From 24d3767520341c946b53caa1041a9fb7ff0c9497 Mon Sep 17 00:00:00 2001
From: Michael Ganss
Date: Thu, 11 Feb 2016 16:53:54 +0100
Subject: [PATCH] Force input HTML into body
---
 HtmlSanitizer.Tests/Tests.cs | 46 +++++++++++++++++++++++++++++++---
 HtmlSanitizer/HtmlSanitizer.cs | 2 +-
 2 files changed, 43 insertions(+), 5 deletions(-)
diff --git a/HtmlSanitizer.Tests/Tests.cs b/HtmlSanitizer.Tests/Tests.cs
index 4797e8d..34268ff 100644
--- a/HtmlSanitizer.Tests/Tests.cs
+++ b/HtmlSanitizer.Tests/Tests.cs
@@ -479,7 +479,7 @@ public void ImageHalfOpenHtmlXSSTest()
 string actual = sanitizer.Sanitize(htmlFragment);
 // Assert
- string expected = "";
+ string expected = "";
 Assert.That(actual, Is.EqualTo(expected).IgnoreCase);
 }
@@ -493,13 +493,12 @@ public void ImageDoubleOpenAngleBracketXSSTest()
 // Arrange
 var sanitizer = new HtmlSanitizer();
- // Act string htmlFragment = ""; Assert.That(actual, Is.EqualTo(expected).IgnoreCase); }
@@ -976,7 +975,7 @@ public void XmlNamespaceXSSTest()
 // Act
- string htmlFragment = " XSS";
+ string htmlFragment = "XSS";
 string actual = sanitizer.Sanitize(htmlFragment);
 // Assert
@@ -2449,6 +2448,45 @@ public void RemoveEventForNotAllowedUrlAtStyle()
 Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedUrlValue));
 }
+
+ [Test]
+ public void RemoveEventForNotAllowedTag_ScriptTag()
+ {
+ RemoveReason? actual = null;
+ var s = new HtmlSanitizer();
+ s.RemovingTag += (sender, args) =>
+ {
+ actual = args.Reason;
+ };
+ s.Sanitize("");
+ Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
+ }
+
+ [Test]
+ public void RemoveEventForNotAllowedTag_StyleTag()
+ {
+ RemoveReason? actual = null;
+ var s = new HtmlSanitizer();
+ s.RemovingTag += (sender, args) =>
+ {
+ actual = args.Reason;
+ };
+ s.Sanitize("");
+ Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
+ }
+
+ [Test]
+ public void RemoveEventForNotAllowedTag_ScriptTagAndSpan()
+ {
+ RemoveReason? actual = null;
+ var s = new HtmlSanitizer();
+ s.RemovingTag += (sender, args) =>
+ {
+ actual = args.Reason;
+ };
+ s.Sanitize("Hi");
+ Assert.That(actual, Is.EqualTo(RemoveReason.NotAllowedTag));
+ }
 }
 }
diff --git a/HtmlSanitizer/HtmlSanitizer.cs b/HtmlSanitizer/HtmlSanitizer.cs
index f675f1d..2bfe680 100644
--- a/HtmlSanitizer/HtmlSanitizer.cs
+++ b/HtmlSanitizer/HtmlSanitizer.cs
@@ -326,7 +326,7 @@ public string Sanitize(string html, string baseUrl = "", IMarkupFormatter output
 IsToleratingInvalidConstraints = true, IsToleratingInvalidValues = true }));
- var dom = parser.Parse(html);
+ var dom = parser.Parse("" + html + "");
 // remove non-whitelisted tags
 foreach (var tag in dom.Body.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
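Review bot: In each of the three new tests the RemovingTag handler overwrites `actual` on every event, so when a fragment removes more than one element (which the ScriptTagAndSpan case appears designed to provoke) the assertion only checks the reason of the last removal. Collecting every reason makes the intent explicit: `var reasons = new List<RemoveReason>();` with `s.RemovingTag += (sender, args) => reasons.Add(args.Reason);` and `Assert.That(reasons, Is.Not.Empty.And.All.EqualTo(RemoveReason.NotAllowedTag));`. The three tests also duplicate their arrange/act code apart from the input string; an NUnit `[TestCase]` taking the fragment as a parameter would collapse them into one. The test input markup is not legible on this page, so which elements each fragment is expected to remove is inferred from the test names.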
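Review bot: The new `parser.Parse("" + html + "")` line turns a null `html` into an empty document instead of surfacing the caller's mistake, whereas `parser.Parse(html)` handed the null to the parser; if that is not intended, add `if (html == null) throw new ArgumentNullException(nameof(html));` at the top of Sanitize. The wrapping also deserves a why-comment, because nothing in the hunk says it exists so that script/style elements at the start of a fragment end up under `dom.Body` where the loop below can see them (inferred from the commit title and the new ScriptTag/StyleTag tests): `// Wrap the fragment in an explicit body so the parser cannot hoist leading script/style elements out of dom.Body, which is all the loop below inspects.` Anything the parser still keeps outside the body, such as attributes on the root html element, stays beyond the loop's reach, which is worth a test if the returned markup ever includes more than the body content. The wrapper string literals appear empty on this page, presumably lost in extraction. Sanitize begins and ends outside this hunk.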