Fix #164

mganss · mganss · commit a258535f13eb · 2019-06-02T14:36:53.000+02:00
diff --git a/src/HtmlSanitizer/HtmlSanitizer.cs b/src/HtmlSanitizer/HtmlSanitizer.cs
@@ -482,7 +482,7 @@ public string SanitizeDocument(string html, string baseUrl = "", IMarkupFormatte
 
             using (var dom = parser.Parse(html))
             {
-                DoSanitize(dom, dom.DocumentElement, baseUrl);
+                DoSanitize(dom, dom, baseUrl);
 
                 var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
 
@@ -503,7 +503,7 @@ public string SanitizeDocument(Stream html, string baseUrl = "", IMarkupFormatte
 
             using (var dom = parser.Parse(html))
             {
-                DoSanitize(dom, dom.DocumentElement, baseUrl);
+                DoSanitize(dom, dom, baseUrl);
 
                 var output = dom.ToHtml(outputFormatter ?? OutputFormatter);
 
@@ -542,7 +542,7 @@ private void RemoveComments(IElement context)
             }
         }
 
-        private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = "")
+        private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")
         {
             // remove non-whitelisted tags
             foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())
@@ -607,9 +607,9 @@ private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = ""
                 }
             }
 
-            RemoveComments(context);
+            RemoveComments(context as IElement);
 
-            DoPostProcess(dom, context);
+            DoPostProcess(dom, context as IElement);
         }
 
         private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl)
diff --git a/test/HtmlSanitizer.Tests/Tests.cs b/test/HtmlSanitizer.Tests/Tests.cs
@@ -3135,6 +3135,19 @@ public void RemovingFramesetShouldTriggerEventTest()
             Assert.True(anyNodeRemoved);
             Assert.Equal("<html><head></head></html>", actual);
         }
+
+        [Fact]
+        public void HtmlDocumentTest()
+        {
+            // https://github.com/mganss/HtmlSanitizer/issues/164
+
+            var sanitizer = new HtmlSanitizer();
+            var html = @"<html onmousemove=""alert(document.location)""><head></head><body></body></html>";
+
+            var actual = sanitizer.SanitizeDocument(html);
+
+            Assert.Equal("<html><head></head><body></body></html>", actual);
+        }
     }
 }
 

Original file line number	Diff line number	Diff line change
`@@ -482,7 +482,7 @@ public string SanitizeDocument(string html, string baseUrl = "", IMarkupFormatte`
`482`	`482`
`483`	`483`	`using (var dom = parser.Parse(html))`
`484`	`484`	`{`
`485`		`- DoSanitize(dom, dom.DocumentElement, baseUrl);`
	`485`	`+ DoSanitize(dom, dom, baseUrl);`
`486`	`486`
`487`	`487`	`var output = dom.ToHtml(outputFormatter ?? OutputFormatter);`
`488`	`488`
`@@ -503,7 +503,7 @@ public string SanitizeDocument(Stream html, string baseUrl = "", IMarkupFormatte`
`503`	`503`
`504`	`504`	`using (var dom = parser.Parse(html))`
`505`	`505`	`{`
`506`		`- DoSanitize(dom, dom.DocumentElement, baseUrl);`
	`506`	`+ DoSanitize(dom, dom, baseUrl);`
`507`	`507`
`508`	`508`	`var output = dom.ToHtml(outputFormatter ?? OutputFormatter);`
`509`	`509`
`@@ -542,7 +542,7 @@ private void RemoveComments(IElement context)`
`542`	`542`	`}`
`543`	`543`	`}`
`544`	`544`
`545`		`- private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = "")`
	`545`	`+ private void DoSanitize(IHtmlDocument dom, IParentNode context, string baseUrl = "")`
`546`	`546`	`{`
`547`	`547`	`// remove non-whitelisted tags`
`548`	`548`	`foreach (var tag in context.QuerySelectorAll("*").Where(t => !IsAllowedTag(t)).ToList())`
`@@ -607,9 +607,9 @@ private void DoSanitize(IHtmlDocument dom, IElement context, string baseUrl = ""`
`607`	`607`	`}`
`608`	`608`	`}`
`609`	`609`
`610`		`- RemoveComments(context);`
	`610`	`+ RemoveComments(context as IElement);`
`611`	`611`
`612`		`- DoPostProcess(dom, context);`
	`612`	`+ DoPostProcess(dom, context as IElement);`
`613`	`613`	`}`
`614`	`614`
`615`	`615`	`private void SanitizeStyleSheets(IHtmlDocument dom, string baseUrl)`
Original file line number	Diff line number	Diff line change
`@@ -3135,6 +3135,19 @@ public void RemovingFramesetShouldTriggerEventTest()`
`3135`	`3135`	`Assert.True(anyNodeRemoved);`
`3136`	`3136`	`Assert.Equal("<html><head></head></html>", actual);`
`3137`	`3137`	`}`
	`3138`	`+`
	`3139`	`+ [Fact]`
	`3140`	`+ public void HtmlDocumentTest()`
	`3141`	`+ {`
	`3142`	`+ // https://github.com/mganss/HtmlSanitizer/issues/164`
	`3143`	`+`
	`3144`	`+ var sanitizer = new HtmlSanitizer();`
	`3145`	`+ var html = @"<html onmousemove=""alert(document.location)""><head></head><body></body></html>";`
	`3146`	`+`
	`3147`	`+ var actual = sanitizer.SanitizeDocument(html);`
	`3148`	`+`
	`3149`	`+ Assert.Equal("<html><head></head><body></body></html>", actual);`
	`3150`	`+ }`
`3138`	`3151`	`}`
`3139`	`3152`	`}`
`3140`	`3153`