Skip to content

Instantly share code, notes, and snippets.

@jesslilly
Created January 31, 2020 14:22
Show Gist options
  • Save jesslilly/782977c2a45e1ca68ed59a4164b389e2 to your computer and use it in GitHub Desktop.
Save jesslilly/782977c2a45e1ca68ed59a4164b389e2 to your computer and use it in GitHub Desktop.
MSTEST Stub for Ganss.XSS.HtmlSanitizer. Test your config.
using Ganss.XSS;
using Microsoft.VisualStudio.TestTools.UnitTesting;
namespace VEIC.Tracker.Services.Tests.Shared
{
[TestClass]
public class HtmlSanitizerTests
{
private IHtmlSanitizer _htmlSanitizer;
[TestInitialize]
public void TestInitialize()
{
_htmlSanitizer = new HtmlSanitizer();
_htmlSanitizer.AllowedAttributes.Add("class");
}
[TestMethod]
[DataRow("<p>safe</p>", "<p>safe</p>", DisplayName = "Normal HTML - no changes")]
[DataRow("<p title=\"escaped\"></p>", "<p title=\"escaped\"></p>", DisplayName = "Escaped HTML - works")]
[DataRow("<p class=\"cls-Normal\"></p>", "<p class=\"cls-Normal\"></p>", DisplayName = "HTML with class attr - no changes")]
[DataRow("<body><p>safe</p></body>", "<p>safe</p>", DisplayName = "HTML with body tag - no changes")]
[DataRow("<p onload=alert('unsafe')></p>", "<p></p>", DisplayName = "Unsafe HTML - XSS removed")]
public void SanitizeDocument(string input, string expected)
{
// Arrange
// Act
var result = _htmlSanitizer.SanitizeDocument(input);
// Assert
Assert.AreEqual("<html><head></head><body>" + expected + "</body></html>", result);
}
}
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment