From 92ac8afe43f73d295c709b04080d7d9a4239fcae Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebasti=C3=A1n=20Passaro?= <sebastian.passaro@owasp.org>
Date: Tue, 19 Dec 2023 22:32:47 -0300
Subject: [PATCH] Add tests and noscript specific case logic

---
 .../Html/Scan/AntiSamyDomScanner.cs           | 11 ++++-
 OWASP.AntiSamyTests/Html/AntiSamyTest.cs      | 48 +++++++++++++++++++
 2 files changed, 58 insertions(+), 1 deletion(-)

diff --git a/OWASP.AntiSamy/Html/Scan/AntiSamyDomScanner.cs b/OWASP.AntiSamy/Html/Scan/AntiSamyDomScanner.cs
index 680bd39..592344b 100644
--- a/OWASP.AntiSamy/Html/Scan/AntiSamyDomScanner.cs
+++ b/OWASP.AntiSamy/Html/Scan/AntiSamyDomScanner.cs
@@ -136,7 +136,7 @@ public CleanResults Scan(string html)
 
             // All the cleaned HTML
             string finalCleanHTML = Policy.PreservesSpace ? htmlDocument.DocumentNode.InnerHtml : htmlDocument.DocumentNode.InnerHtml.Trim();
-
+            
             // Encode special/international characters if stated by policy
             if (Policy.EntityEncodesInternationalCharacters)
             {
@@ -371,6 +371,15 @@ private void ValidateTag(HtmlNode node, HtmlNode parentNode, string tagName, Tag
                 return;
             }
 
+            /*
+            * Parse every <noscript> node content as plain text by replacing its content with its transformation.
+            * Covers a case when preserving comments and how the underlying parser works, where a bug arises.
+            */
+            if (tagName.ToLowerInvariant() == "noscript" && Policy.PreservesComments)
+            {
+                node.ParentNode.ReplaceChild(parentNode.OwnerDocument.CreateTextNode(node.InnerText), node);
+            }
+
             /*
             * Go through the attributes in the tainted tag and validate them against the values we have for them.
             * If we don't have a rule for the attribute we remove the attribute.
diff --git a/OWASP.AntiSamyTests/Html/AntiSamyTest.cs b/OWASP.AntiSamyTests/Html/AntiSamyTest.cs
index a32b05e..700ae64 100644
--- a/OWASP.AntiSamyTests/Html/AntiSamyTest.cs
+++ b/OWASP.AntiSamyTests/Html/AntiSamyTest.cs
@@ -934,5 +934,53 @@ public void TestMalformedPIScan()
             }
             result.Should().NotBeNull();
         }
+
+        [Test]
+        [Ignore("Not passing. To correct in the future if there is a complain or easy fix.")]
+        public void TestQuotesInsideStyles()
+        {
+            string input = "<span style=\"font-family: 'comic sans ms', sans-serif; color: #ba372a;\">Text</span>";
+            antisamy.Scan(input, policy).GetCleanHtml().Should().ContainAll("'comic sans ms'", "\"font-family");
+
+            input = "<span style='font-family: \"comic sans ms\", sans-serif; color: #ba372a;'>Text</span>";
+            antisamy.Scan(input, policy).GetCleanHtml().Should().ContainAll("'comic sans ms'", "\"font-family");
+        }
+
+        [Test]
+        public void TestRawTextProcessingWhenPreservingComments()
+        {
+            var tag = new Tag("xmp", Constants.ACTION_VALIDATE, new Dictionary<string, Attribute>());
+            Policy revised = policy.MutateTag(tag).CloneWithDirective(Constants.PRESERVE_COMMENTS, "true");
+
+            antisamy.Scan("<noscript><!--</noscript><img src=x onerror=mxss(1)>-->", revised)
+                .GetCleanHtml().Should().NotContain("mxss");
+            antisamy.Scan("<textarea/><!--</textarea><img src=x onerror=mxss(1)>-->", revised)
+                .GetCleanHtml().Should().NotContain("mxss");
+            antisamy.Scan("<xmp/><!--</xmp><img src=x onerror=mxss(1)>-->", revised)
+                .GetCleanHtml().Should().Be("<!--</xmp><img src=x onerror=mxss(1)>-->");
+            antisamy.Scan("<!--<div/>--><img src=x onerror=mxss(1)> <li>--></p><input/>", revised)
+                .GetCleanHtml().Should().NotContain("mxss");
+        }
+
+        [Test]
+        public void TestRegexStackOverflow()
+        {
+            string result = null;
+            try
+            {
+                string input = "<img border=\"0\" width=\"320\" height=\"200\" style=\"width:3.368in;height:2.0486in\" id=\"id_123\" src=\"/url/uri\" alt=\"";
+                for (int i = 0; i < 2500; i++)
+                {
+                    input += "SampleText ";
+                }
+                input += "!\\\">";
+                result = antisamy.Scan(input, policy).GetCleanHtml();
+            }
+            catch
+            {
+                // To comply with try/catch
+            }
+            result.Should().NotBeNull();
+        }
     }
 }