Force input HTML into body

mganss · Feb 11, 2016 · 24d3767 · 24d3767
1 parent a36f4c8
commit 24d3767
Show file tree

Hide file tree

Showing 2 changed files with 43 additions and 5 deletions.
diff --git a/HtmlSanitizer.Tests/Tests.cs b/HtmlSanitizer.Tests/Tests.cs
@@ -479,7 +479,7 @@ public void ImageHalfOpenHtmlXSSTest()
             string actual = sanitizer.Sanitize(htmlFragment);
 
             // Assert
-            string expected = "";
+            string expected = "<img>";
             Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
         }
 
@@ -493,13 +493,12 @@ public void ImageDoubleOpenAngleBracketXSSTest()
             // Arrange
             var sanitizer = new HtmlSanitizer();
 
-
             // Act
             string htmlFragment = "<image src=http://ha.ckers.org/scriptlet.html <";
             string actual = sanitizer.Sanitize(htmlFragment);
 
             // Assert
-            string expected = "";
+            string expected = "<img src=\"http://ha.ckers.org/scriptlet.html\">";
             Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
         }
 
@@ -976,7 +975,7 @@ public void XmlNamespaceXSSTest()
 
 
             // Act
-            string htmlFragment = "<HTML xmlns:xss>  <?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\">  <xss:xss>XSS</xss:xss></HTML>";
+            string htmlFragment = "<HTML xmlns:xss><?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\"><xss:xss>XSS</xss:xss></HTML>";
             string actual = sanitizer.Sanitize(htmlFragment);
 
             // Assert
@@ -2449,6 +2448,45 @@ public void RemoveEventForNotAllowedUrlAtStyle()
 
             Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedUrlValue));
         }
+
+        [Test]
+        public void RemoveEventForNotAllowedTag_ScriptTag()
+        {
+            RemoveReason? actual = null;
+            var s = new HtmlSanitizer();
+            s.RemovingTag += (sender, args) =>
+            {
+                actual = args.Reason;
+            };
+            s.Sanitize("<script>alert('Hello world!')</script>");
+            Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
+        }
+
+        [Test]
+        public void RemoveEventForNotAllowedTag_StyleTag()
+        {
+            RemoveReason? actual = null;
+            var s = new HtmlSanitizer();
+            s.RemovingTag += (sender, args) =>
+            {
+                actual = args.Reason;
+            };
+            s.Sanitize("<style> body {background-color:lightgrey;}</style>");
+            Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
+        }
+
+        [Test]
+        public void RemoveEventForNotAllowedTag_ScriptTagAndSpan()
+        {
+            RemoveReason? actual = null;
+            var s = new HtmlSanitizer();
+            s.RemovingTag += (sender, args) =>
+            {
+                actual = args.Reason;
+            };
+            s.Sanitize("<span>Hi</span><script>alert('Hello world!')</script>");
+            Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
+        }
     }
 }
 

diff --git a/HtmlSanitizer/HtmlSanitizer.cs b/HtmlSanitizer/HtmlSanitizer.cs
@@ -326,7 +326,7 @@ public string Sanitize(string html, string baseUrl = "", IMarkupFormatter output
                 IsToleratingInvalidConstraints = true,
                 IsToleratingInvalidValues = true
             }));
-            var dom = parser.Parse(html);
+            var dom = parser.Parse("<body>" + html + "</body>");
 
             // remove non-whitelisted tags
             foreach (var tag in dom.Body.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())