Merge pull request #12 from spassarop/develop

Changes for v1.2.0

.github/workflows/codeql-analysis.yml

@@ -57,7 +57,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v1
+      uses: github/codeql-action/init@v2
       with:
         languages: ${{ matrix.language }}
         # If you wish to specify custom queries, you can do so here or in a config file.
@@ -66,21 +66,16 @@ jobs:
         # queries: ./path/to/local/query, your-org/your-repo/queries@main
 
     # This prevents errors when automatically installing SDK.
-    # CodeQL does not install .NET 5.0 nor 6.0.    
-    - name: Setup .NET 5.0 SDK+Runtime
+    # CodeQL does not install .NET 8.0.    
+    - name: Setup .NET 8.0 SDK+Runtime
       uses: actions/setup-dotnet@v1.7.2
       with:
-        dotnet-version: 5.0.404
-
-    - name: Setup .NET 6.0 SDK+Runtime
-      uses: actions/setup-dotnet@v1.7.2
-      with:
-        dotnet-version: 6.0.101
+        dotnet-version: 8.0.100
 
     # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
     # If this step fails, then you should remove it and run the build manually (see below)
     - name: Autobuild
-      uses: github/codeql-action/autobuild@v1
+      uses: github/codeql-action/autobuild@v2
 
     # ℹ️ Command-line programs to run using the OS shell.
     # 📚 https://git.io/JvXDl
@@ -94,4 +89,4 @@ jobs:
     #   make release
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v1
+      uses: github/codeql-action/analyze@v2

.github/workflows/netcore_and_netframework.yml

@@ -40,20 +40,10 @@ jobs:
       # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
       - uses: actions/checkout@v2
 
-      - name: Setup .NET Core SDK+Runtime
+      - name: Setup .NET 8.0 SDK+Runtime
         uses: actions/setup-dotnet@v1.7.2
         with:
-          dotnet-version: 3.1.x
-
-      - name: Setup .NET 5.0 SDK+Runtime
-        uses: actions/setup-dotnet@v1.7.2
-        with:
-          dotnet-version: 5.0.404
-
-      - name: Setup .NET 6.0 SDK+Runtime
-        uses: actions/setup-dotnet@v1.7.2
-        with:
-          dotnet-version: 6.0.101
+          dotnet-version: 8.0.100
 
       - name: Setup MSBuild for .NET Framework
         uses: microsoft/setup-msbuild@v1

LICENSE

@@ -1,6 +1,6 @@
 BSD 3-Clause License
 
-Copyright (c) 2022, spassarop
+Copyright (c) 2023, spassarop
 All rights reserved.
 
 Redistribution and use in source and binary forms, with or without

OWASP.AntiSamy/AntiSamyPolicyExamples/antisamy-anythinggoes.xml

@@ -41,7 +41,7 @@ http://www.w3.org/TR/html401/struct/global.html
 
 		<regexp name="anything" value=".*"/>
 		<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
-		<regexp name="paragraph" value="([\p{L}\p{N},'\.\s\-_\(\)]|&amp;[0-9]{2};)*"/>
+		<regexp name="paragraph" value="[\p{L}\p{N},'.\s\-_\(\)&amp;;]*"/>
 		<regexp name="htmlId" value="[a-zA-Z0-9\:\-_\.]+"/>
 		<regexp name="htmlTitle" value="[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&amp;]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
 		<regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>

OWASP.AntiSamy/AntiSamyPolicyExamples/antisamy-ebay.xml

@@ -39,7 +39,7 @@ http://www.w3.org/TR/html401/struct/global.html
 
 		<regexp name="anything" value=".*"/>
 		<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
-		<regexp name="paragraph" value="([\p{L}\p{N},'\.\s\-_\(\)]|&amp;[0-9]{2};)*"/>
+		<regexp name="paragraph" value="[\p{L}\p{N},'.\s\-_\(\)&amp;;]*"/>
 		<regexp name="htmlId" value="[a-zA-Z0-9\:\-_\.]+"/>
 		<regexp name="htmlTitle" value="[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&amp;]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
 		<regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>

OWASP.AntiSamy/AntiSamyPolicyExamples/antisamy-myspace.xml

@@ -41,7 +41,7 @@ http://www.w3.org/TR/html401/struct/global.html
 
 		<regexp name="anything" value=".*"/>
 		<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
-		<regexp name="paragraph" value="([\p{L}\p{N},'\.\s\-_\(\)]|&amp;[0-9]{2};)*"/>
+		<regexp name="paragraph" value="[\p{L}\p{N},'.\s\-_\(\)&amp;;]*"/>
 		<regexp name="htmlId" value="[a-zA-Z0-9\:\-_\.]+"/>
 		<regexp name="htmlTitle" value="[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&amp;]*"/> <!-- force non-empty with a '+' at the end instead of '*' -->
 		<regexp name="htmlClass" value="[a-zA-Z0-9\s,\-_]+"/>

OWASP.AntiSamy/AntiSamyPolicyExamples/antisamy.xml

@@ -44,7 +44,7 @@ http://www.w3.org/TR/html401/struct/global.html
 
 		<regexp name="anything" value=".*"/>
 		<regexp name="numberOrPercent" value="(\d)+(%{0,1})"/>
-		<regexp name="paragraph" value="([\p{L}\p{N},'\.\s\-_\(\)]|&amp;[0-9]{2};)*"/>
+		<regexp name="paragraph" value="[\p{L}\p{N},'.\s\-_\(\)&amp;;]*"/>
 		<regexp name="htmlId" value="[a-zA-Z0-9\:\-_\.]+"/>
 		<regexp name="htmlTitle" value="[\p{L}\p{N}\s\-_',:\[\]!\./\\\(\)&amp;]*"/>
 		<!-- force non-empty with a '+' at the end instead of '*' -->

OWASP.AntiSamy/Css/CssScanner.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Jerry Hoff, Caner Patir, Sebastián Passaro
+ * Copyright (c) 2023, Jerry Hoff, Caner Patir, Sebastián Passaro
  * 
  * 
  * All rights reserved.

OWASP.AntiSamy/Exceptions/ParseException.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Caner Patir, Sebastián Passaro
+ * Copyright (c) 2023, Caner Patir, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Exceptions/PolicyException.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Exceptions/ScanException.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Exceptions/UnknownSelectorException.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009-2022, Sebastián Passaro
+ * Copyright (c) 2009-2023, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/AntiSamy.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/CleanResults.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 
@@ -29,11 +29,31 @@
 namespace OWASP.AntiSamy.Html
 {
     /// <summary> 
-    /// This class contains the results of a scan.
-    /// 
-    /// The list of error messages (<see cref="GetErrorMessages"/>) will let the user know
-    /// what, if any HTML errors existed, and what, if any, security or
-    /// validation-related errors existed, and what was done about them.
+    /// This class contains the results of a scan. It primarily provides access to the clean sanitized
+    /// HTML, per the AntiSamy sanitization policy applied. It also provides access to some utility
+    /// information, like possible error messages and error message counts.
+    ///
+    /// <para>WARNING: The ONLY output from the class you can completely rely on is the CleanResults output.
+    /// As stated in the documentation, neither the <see cref="GetErrorMessages"/> nor the <see cref="GetNumberOfErrors"/> methods
+    /// subtly answer the question "is this safe input?" in the affirmative if it returns an empty list. 
+    /// You must always use the sanitized 'Clean' input and there is no way to be sure the input passed in had no attacks.
+    /// </para>
+    ///
+    /// <para>The serialization and deserialization process that is critical to the effectiveness of the
+    /// sanitizer is purposefully lossy and will filter out attacks via a number of attack vectors.
+    /// Unfortunately, one of the tradeoffs of this strategy is that AntiSamy doesn't always know in
+    /// retrospect that an attack was seen. Thus, the <see cref="GetErrorMessages"/> API is there to help users
+    /// understand whether their well-intentioned input meets the requirements of the system, not help a
+    /// developer detect if an attack was present.
+    /// </para>
+    ///
+    /// <para>The list of error messages (<see cref="errorMessages"/>) will let the user know what, if any
+    /// HTML errors existed, and what, if any, security or validation-related errors were detected, and
+    /// what was done about them. NOTE: As just stated, the absence of error messages does NOT mean there
+    /// were no attacks in the input that was sanitized out. You CANNOT rely on the <see cref="errorMessages"/> to tell
+    /// you if the input was dangerous. You MUST use the output of <see cref="GetCleanHtml"/> to ensure your output
+    /// is safe.
+    /// </para>
     /// </summary>
     public class CleanResults
     {
@@ -74,11 +94,17 @@ public CleanResults(DateTime startOfScan, DateTime endOfScan, string cleanHTML,
         /// <param name="cleanHtml"></param>
         public void SetCleanHtml(string cleanHtml) => this.cleanHtml = cleanHtml;
 
-        /// <summary> Return the filtered HTML as a string.</summary>
+        /// <summary> 
+        /// Return the filtered HTML as a string. This output is the ONLY output you can trust to be safe.
+        /// The absence of error messages does NOT indicate the input was safe.
+        /// </summary>
         /// <returns> A string object which contains the serialized, safe HTML.</returns>
         public string GetCleanHtml() => cleanHtml;
 
-        /// <summary> Return a list of error messages.</summary>
+        /// <summary> 
+        /// Return a list of error messages -- but an empty list returned does not mean there was no attack
+        /// present, due to the serialization and deserialization process automatically cleaning up some attacks.
+        /// </summary>
         /// <returns> A <see cref="List{String}"/> object which contains the error messages after a scan.</returns>
         public List<string> GetErrorMessages() => errorMessages;
 
@@ -98,7 +124,10 @@ public CleanResults(DateTime startOfScan, DateTime endOfScan, string cleanHTML,
         /// <param name="msg">An error message to append to the list of aggregate error messages during filtering.</param>
         public void AddErrorMessage(string msg) => errorMessages.Add(msg);
 
-        /// <summary> Return the number of errors encountered during filtering.</summary>
+        /// <summary> 
+        /// Return the number of errors encountered during filtering. Note that 0 errors does NOT
+        /// mean the input was safe. Only the output of <see cref="GetCleanHtml"/> can be considered safe.
+        /// </summary>
         public int GetNumberOfErrors() => errorMessages.Count;
     }
 }

OWASP.AntiSamy/Html/InternalPolicy.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Kristian Rosenvold, Sebastián Passaro
+ * Copyright (c) 2008-2023, Kristian Rosenvold, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Model/AntiSamyPattern.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Model/Attribute.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Model/Property.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Model/Tag.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/ParseContext.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2007-2022, Arshan Dabirsiaghi, Jason Li, Kristian Rosenvold, Sebastián Passaro
+ * Copyright (c) 2007-2023, Arshan Dabirsiaghi, Jason Li, Kristian Rosenvold, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Policy.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Scan/AntiSamyDomScanner.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2009-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 
@@ -136,7 +136,7 @@ public CleanResults Scan(string html)
 
             // All the cleaned HTML
             string finalCleanHTML = Policy.PreservesSpace ? htmlDocument.DocumentNode.InnerHtml : htmlDocument.DocumentNode.InnerHtml.Trim();
-
+            
             // Encode special/international characters if stated by policy
             if (Policy.EntityEncodesInternationalCharacters)
             {
@@ -371,6 +371,15 @@ private void ValidateTag(HtmlNode node, HtmlNode parentNode, string tagName, Tag
                 return;
             }
 
+            /*
+            * Parse every <noscript> node content as plain text by replacing its content with its transformation.
+            * Covers a case when preserving comments and how the underlying parser works, where a bug arises.
+            */
+            if (tagName.ToLowerInvariant() == "noscript" && Policy.PreservesComments)
+            {
+                node.ParentNode.ReplaceChild(parentNode.OwnerDocument.CreateTextNode(node.InnerText), node);
+            }
+
             /*
             * Go through the attributes in the tainted tag and validate them against the values we have for them.
             * If we don't have a rule for the attribute we remove the attribute.

OWASP.AntiSamy/Html/Scan/Constants.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/TagMatcher.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2022, Kristian Rosenvold, Sebastián Passaro
+ * Copyright (c) 2013-2023, Kristian Rosenvold, Sebastián Passaro
  *
  * All rights reserved.
  *

OWASP.AntiSamy/Html/Util/DictionaryExtensions.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Sebastián Passaro
+ * Copyright (c) 2023, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Util/ErrorMessageUtil.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Sebastián Passaro
+ * Copyright (c) 2023, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Util/HtmlEntityEncoder.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Util/PolicyParserUtil.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Arshan Dabirsiaghi, Jason Li, Kristian Rosenvold, Sebastián Passaro
+ * Copyright (c) 2008-2023, Arshan Dabirsiaghi, Jason Li, Kristian Rosenvold, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Util/SpecialCharactersEncoder.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2022, Sebastián Passaro
+ * Copyright (c) 2023, Sebastián Passaro
  * 
  * All rights reserved.
  * 

OWASP.AntiSamy/Html/Util/XmlUtil.cs

@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2008-2022, Jerry Hoff, Sebastián Passaro
+ * Copyright (c) 2008-2023, Jerry Hoff, Sebastián Passaro
  * 
  * All rights reserved.
  *