update JsonLdScriptEncoding

Author: tvatavuk

Razor.Blade/Internals/ReplaceExtension.cs

@@ -9,24 +9,26 @@ public static class ReplaceExtension
         /// <summary>
         /// Returns a new string in which all occurrences of a specified string in the current instance are replaced with another specified string.
         /// This is to be used in .NET Framework or .netstandard 2.0 because .NET 5+ already has this string.Replace() method
-        /// https://stackoverflow.com/a/36317315
+        /// based on https://stackoverflow.com/a/36317315
         /// </summary>
         /// <param name="str">The string performing the replace method.</param>
+        /// <param name="find">The string find.</param>
         /// <param name="oldValue">The string to be replaced.</param>
         /// <param name="newValue">The string replace all occurrences of oldValue.</param>
         /// <param name="comparisonType">Type of the comparison.</param>
         /// <returns></returns>
-        public static string Replace(this string str, string oldValue, string newValue, StringComparison comparisonType)
+        public static string Replace(this string str, string find, string oldValue, string newValue, StringComparison comparisonType)
         {
             newValue = newValue ?? string.Empty;
-            if (string.IsNullOrEmpty(str) || string.IsNullOrEmpty(oldValue) || oldValue.Equals(newValue, comparisonType))
-            {
+            if (string.IsNullOrEmpty(str) || string.IsNullOrEmpty(find) || string.IsNullOrEmpty(oldValue) || oldValue.Equals(newValue, comparisonType))
+                return str;
+            var findOffset = find.IndexOf(oldValue, 0, comparisonType);
+            if (findOffset < 0)
                 return str;
-            }
             int foundAt;
-            while ((foundAt = str.IndexOf(oldValue, 0, comparisonType)) != -1)
+            while ((foundAt = str.IndexOf(find, 0, comparisonType)) != -1)
             {
-                str = str.Remove(foundAt, oldValue.Length).Insert(foundAt, newValue);
+                str = str.Remove(foundAt + findOffset, oldValue.Length).Insert(foundAt + findOffset, newValue);
             }
             return str;
         }

Razor.Blade/Wip/XssPrevention.cs

@@ -8,10 +8,10 @@ namespace ToSic.Razor.Wip
     /// https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html
     /// https://cheatsheetseries.owasp.org/cheatsheets/DotNet_Security_Cheat_Sheet.html#a7-cross-site-scripting-xss
     /// </summary>
-    internal class XssPrevention
+    public class XssPrevention
     {
         /// <summary>
-        /// Output Encoding for "JSON-LD Context"
+        /// Output Encoding for "JSON-LD Contexts"
         /// https://w3c.github.io/json-ld-syntax/#restrictions-for-contents-of-json-ld-script-elements
         /// https://cheatsheetseries.owasp.org/cheatsheets/Cross_Site_Scripting_Prevention_Cheat_Sheet.html#output-encoding-for-javascript-contexts
         /// Authors should avoid using character sequences in scripts embedded in HTML which may be confused with a
@@ -20,14 +20,11 @@ internal class XssPrevention
         /// </summary>
         /// <param name="unsafeJsonLd"></param>
         /// <returns></returns>
-        internal static string JsonLdScriptEncoding(string unsafeJsonLd) => unsafeJsonLd
-            .Replace("<!--", @"\u003C!--", StringComparison.OrdinalIgnoreCase)
-            .Replace("<script", @"\u003Cscript", StringComparison.OrdinalIgnoreCase)
-            .Replace("-->", @"--\u003E", StringComparison.OrdinalIgnoreCase)
-            // TODO @STV: use </script and NOT </script> - the closing tag can be much later
-            // also write a test to verify
-            // and also a test to verify different script cases
-            .Replace("</script>", @"\u003C/script>", StringComparison.OrdinalIgnoreCase);
+        public static string JsonLdScriptEncoding(string unsafeJsonLd) => unsafeJsonLd
+            .Replace("<!--", "<", @"\u003C", StringComparison.OrdinalIgnoreCase)
+            .Replace("<script", "<", @"\u003C", StringComparison.OrdinalIgnoreCase)
+            .Replace("-->", ">", @"\u003E", StringComparison.OrdinalIgnoreCase)
+            .Replace("</script", "<", @"\u003C", StringComparison.OrdinalIgnoreCase);
 
         ///// <summary>
         ///// Output Encoding for "HTML Contexts"

ToSic.RazorBladeTests/WIP/XssPreventionTests.cs

@@ -0,0 +1,31 @@
+using Microsoft.VisualStudio.TestTools.UnitTesting;
+using ToSic.Razor.Wip;
+
+namespace ToSic.RazorBladeTests.WIP
+{
+    [TestClass]
+    public class XssPreventionTests
+    {
+        [TestMethod]
+        [DataRow("<script>alert('xss')</script><!-- html comment -->", @"\u003Cscript>alert('xss')\u003C/script>\u003C!-- html comment --\u003E")]
+        [DataRow(null, null)]
+        [DataRow("", "")]
+        [DataRow("nothing to do", "nothing to do")]
+        [DataRow("</script", "\\u003C/script")]
+        [DataRow("</scriptnewtag", "\\u003C/scriptnewtag")]
+        [DataRow("</ScRiPt>", "\\u003C/ScRiPt>")]
+        [DataRow("</script   >", "\\u003C/script   >")]
+        [DataRow("  </script", "  \\u003C/script")]
+        [DataRow("\n</script\n\t>", "\n\\u003C/script\n\t>")]
+        [DataRow("<<<</script", "<<<\\u003C/script")]
+        [DataRow("<><></script", "<><>\\u003C/script")]
+        [DataRow("</  script   >", "</  script   >")]
+        [DataRow("<  /  script   >", "<  /  script   >")]
+        [DataRow("-->", "--\\u003E")]
+        [DataRow("-->>", "--\\u003E>")]
+        [DataRow("<-->>", "<--\\u003E>")]
+        [DataRow("-- >", "-- >")]
+        [DataRow("  --\t\n>\n ", "  --\t\n>\n ")]
+        public void JsonLdScriptEncoding(string content, string expected) => Assert.AreEqual(expected, XssPrevention.JsonLdScriptEncoding(content));
+    }
+}