Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NullReferenceException with invalid style attribute due to incorrect null check in HtmlSanitizer.SanitizeStyle #81

Closed
LunNova opened this issue Aug 15, 2016 · 3 comments
Closed

NullReferenceException with invalid style attribute due to incorrect null check in HtmlSanitizer.SanitizeStyle #81

LunNova opened this issue Aug 15, 2016 · 3 comments

Comments

@LunNova
Copy link

LunNova commented Aug 15, 2016
edited
Loading

When attempting to sanitize <font style="t"></font> an exception is thrown:

System.NullReferenceException: Object reference not set to an instance of an object.
at AngleSharp.Extensions.FormatExtensions.ToCss(IStyleFormattable style, IStyleFormatter formatter)
at Ganss.XSS.HtmlSanitizer.SanitizeStyle(IHtmlElement element, String baseUrl)
at Ganss.XSS.HtmlSanitizer.DoSanitize(IHtmlDocument dom, IElement context, String baseUrl, IMarkupFormatter outputFormatter)

In SanitizeStyle, the following null check is used to guard against calling ToCss on a null ICssStyleDeclaration:

      if (element.GetAttribute("style") == null)
        return;
      element.SetAttribute("style", element.Style.ToCss());

This is not correct, as the getter of Style in element calls CreateStyle. It may return null even if the style attribute is non-null.

Here is the implementation of CreateStyle:

    protected ICssStyleDeclaration CreateStyle()
    {
      if ((this.Flags & (NodeFlags.HtmlMember | NodeFlags.SvgMember)) != NodeFlags.None)
      {
        Document owner = this.Owner;
        IConfiguration options1 = owner.Options;
        IBrowsingContext context = owner.Context;
        ICssStyleEngine cssStyleEngine = options1.GetCssStyleEngine();
        if (cssStyleEngine != null)
        {
          string ownAttribute = this.GetOwnAttribute(AttributeNames.Style);
          StyleOptions options2 = new StyleOptions(context)
          {
            Element = (IElement) this
          };
          ICssStyleDeclaration declaration = cssStyleEngine.ParseDeclaration(ownAttribute, options2);
          IBindable bindable = declaration as IBindable;
          if (bindable == null)
            return declaration;
          bindable.Changed += (Action<string>) (value => this.UpdateAttribute(AttributeNames.Style, value));
          return declaration;
        }
      }
      return (ICssStyleDeclaration) null;
    }

I am not sure what the correct behaviour is when the style attribute is non-null but Style is null. Should the style attribute be cleared in that case, as it means the style attribute either isn't expected on that element type or could not be parsed?
@LunNova
Copy link
Author

LunNova commented Aug 15, 2016

Oops. This occurred due to using a custom parser configuration which (unintentionally) didn't have the CssParserOptions you set. When those are used, the issue does not occur.

I'm leaving this open as the code still seems fragile, and there may be other ways to cause Style to return null, so I think it still should be null checked.

Of course, if you disagree, you're free to close this! :)

@304NotModified
Copy link
Contributor

so I think it still should be null checked.

Agree with that.

@mganss mganss closed this as completed in bf1b96c Aug 15, 2016
@mganss
Copy link
Owner

mganss commented Aug 15, 2016

Thanks for the bug report. I've fixed this by removing the style attribute if the Style property is null.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@LunNova @mganss @304NotModified