Fix #469

mganss · mganss · commit 0b8b5d111900 · 2023-09-25T15:55:11.000+02:00
diff --git a/src/HtmlSanitizer/HtmlSanitizer.cs b/src/HtmlSanitizer/HtmlSanitizer.cs
@@ -721,7 +721,7 @@ private void SanitizeStyleDeclaration(IElement element, ICssStyleDeclaration sty
 
                         foreach (var url in urls)
                         {
-                            sb.Append(val, ix, url.Match.Index);
+                            sb.Append(val, ix, url.Match.Index - ix);
                             sb.Append("url(");
                             sb.Append(url.Match.Groups[1].Value);
                             sb.Append(url.Url);
diff --git a/test/HtmlSanitizer.Tests/Tests.cs b/test/HtmlSanitizer.Tests/Tests.cs
@@ -3487,4 +3487,14 @@ public void VarUrlTest()
         var sanitized = sanitizer.Sanitize(html);
         Assert.Equal(html, sanitized);
     }
+
+    [Fact]
+    public void Number469Test()
+    {
+        // see https://github.com/mganss/HtmlSanitizer/issues/469
+        var html = @"<div style=""height: 0; background-image: url('https://example.com/1.jpg'), url('https://example.com/2.jpg'), url('https://example.com/3.jpg'); display: none;""/>";
+        var sanitizer = new HtmlSanitizer();
+        var sanitized = sanitizer.Sanitize(html);
+        Assert.Equal(@"<div style=""height: 0; background-image: url(&quot;https://example.com/1.jpg&quot;), url(&quot;https://example.com/2.jpg&quot;), url(&quot;https://example.com/3.jpg&quot;); display: none""></div>", sanitized);
+    }
 }

Original file line number	Diff line number	Diff line change
`@@ -721,7 +721,7 @@ private void SanitizeStyleDeclaration(IElement element, ICssStyleDeclaration sty`
`721`	`721`
`722`	`722`	`foreach (var url in urls)`
`723`	`723`	`{`
`724`		`- sb.Append(val, ix, url.Match.Index);`
	`724`	`+ sb.Append(val, ix, url.Match.Index - ix);`
`725`	`725`	`sb.Append("url(");`
`726`	`726`	`sb.Append(url.Match.Groups[1].Value);`
`727`	`727`	`sb.Append(url.Url);`