute);
- }
- }
- }
-
- private void CleanNoneWhiteListedAttributes(HtmlNode allNodes)
- {
- string[] tagNames = GetCachedWhiteList().ElementWhiteList.Select(x => x.Name).ToArray();
- CleanNodes(allNodes, tagNames);
-
- // Filter the attributes of the remaining
- foreach (HtmlElement whiteListTag in GetCachedWhiteList().ElementWhiteList)
- {
- IEnumerable nodes = (from n in allNodes.DescendantsAndSelf()
- where n.Name == whiteListTag.Name
- select n);
-
- if (nodes == null)
- continue;
-
- foreach (HtmlNode node in nodes)
- {
- if (!node.HasAttributes) continue;
-
- // Get all the allowed attributes for this tag
- HapHtmlAttribute[] attributes = node.Attributes.ToArray();
- foreach (HapHtmlAttribute attribute in attributes)
- {
- if (!whiteListTag.ContainsAttribute(attribute.Name))
- {
- attribute.Remove(); // Wasn't in the list
- }
- else
- {
- CleanAttributeValues(attribute);
- }
- }
- }
- }
- }
-
- ///
- /// This removes the current node tags and its child nodes if these are not in whitelist.
- ///
- ///
- ///
- private void CleanNodes(HtmlNode node, string[] tagWhiteList)
- {
- // remove node that is not in the whitelist.
- if (node.NodeType == HtmlNodeType.Element)
- {
- if (!tagWhiteList.Contains(node.Name))
- {
- node.ParentNode.RemoveChild(node);
- return; // We're done
- }
- }
-
- // remove nested nodes those are not in the whitelist.
- if (node.HasChildNodes)
- CleanChildren(node, tagWhiteList);
- }
-
- ///
- /// Apply CleanNodes to each of the child nodes
- ///
- private void CleanChildren(HtmlNode parent, string[] tagWhiteList)
- {
- for (int i = parent.ChildNodes.Count - 1; i >= 0; i--)
- CleanNodes(parent.ChildNodes[i], tagWhiteList);
- }
-
- ///
- /// This removes the vulnerable keywords and make values safe by html encoding and html character escaping.
- ///
- /// Attribute that contain values that need to check and clean.
- private void CleanAttributeValues(HapHtmlAttribute attribute)
- {
- if (CleanAttributes)
- {
- attribute.Value = HttpUtility.HtmlEncode(attribute.Value);
-
- attribute.Value = Regex.Replace(attribute.Value, @"\s*j\s*a\s*v\s*a\s*s\s*c\s*r\s*i\s*p\s*t\s*", "", RegexOptions.IgnoreCase);
- attribute.Value = Regex.Replace(attribute.Value, @"\s*s\s*c\s*r\s*i\s*p\s*t\s*", "", RegexOptions.IgnoreCase);
-
- if (attribute.Name.ToLower() == "style")
- {
- attribute.Value = Regex.Replace(attribute.Value, @"\s*e\s*x\s*p\s*r\s*e\s*s\s*s\s*i\s*o\s*n\s*", "", RegexOptions.IgnoreCase);
- attribute.Value = Regex.Replace(attribute.Value, @"\s*b\s*e\s*h\s*a\s*v\s*i\s*o\s*r\s*", "", RegexOptions.IgnoreCase);
- }
-
- if (attribute.Name.ToLower() == "href" || attribute.Name.ToLower() == "src")
- {
- attribute.Value = Regex.Replace(attribute.Value, @"\s*m\s*o\s*c\s*h\s*a\s*", "", RegexOptions.IgnoreCase);
- }
- }
-
- // HtmlEntity Escape
- if (EncodeHtmlEntities)
- {
- // Ensure no double encoding goes on - reverse the ones done by the CreoleParser
- string value = attribute.Value;
- value = value.Replace("2", "\"");
- value = value.Replace("<", "<");
- value = value.Replace(">", ">");
- value = value.Replace("&", "&");
- value = value.Replace("'", "'");
- attribute.Value = value;
-
- StringBuilder sbAttributeValue = new StringBuilder();
- foreach (char c in attribute.Value.ToCharArray())
- {
- sbAttributeValue.Append(EncodeCharacterToHtmlEntityEscape(c));
- }
-
- attribute.Value = sbAttributeValue.ToString();
- }
- }
-
- ///
- /// To encode html attribute characters to hex format except alphanumeric characters.
- ///
- /// Character from the attribute value
- /// Hex formatted string.
- private string EncodeCharacterToHtmlEntityEscape(char c)
- {
- string hex;
- // check for alphanumeric characters
- if (c < 0xFF)
- {
- hex = _encodedCharacters[c];
- if (hex == null)
- return "" + c;
- }
- else
- hex = ((int)(c)).ToString("X2");
-
- // check for illegal characters
- if ((c <= 0x1f && c != '\t' && c != '\n' && c != '\r') || (c >= 0x7f && c <= 0x9f))
- {
- hex = "fffd"; // Let's entity encode this instead of returning it
- }
-
- return "" + hex + ";";
- }
- }
-}
diff --git a/src/Roadkill.Core/packages.config b/src/Roadkill.Core/packages.config
index 066b889e0..01a06c1b1 100644
--- a/src/Roadkill.Core/packages.config
+++ b/src/Roadkill.Core/packages.config
@@ -1,12 +1,13 @@
-
+
+
diff --git a/src/Roadkill.Plugins/Roadkill.Plugins.csproj b/src/Roadkill.Plugins/Roadkill.Plugins.csproj
index 72bb70ddf..3eab60a56 100644
--- a/src/Roadkill.Plugins/Roadkill.Plugins.csproj
+++ b/src/Roadkill.Plugins/Roadkill.Plugins.csproj
@@ -31,8 +31,8 @@
4
-
- ..\..\packages\AngleSharp.0.9.8.1\lib\net45\AngleSharp.dll
+
+ ..\..\packages\AngleSharp.0.9.7\lib\net45\AngleSharp.dll
True
diff --git a/src/Roadkill.Plugins/packages.config b/src/Roadkill.Plugins/packages.config
index 5530f7493..8055c2a32 100644
--- a/src/Roadkill.Plugins/packages.config
+++ b/src/Roadkill.Plugins/packages.config
@@ -1,6 +1,6 @@
-
+
diff --git a/src/Roadkill.Tests/Roadkill.Tests.csproj b/src/Roadkill.Tests/Roadkill.Tests.csproj
index 49c2ff0b2..b1f7a13fb 100644
--- a/src/Roadkill.Tests/Roadkill.Tests.csproj
+++ b/src/Roadkill.Tests/Roadkill.Tests.csproj
@@ -439,7 +439,6 @@
-
diff --git a/src/Roadkill.Tests/Unit/Text/MarkupConverterTests.cs b/src/Roadkill.Tests/Unit/Text/MarkupConverterTests.cs
index ebd2714bc..bc4c2b860 100644
--- a/src/Roadkill.Tests/Unit/Text/MarkupConverterTests.cs
+++ b/src/Roadkill.Tests/Unit/Text/MarkupConverterTests.cs
@@ -138,7 +138,7 @@ public void links_starting_with_https_or_hash_are_not_rewritten_as_internal()
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "hello world google \n
";
+ string expectedHtml = "hello world google \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[#myanchortag|hello world]] [[https://www.google.com|google]]");
@@ -154,7 +154,7 @@ public void links_with_dashes_or_23_are_rewritten_and_not_parsed_as_encoded_hash
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "hello world google \n
";
+ string expectedHtml = "hello world google \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[#myanchortag|hello world]] [[https://www.google.com/some-page-23|google]]");
@@ -170,7 +170,7 @@ public void links_to_named_anchors_should_not_have_external_css_class()
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "hello world \n
";
+ string expectedHtml = "hello world \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[#myanchortag|hello world]]");
@@ -186,7 +186,7 @@ public void links_starting_with_tilde_should_resolve_as_attachment_paths()
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "hello world \n
";
+ string expectedHtml = "hello world \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[~/my/folder/image1.jpg|hello world]]");
@@ -204,7 +204,7 @@ public void external_links_with_anchor_tag_should_retain_the_anchor()
_pageRepository.AddNewPage(new Page() { Id = 1, Title = "foo" }, "foo", "admin", DateTime.Today);
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "Some link text \n
";
+ string expectedHtml = "Some link text \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[http://www.google.com/?blah=xyz#myanchor|Some link text]]");
@@ -221,7 +221,7 @@ public void internal_wiki_page_link_should_not_have_nofollow_attribute()
_pageRepository.AddNewPage(new Page() { Id = 1, Title = "foo-page" }, "foo", "admin", DateTime.Today);
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "Some link text \n
";
+ string expectedHtml = "Some link text \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[foo-page|Some link text]]");
@@ -237,7 +237,7 @@ public void attachment_link_should_not_have_nofollow_attribute()
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "Some link text Some link text \n
";
+ string expectedHtml = "Some link text Some link text \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[~/folder/myfile.jpg|Some link text]] [[attachment:/folder2/myfile.jpg|Some link text]]");
@@ -253,7 +253,7 @@ public void specialurl_link_should_not_have_nofollow_attribute()
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "Some link text \n
";
+ string expectedHtml = "Some link text \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[Special:Random|Some link text]]");
@@ -271,7 +271,7 @@ public void internal_links_with_anchor_tag_should_retain_the_anchor()
_pageRepository.AddNewPage(new Page() { Id = 1, Title = "foo" }, "foo", "admin", DateTime.Today);
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "Some link text \n
"; // use /index/ as no routing exists
+ string expectedHtml = "Some link text \n
"; // use /index/ as no routing exists
// Act
string actualHtml = _markupConverter.ToHtml("[[foo#myanchor|Some link text]]");
@@ -289,7 +289,7 @@ public void internal_links_with_urlencoded_anchor_tag_should_retain_the_anchor()
_pageRepository.AddNewPage(new Page() { Id = 1, Title = "foo" }, "foo", "admin", DateTime.Today);
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "Some link text \n
";
+ string expectedHtml = "Some link text \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[foo%23myanchor|Some link text]]");
@@ -307,7 +307,7 @@ public void internal_links_with_anchor_tag_should_retain_the_anchor_with_markdow
_pageRepository.AddNewPage(new Page() { Id = 1, Title = "foo" }, "foo", "admin", DateTime.Today);
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "Some link text
\n"; // use /index/ as no routing exists
+ string expectedHtml = "Some link text
\n"; // use /index/ as no routing exists
// Act
string actualHtml = _markupConverter.ToHtml("[Some link text](foo#myanchor)");
@@ -324,7 +324,7 @@ public void links_with_the_word_script_in_url_should_not_be_cleaned()
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "ComponentModel.Description \n
";
+ string expectedHtml = "ComponentModel.Description \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[http://msdn.microsoft.com/en-us/library/system.componentmodel.descriptionattribute.aspx|ComponentModel.Description]]");
@@ -341,7 +341,7 @@ public void links_with_angle_brackets_and_quotes_should_be_encoded()
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "ComponentModel \n
";
+ string expectedHtml = "ComponentModel \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[http://www.google.com/\">javascript:alert('hello')|ComponentModel]]");
@@ -358,7 +358,7 @@ public void links_starting_with_attachmentcolon_should_resolve_as_attachment_pat
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "hello world \n
";
+ string expectedHtml = "hello world \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[attachment:/my/folder/image1.jpg|hello world]]");
@@ -374,7 +374,7 @@ public void links_starting_with_specialcolon_should_resolve_as_full_specialpage(
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "My special page \n
";
+ string expectedHtml = "My special page \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[Special:Foo|My special page]]");
@@ -390,7 +390,7 @@ public void links_starting_with_http_www_mailto_tag_are_no_rewritten_as_internal
_settingsRepository.SiteSettings.MarkupType = "Creole";
_markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
- string expectedHtml = "link1 link2 spam \n
";
+ string expectedHtml = "link1 link2 spam \n
";
// Act
string actualHtml = _markupConverter.ToHtml("[[http://www.blah.com|link1]] [[www.blah.com|link2]] [[mailto:spam@gmail.com|spam]]");
@@ -427,14 +427,14 @@ public void should_not_render_toc_with_multiple_curlies()
_markupConverter.UrlResolver = new UrlResolverMock();
string htmlFragment = "Give me a {{TOC}} and a {{{TOC}}} - the should not render a TOC";
- string expected = @"Give me a
and a TOC - the should not render a TOC"
- + "\n
";
+ string expected = @"Give me a
and a TOC - the should not render a TOC"
+ + "\n
";
// Act
string actualHtml = _markupConverter.ToHtml(htmlFragment);
// Assert
- Assert.That(actualHtml, Is.EqualTo(expected));
+ Assert.That(actualHtml, Is.EqualTo(expected), actualHtml);
}
[Test]
@@ -451,12 +451,14 @@ public void warningbox_token_with_nowiki_adds_pre_and_renders_token_html()
expectedHtml = expectedHtml.Replace("\r\n", "\n"); // fix line ending issues
// Act
+ ;
string actualHtml = _markupConverter.ToHtml(@"@@warningbox:ENTER YOUR CONTENT HERE
-{{{
-here is my C#code
-}}}
+
+ here is my C#code
+
@@");
+ Console.WriteLine(actualHtml);
// Assert
Assert.That(actualHtml, Is.EqualTo(expectedHtml), actualHtml);
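Review bot: A stray empty statement `;` on the line after `// Act` and a `Console.WriteLine(actualHtml);` debug call were left in `warningbox_token_with_nowiki_adds_pre_and_renders_token_html`; both should be removed, since the assertion already passes `actualHtml` as its failure message. The input to `ToHtml` was also changed from a `{{{ ... }}}` block to indented lines, which no longer obviously matches the "nowiki" in the test name; if the indented form is what the new sanitizer path needs, a one-line comment on the input saying why would save the next reader a trip through the parser. The test method's body starts outside the hunk.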
@@ -540,6 +542,22 @@ public void should_fire_afterparse_in_textplugin_and_output_should_not_be_cleane
Assert.That(actualHtml, Is.EqualTo(expectedHtml));
}
+ [Test]
+ public void should_allow_style_tags()
+ {
+ // Arrange
+ _settingsRepository.SiteSettings.MarkupType = "Markdown";
+ _markupConverter = new MarkupConverter(_applicationSettings, _settingsRepository, _pageRepository, _pluginFactory);
+
+ string expectedHtml = "";
+
+ // Act
+ string actualHtml = _markupConverter.ToHtml(" ");
+
+ // Assert
+ Assert.That(actualHtml, Is.EqualTo(expectedHtml));
+ }
+
// TODO:
// ContainsPageLink -
// ReplacePageLinks - Refactor into seperate class
diff --git a/src/Roadkill.Tests/Unit/Text/MarkupSanitizerTests.cs b/src/Roadkill.Tests/Unit/Text/MarkupSanitizerTests.cs
deleted file mode 100644
index 7b87435fb..000000000
--- a/src/Roadkill.Tests/Unit/Text/MarkupSanitizerTests.cs
+++ /dev/null
@@ -1,2346 +0,0 @@
-// To create unit tests in this class reference is taken from
-// https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.232_-_Attribute_Escape_Before_Inserting_Untrusted_Data_into_HTML_Common_Attributes
-// and http://ha.ckers.org/xss.html
-
-using System;
-using System.Collections.Generic;
-using System.IO;
-using System.Xml.Serialization;
-using NUnit.Framework;
-using Roadkill.Core.Configuration;
-using Roadkill.Core.Text.Sanitizer;
-
-namespace Roadkill.Tests.Unit.Text
-{
- [TestFixture]
- [Category("Unit")]
- public class MarkupSanitizerTests
- {
- private ApplicationSettings _settings;
-
- [SetUp]
- public void Setup()
- {
- _settings = new ApplicationSettings();
- _settings.UseHtmlWhiteList = true;
- }
-
- [Test]
- [Ignore("This was use to generate the initial Whitelist XML file and isn't a test")]
- public void GenerateTestXmlFile()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- using (FileStream stream = new FileStream("test.xml", FileMode.Create, FileAccess.Write))
- {
- //XmlSerializer serializer = new XmlSerializer(typeof(HtmlWhiteList));
- //serializer.Serialize(stream, MarkupSanitizer._htmlWhiteList);
-
- XmlSerializer serializer = new XmlSerializer(typeof(HtmlWhiteList));
-
- List list = new List();
- list.Add(new HtmlElement("blah", new string[] { "id", "class" }));
- list.Add(new HtmlElement("test", new string[] { "href" }));
-
- HtmlWhiteList whiteList = new HtmlWhiteList();
- whiteList.ElementWhiteList = list;
-
- serializer.Serialize(stream, whiteList);
- }
- }
-
- [Test]
- public void shoulddeserializewhitelistfromexistingxmlfile()
- {
- // Arrange
- string whitelistFile = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "Unit", "Text", "whitelist.xml");
- ApplicationSettings settings = new ApplicationSettings();
- settings.HtmlElementWhiteListPath = whitelistFile;
-
- string htmlFragment = "link somediv test ";
-
- // Act
- MarkupSanitizer sanitizer = new MarkupSanitizer(settings);
- sanitizer.SetWhiteListCacheKey("ShouldDeserializeWhiteListFromExistingXmlFile");
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "link somediv ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- [Test]
- public void shoulddeserializewhitelistfromgeneratedxmlfile()
- {
- // Arrange
- string whitelistFile = Path.Combine(AppDomain.CurrentDomain.BaseDirectory, "whitelistgenerated.xml");
- ApplicationSettings settings = new ApplicationSettings();
- settings.HtmlElementWhiteListPath = whitelistFile;
-
- using (FileStream stream = new FileStream(whitelistFile, FileMode.Create, FileAccess.Write))
- {
- XmlSerializer serializer = new XmlSerializer(typeof(HtmlWhiteList));
-
- List list = new List();
- list.Add(new HtmlElement("blah", new string[] { "id", "class" }));
- list.Add(new HtmlElement("test", new string[] { "href" }));
-
- HtmlWhiteList whiteList = new HtmlWhiteList();
- whiteList.ElementWhiteList = list;
-
- serializer.Serialize(stream, whiteList);
- }
-
- string htmlFragment = "link somediv test ";
-
- // Act
- MarkupSanitizer sanitizer = new MarkupSanitizer(settings);
- sanitizer.SetWhiteListCacheKey("ShouldDeserializeWhiteListFromGeneratedXmlFile");
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "link somediv ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Xss locator
- /// Example
- ///
- [Test]
- public void xsslocatortest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "=&{()}\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector
- /// Example
- ///
- [Test]
- public void imagexss1test()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Action
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector without quotes and semicolon.
- /// Example
- ///
- [Test]
- public void imagexss2test()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image xss vector with case insensitive.
- /// Example
- ///
- [Test]
- public void imagecaseinsensitivexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Html entities
- /// Example
- ///
- [Test]
- public void imagehtmlentitiesxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with grave accent
- /// Example
- ///
- [Test]
- public void imagegraveaccentxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with malformed
- /// Example
- ///
- [Test]
- public void imagemalformedxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " \">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " \">";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with ImageFromCharCode
- /// Example
- ///
- [Test]
- public void imagefromcharcodexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with UTF-8 Unicode
- /// Example
- ///
- [Test]
- public void imageutf8unicodexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Long UTF-8 Unicode
- /// Example
- ///
- [Test]
- public void imagelongutf8unicodexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Hex encoding without semicolon
- /// Example
- ///
- [Test]
- public void imagehexencodexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with embedded tab
- /// Example
- ///
- [Test]
- public void imageembeddedtabxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with embedded encoded tab
- /// Example
- ///
- [Test]
- public void imageembeddedencodedtabxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with embedded new line
- /// Example
- ///
- [Test]
- public void imageembeddednewlinexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with embedded carriage return
- /// Example
- ///
- [Test]
- public void imageembeddedcarriagereturnxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Multiline using ASCII carriage return
- /// Example
- ///
- [Test]
- public void imagemultilineinjectedxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = @"
-";
-
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " \r\n";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Null breaks up Javascript directive
- /// Example
- ///
- [Test]
- public void imagenullbreaksupxsstest1()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "perl -e 'print \" \";' > out";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "perl -e 'print \" \";' > out";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Null breaks up cross site scripting vector
- /// Example
- ///
- [Test]
- public void imagenullbreaksupxsstest2()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "alert(\"XSS\")\";' > out \">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "\";' > out \">";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with spaces and Meta characters
- /// Example
- ///
- [Test]
- public void imagespaceandmetacharxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with half open html
- /// Example
- ///
- [Test]
- public void imagehalfopenhtmlxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
- /// A test for Image Xss vector with double open angle bracket
- /// Example
- ///
- [Test]
- public void imagedoubleopenanglebracketxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
- /// A test for Dic Xss vector with Javascript escaping
- /// Example
- ///
- [Test]
- public void divjavascriptescapingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with input image
- /// Example
- ///
- [Test]
- public void imageinputxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Dynsrc
- /// Example
- ///
- [Test]
- public void imagedynsrcxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Xss vector with Lowsrc
- /// Example
- ///
- [Test]
- public void imagelowsrcxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Xss vector with BGSound
- /// Example
- ///
- [Test]
- public void bgsoundxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for BR with Javascript Include
- /// Example
- ///
- [Test]
- public void brjavascriptincludexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for P with url in style
- /// Example
- ///
- [Test]
- public void pwithurlinstylexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- // intentionally keep it failing to get notice when reviewing unit tests so can disucss
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image with vbscript
- /// Example
- ///
- [Test]
- public void imagewithvbscriptxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image with Mocha
- /// Example
- ///
- [Test]
- public void imagewithmochaxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image with Livescript
- /// Example
- ///
- [Test]
- public void imagewithlivescriptxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Iframe
- /// Example
- ///
- [Test]
- public void iframexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Frame
- /// Example
- ///
- [Test]
- public void framexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Table
- /// Example
- ///
- [Test]
- public void tablexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for TD
- /// Example
- ///
- [Test]
- public void tdxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div Background Image
- /// Example
- ///
- [Test]
- public void divbackgroundimagexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div Background Image with unicoded XSS
- /// Example
- ///
- [Test]
- public void divbackgroundimagewithunicodedxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div Background Image with extra characters
- /// Example
- ///
- [Test]
- public void divbackgroundimagewithextracharactersxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for DIV expression
- /// Example
- ///
- [Test]
- public void divexpressionxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image with break up expression
- /// Example
- ///
- [Test]
- public void imagestyleexpressionxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with break up expression
- /// Example
- ///
- [Test]
- public void anchortagstyleexpressionxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "exp/*
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "exp/* ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for BaseTag
- /// Example
- ///
- [Test]
- public void basetagxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for EMBEDTag
- /// Example
- ///
- [Test]
- public void embedtagxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for EMBEDSVG
- /// Example
- ///
- [Test]
- public void embedsvgxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for XML namespace
- /// Example
- ///
- [Test]
- public void xmlnamespacexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for XML with CData
- /// Example
- ///
- [Test]
- public void xmlwithcdataxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
]]> ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for XML with Comment obfuscation
- /// Example cript:alert('XSS')"> -->
- ///
- [Test]
- public void xmlwithcommentobfuscationxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
<IMG SRC=\"javascript:alert('XSS')\"> ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for XML with Embedded script
- /// Example
- ///
- [Test]
- public void xmlwithembeddedscriptxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Html + Time
- /// Example
- ///
- [Test]
- public void htmlplustimexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Embedded commands
- /// Example
- ///
- [Test]
- public void imagewithembeddedcommandxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Image Embedded commands part 2
- /// Example
- ///
- [Test]
- public void imagewithembeddedcommand2xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = " ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = " ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag IP verses hostname
- /// Example
- ///
- [Test]
- public void anchortagipverseshostnamexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Url encoding
- /// Example
- ///
- [Test]
- public void anchortagurlencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Dword encoding
- /// Example
- ///
- [Test]
- public void anchortagdwordencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Hex encoding
- /// Example
- ///
- [Test]
- public void anchortaghexencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Octal encoding
- /// Example
- ///
- [Test]
- public void anchortagoctalencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Mixed encoding
- /// Example
- ///
- [Test]
- public void anchortagmixedencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = @"XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Protocol resolution
- /// Example
- ///
- [Test]
- public void anchortagprotocolresolutionxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Google feeling lucky part1
- /// Example
- ///
- [Test]
- public void anchortaggooglefeelinglucky1xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Google feeling lucky part2
- /// Example
- ///
- [Test]
- public void anchortaggooglefeelinglucky2xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Google feeling lucky part3
- /// Example
- ///
- [Test]
- public void anchortaggooglefeelinglucky3xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with removing cnames
- /// Example
- ///
- [Test]
- public void anchortagremovingcnamesxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with extra dot for absolute dns
- /// Example
- ///
- [Test]
- public void anchortagabsolutednsxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with javascript link location
- /// Example
- ///
- [Test]
- public void anchortagjavascriptlinklocationxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with content replace
- /// Example
- ///
- [Test]
- public void anchortagcontentreplacexsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with no filter evasion
- /// Example
- ///
- [Test]
- public void anchortagnofilterevasionxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with no filter evasion
- /// Example
- ///
- [Test]
- public void divnofilterevasionxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and no filter evasion
- /// Example
- ///
- [Test]
- public void divstyleexpressionnofilterevasionxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with non alpha non digit xss
- /// Example
- ///
- [Test]
- public void anchortagnonalphanondigitxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with non alpha non digit xss
- /// Example
- ///
- [Test]
- public void divnonalphanondigitxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and non alpha non digit xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionnonalphanondigitxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with non alpha non digit part 3 xss
- /// Example
- ///
- [Test]
- public void anchortagnonalphanondigit3xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with non alpha non digit part 3 xss
- /// Example
- ///
- [Test]
- public void divnonalphanondigit3xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and non alpha non digit part 3 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionnonalphanondigit3xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Extraneous open brackets xss
- /// Example
- ///
- [Test]
- public void anchortagextraneousopenbracketsxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
alert(\"XSS\");//<\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">XSS";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Extraneous open brackets xss
- /// Example
- ///
- [Test]
- public void divextraneousopenbracketsxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
alert(\"XSS\");//<\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Extraneous open brackets xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionextraneousopenbracketsxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
alert(\"XSS\");//<)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
)\">";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with No closing script tags xss
- /// Example
- ///
- [Test]
- public void anchortagnoclosingscripttagsxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with No closing script tags xss
- /// Example
- ///
- [Test]
- public void divnoclosingscripttagsxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and No closing script tags xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionnoclosingscripttagsxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Protocol resolution in script tags xss
- /// Example
- ///
- [Test]
- public void anchortagprotocolresolutionscriptxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Protocol resolution in script tags xss
- /// Example
- ///
- [Test]
- public void divprotocolresolutionscriptxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Protocol resolution in script tags xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionprotocolresolutionscriptxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with no single quotes or double quotes or semicolons xss
- /// Example
- ///
- [Test]
- public void anchortagnoquotesxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
a=/XSS/alert(a.source)\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with no single quotes or double quotes or semicolons xss
- /// Example
- ///
- [Test]
- public void divnoquotesxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
a=/XSS/alert(a.source)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and no single quotes or double quotes or semicolons xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionnoquotesxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
a=/XSS/alert(a.source))\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with US-ASCII encoding xss
- /// Example
- ///
- [Test]
- public void anchortagusasciiencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with US-ASCII encoding xss
- /// Example
- ///
- [Test]
- public void divusasciiencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and US-ASCII encoding xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionusasciiencodingxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Downlevel-Hidden block xss
- /// Example ">XSS -->
- ///
- [Test]
- public void anchortagdownlevelhiddenblockxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Downlevel-Hidden block xss
- /// Example "> -->
- ///
- [Test]
- public void divdownlevelhiddenblockxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Downlevel-Hidden block xss
- /// Example )"> -->
- ///
- [Test]
- public void divstyleexpressiondownlevelhiddenblockxsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Html Quotes Encapsulation 1 xss
- /// Example
- ///
- [Test]
- public void anchortaghtmlquotesencapsulation1xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Html Quotes Encapsulation 1 xss
- /// Example
- ///
- [Test]
- public void divhtmlquotesencapsulation1xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Html Quotes Encapsulation 1 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionhtmlquotesencapsulation1xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" SRC=\"http://ha.ckers.org/xss.js\">)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" SRC=\"http://ha.ckers.org/xss.js\">)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Html Quotes Encapsulation 2 xss
- /// Example
- ///
- [Test]
- public void anchortaghtmlquotesencapsulation2xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Html Quotes Encapsulation 2 xss
- /// Example
- ///
- [Test]
- public void divhtmlquotesencapsulation2xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" SRC=\"http://ha.ckers.org/xss.js\">\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Html Quotes Encapsulation 2 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionhtmlquotesencapsulation2xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" SRC=\"http://ha.ckers.org/xss.js\">)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" SRC=\"http://ha.ckers.org/xss.js\">)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Html Quotes Encapsulation 3 xss
- /// Example
- ///
- [Test]
- public void anchortaghtmlquotesencapsulation3xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" '' SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" '' SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Html Quotes Encapsulation 3 xss
- /// Example
- ///
- [Test]
- public void divhtmlquotesencapsulation3xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" '' SRC=\"http://ha.ckers.org/xss.js\">\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" '' SRC=\"http://ha.ckers.org/xss.js\">\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Html Quotes Encapsulation 3 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionhtmlquotesencapsulation3xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
\" '' SRC=\"http://ha.ckers.org/xss.js\">)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\" '' SRC=\"http://ha.ckers.org/xss.js\">)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Html Quotes Encapsulation 4 xss
- /// Example
- ///
- [Test]
- public void anchortaghtmlquotesencapsulation4xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
'\" SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Html Quotes Encapsulation 4 xss
- /// Example
- ///
- [Test]
- public void divhtmlquotesencapsulation4xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
'\" SRC=\"http://ha.ckers.org/xss.js\">\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Html Quotes Encapsulation 4 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionhtmlquotesencapsulation4xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
'\" SRC=\"http://ha.ckers.org/xss.js\">)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Html Quotes Encapsulation 5 xss
- /// Example
- ///
- [Test]
- public void anchortaghtmlquotesencapsulation5xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
` SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Html Quotes Encapsulation 5 xss
- /// Example
- ///
- [Test]
- public void divhtmlquotesencapsulation5xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
` SRC=\"http://ha.ckers.org/xss.js\">\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Html Quotes Encapsulation 5 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionhtmlquotesencapsulation5xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
` SRC=\"http://ha.ckers.org/xss.js\">)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Html Quotes Encapsulation 6 xss
- /// Example
- ///
- [Test]
- public void anchortaghtmlquotesencapsulation6xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
'>\" SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
'>\" SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Html Quotes Encapsulation 6 xss
- /// Example
- ///
- [Test]
- public void divhtmlquotesencapsulation6xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
'>\" SRC=\"http://ha.ckers.org/xss.js\">\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
'>\" SRC=\"http://ha.ckers.org/xss.js\">\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Html Quotes Encapsulation 6 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionhtmlquotesencapsulation6xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
'>\" SRC=\"http://ha.ckers.org/xss.js\">)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
'>\" SRC=\"http://ha.ckers.org/xss.js\">)\">
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for AnchorTag with Html Quotes Encapsulation 7 xss
- /// Example
- ///
- [Test]
- public void anchortaghtmlquotesencapsulation7xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
document.write(\"PT SRC=\"http://ha.ckers.org/xss.js\">\">XSS ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
PT SRC=\"http://ha.ckers.org/xss.js\">\">XSS";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with Html Quotes Encapsulation 7 xss
- /// Example
- ///
- [Test]
- public void divhtmlquotesencapsulation7xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
document.write(\"
PT SRC=\"http://ha.ckers.org/xss.js\">\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
PT SRC=\"http://ha.ckers.org/xss.js\">\">";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- ///
- /// A test for Div with style expression and Html Quotes Encapsulation 7 xss
- /// Example
- ///
- [Test]
- public void divstyleexpressionhtmlquotesencapsulation7xsstest()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "document.write(\"
PT SRC=\"http://ha.ckers.org/xss.js\">)\">";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
PT SRC=\"http://ha.ckers.org/xss.js\">)\">";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- [Test]
- public void htmlencode()
- {
- // Arrange
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
- }
-
- [Test(Description="To be fixed post 1.6")]
- [Ignore]
- public void UrlWithScriptInHref()
- {
- // Arrange
- //issue #159
- MarkupSanitizer sanitizer = new MarkupSanitizer(_settings);
-
- // Act
- string htmlFragment = "
ComponentModel.Description ";
- string actual = sanitizer.SanitizeHtml(htmlFragment);
-
- // Assert
- string expected = "
ComponentModel.Description ";
- Assert.That(actual, Is.EqualTo(expected).IgnoreCase, actual);
- }
- }
-}
diff --git a/src/Roadkill.Web/Assets/Scripts/roadkill.js b/src/Roadkill.Web/Assets/Scripts/roadkill.js
index 4e723724e..9af3f6d3f 100644
--- a/src/Roadkill.Web/Assets/Scripts/roadkill.js
+++ b/src/Roadkill.Web/Assets/Scripts/roadkill.js
@@ -28426,7 +28426,7 @@ var Roadkill;
$(selector).modal("hide");
};
return Dialogs;
- })();
+ }());
Web.Dialogs = Dialogs;
})(Web = Roadkill.Web || (Roadkill.Web = {}));
})(Roadkill || (Roadkill = {}));
@@ -28513,7 +28513,7 @@ var Roadkill;
});
};
return Setup;
- })();
+ }());
Web.Setup = Setup;
})(Web = Roadkill.Web || (Roadkill.Web = {}));
})(Roadkill || (Roadkill = {}));
@@ -28559,7 +28559,7 @@ var Roadkill;
});
};
return Validation;
- })();
+ }());
Web.Validation = Validation;
})(Web = Roadkill.Web || (Roadkill.Web = {}));
})(Roadkill || (Roadkill = {}));
@@ -28738,7 +28738,7 @@ var Roadkill;
});
};
return EditPage;
- })();
+ }());
Web.EditPage = EditPage;
})(Web = Roadkill.Web || (Roadkill.Web = {}));
})(Roadkill || (Roadkill = {}));
@@ -28895,7 +28895,7 @@ var Roadkill;
}
};
return WysiwygEditor;
- })();
+ }());
Web.WysiwygEditor = WysiwygEditor;
})(Web = Roadkill.Web || (Roadkill.Web = {}));
})(Roadkill || (Roadkill = {}));
@@ -28953,7 +28953,7 @@ var Roadkill;
});
};
return AjaxRequest;
- })();
+ }());
FileManager.AjaxRequest = AjaxRequest;
})(FileManager = Web.FileManager || (Web.FileManager = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));
@@ -28997,7 +28997,7 @@ var Roadkill;
});
};
return BreadCrumbTrail;
- })();
+ }());
FileManager.BreadCrumbTrail = BreadCrumbTrail;
})(FileManager = Web.FileManager || (Web.FileManager = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));
@@ -29123,7 +29123,7 @@ var Roadkill;
$("tr#newfolderrow").remove();
};
return ButtonEvents;
- })();
+ }());
FileManager.ButtonEvents = ButtonEvents;
})(FileManager = Web.FileManager || (Web.FileManager = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));
@@ -29197,7 +29197,7 @@ var Roadkill;
return FileManager.Util.FormatString(html, fileModel.Name, fileModel.CreateDate, fileModel.Extension, fileModel.Size);
};
return HtmlBuilder;
- })();
+ }());
FileManager.HtmlBuilder = HtmlBuilder;
})(FileManager = Web.FileManager || (Web.FileManager = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));
@@ -29282,7 +29282,7 @@ var Roadkill;
});
};
return Setup;
- })();
+ }());
FileManager.Setup = Setup;
})(FileManager = Web.FileManager || (Web.FileManager = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));
@@ -29350,7 +29350,7 @@ var Roadkill;
ajaxRequest.getFolderInfo(path, success);
};
return TableEvents;
- })();
+ }());
FileManager.TableEvents = TableEvents;
})(FileManager = Web.FileManager || (Web.FileManager = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));
@@ -29382,7 +29382,7 @@ var Roadkill;
return result;
};
return Util;
- })();
+ }());
FileManager.Util = Util;
})(FileManager = Web.FileManager || (Web.FileManager = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));
@@ -29399,7 +29399,7 @@ var Roadkill;
function SettingsMessages() {
}
return SettingsMessages;
- })();
+ }());
Admin.SettingsMessages = SettingsMessages;
var Settings = (function () {
function Settings(messages) {
@@ -29503,7 +29503,7 @@ var Roadkill;
bootbox.alert("
" + title + "" + errorMessage + " ");
};
return Settings;
- })();
+ }());
Admin.Settings = Settings;
})(Admin = Web.Admin || (Web.Admin = {}));
})(Web = Roadkill.Web || (Roadkill.Web = {}));