Merge branch 'advisory-fix-1'
mganss committed Oct 4, 2023
2 parents 0b8b5d1 + 93cbca7 commit ab29319
Showing 2 changed files with 70 additions and 1 deletion.
14 changes: 14 additions & 0 deletions src/HtmlSanitizer/HtmlSanitizer.cs
Expand Up @@ -453,6 +453,10 @@ private void RemoveComments(INode context)
{
foreach (var comment in GetAllNodes(context).OfType<IComment>().ToList())
{
var escapedText = comment.TextContent.Replace("<", "&lt;").Replace(">", "&gt;");
if (escapedText != comment.TextContent)
comment.TextContent = escapedText;

var e = new RemovingCommentEventArgs(comment);
OnRemovingComment(e);

Expand All @@ -463,6 +467,16 @@ private void RemoveComments(INode context)

private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
{
// always encode text in raw data content
foreach (var tag in context.QuerySelectorAll("*").Where(t => t.Flags.HasFlag(NodeFlags.LiteralText) && !string.IsNullOrWhiteSpace(t.InnerHtml)))
{
var escapedHtml = tag.InnerHtml.Replace("<", "&lt;").Replace(">", "&gt;");
if (escapedHtml != tag.InnerHtml)
tag.InnerHtml = escapedHtml;
if (tag.InnerHtml != escapedHtml) // setting InnerHtml does not work for noscript
tag.SetInnerText(escapedHtml);
}

// remove disallowed tags
foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
{
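Review bot: `tag.InnerHtml` is a computed (serialized) property and the new loop in DoSanitize reads it up to four times per element — in the Where filter, in the Replace, and in both comparisons — so capturing it once, `var raw = tag.InnerHtml;`, before the Replace both avoids the repeated serialization and makes the two fallback checks read as intended. The `Replace("<", "&lt;").Replace(">", "&gt;")` chain is duplicated in the RemoveComments hunk above; a small private static helper such as `EscapeAngleBrackets(string)` would keep the two escapings in step if the set of characters ever changes. The comment `// always encode text in raw data content` states what but not why; suggest `// Raw-text elements (e.g. style, xmp) do not decode character references, so escaping '<' and '>' here deliberately alters such content (see StyleByPassTest) in exchange for guaranteeing that serializing and re-parsing the output cannot turn an embedded end tag into a real one.` DoSanitize's body continues past the end of this hunk.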
57 changes: 56 additions & 1 deletion test/HtmlSanitizer.Tests/Tests.cs
Expand Up @@ -3248,7 +3248,7 @@ public void StyleByPassTest()
var sanitized = sanitizer.Sanitize(html, "http://www.example.com");

// Assert
Assert.Equal("aaabc<style>x[x=\"\\3c/style>\\3cimg src onerror=alert(1)>\"] { }</style>", sanitized);
Assert.Equal("aaabc<style>x[x=\"\\3c/style&gt;\\3cimg src onerror=alert(1)&gt;\"] { }</style>", sanitized);
}

[Fact]
Expand Down Expand Up @@ -3497,4 +3497,59 @@ public void Number469Test()
var sanitized = sanitizer.Sanitize(html);
Assert.Equal(@"<div style=""height: 0; background-image: url(&quot;https://example.com/1.jpg&quot;), url(&quot;https://example.com/2.jpg&quot;), url(&quot;https://example.com/3.jpg&quot;); display: none""></div>", sanitized);
}

[Fact]
public void BypassTest()
{
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedTags.Add("svg");
sanitizer.AllowedTags.Add("title");
sanitizer.AllowedTags.Add("xmp");
var bypass = @"<svg></p><title><xmp></title><img src=x onerror=alert(1)></xmp></title>";
var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
var expected = @"<svg><p></p><title><xmp>&lt;/title&gt;&lt;img src=x onerror=alert(1)&gt;</xmp></title></svg>";
Assert.Equal(expected, sanitized);
}

[Fact]
public void Bypass2Test()
{
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedTags.Add("form");
sanitizer.AllowedTags.Add("math");
sanitizer.AllowedTags.Add("mtext");
sanitizer.AllowedTags.Add("mglyph");
sanitizer.AllowedTags.Add("xmp");
var bypass = @"<form><math><mtext></form><form><mglyph><xmp></math><img src onerror=alert(1)>";
var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
var expected = @"<form><math><mtext><form><mglyph><xmp>&lt;/math&gt;&lt;img src onerror=alert(1)&gt;</xmp></mglyph></form></mtext></math></form>";
Assert.Equal(expected, sanitized);
}

[Fact]
public void Bypass3Test()
{
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedTags.Add("svg");
sanitizer.AllowedTags.Add("title");
sanitizer.AllowedTags.Add("noscript");
var bypass = @"<svg></p><title><noscript></title><img src=x onerror=alert(1)></noscript></title>";
var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
var expected = "<svg><p></p><title><noscript>&lt;/title&gt;&lt;img src=x onerror=alert(1)&gt;</noscript></title></svg>";
Assert.Equal(expected, sanitized);
}

[Fact]
public void Bypass4Test()
{
var sanitizer = new HtmlSanitizer();
sanitizer.AllowedTags.Add("svg");
sanitizer.AllowedTags.Add("p");
sanitizer.AllowedTags.Add("style");
sanitizer.RemovingComment += (s, e) => e.Cancel = true;
var bypass = @"<svg></p><style><!--</style><img src=x onerror=alert(1)>-->";
var sanitized = sanitizer.Sanitize(bypass, "https://www.example.com");
var expected = "<svg><p></p><style><!--&lt;/style&gt;&lt;img src=x onerror=alert(1)&gt;--></style></svg>";
Assert.Equal(expected, sanitized);
}
}
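Review bot: The four new tests (BypassTest through Bypass4Test) pin only the exact serialized string, yet the property the fix is meant to provide is that the output survives a second parse unchanged; if the sanitizer is intended to be idempotent, adding `Assert.Equal(sanitized, sanitizer.Sanitize(sanitized, "https://www.example.com"));` to each would assert that property directly and keep the tests meaningful if the serializer's formatting ever changes. The test names are opaque; a one-line comment per test naming the construct exercised — svg foreign content with title/xmp, the form/math/mtext/mglyph nesting, noscript inside title, and a comment inside style with RemovingComment cancelled — would let a reader see which parser mode each case covers without decoding the markup. StyleByPassTest's updated expectation at the top of the section is worth a comment too, since `>` inside the style selector now becomes `&gt;`, which is literal text in a raw-text element rather than a decoded reference.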
