File: CssEncoder.cs

mono 6.8.0.105%2Bdfsg-3.3
//------------------------------------------------------------------------------
// <copyright file="CssEncoder.cs" company="Microsoft">
//     Copyright (c) Microsoft Corporation.  All rights reserved.
// </copyright>
//------------------------------------------------------------------------------

namespace System.Web.Security.AntiXss {
    using System;
    using System.Collections;
    using System.Text;
    using System.Threading;

    /// <summary>
    /// Provides CSS Encoding methods.
    /// </summary>
    /// <remarks>
    /// The encoder is allow-list based: only the characters yielded by <see cref="CssSafeList"/>
    /// (ASCII digits and letters) are left untouched by <see cref="Encode"/>; every other character
    /// is replaced by an escape sequence.
    /// NOTE(review): escaping only keeps a value from changing the surrounding CSS syntax. It does
    /// not validate what the value means (for example the scheme of a URL placed in a style), so
    /// callers still need their own validation for such values.
    /// </remarks>
    internal static class CssEncoder {

        /// <summary>
        /// Lazily built lookup table indexed by code point. As consumed by <see cref="Encode"/>,
        /// a null entry means "emit the character unchanged" and a non-null entry is the escape
        /// sequence to emit in its place.
        /// </summary>
        private static Lazy<char[][]> characterValuesLazy = new Lazy<char[][]>(InitialiseSafeList);

        /// <summary>
        /// Encodes according to the CSS encoding rules.
        /// </summary>
        /// <param name="input">The string to encode. May be null or empty.</param>
        /// <returns>
        /// The encoded string. A null or empty <paramref name="input"/> is returned as-is.
        /// </returns>
        /// <remarks>
        /// The input is walked by Unicode scalar value rather than by UTF-16 code unit, so a
        /// character outside the table is escaped as one code point and not as two surrogates.
        /// See: http://www.w3.org/International/questions/qa-escapes#cssescapes
        /// </remarks>
        internal static string Encode(string input) {
            // Nothing to escape: hand null / "" straight back to the caller.
            if (string.IsNullOrEmpty(input)) {
                return input;
            }

            // Worst case every input char becomes \XXXXXX (backslash plus six hex digits).
            // NOTE(review): a CSS hex escape is at most six digits long, so the full-width form
            // cannot absorb a hex digit that follows it in the output - confirm the generator
            // always pads to six digits.
            const int worstCaseOutputCharsPerInputChar = 7;

            char[][] encodingTable = characterValuesLazy.Value;
            StringBuilder output = EncoderUtil.GetOutputStringBuilder(input.Length, worstCaseOutputCharsPerInputChar);
            Utf16StringReader reader = new Utf16StringReader(input);

            // A negative value from the reader signals end of input.
            for (int scalar = reader.ReadNextScalarValue(); scalar >= 0; scalar = reader.ReadNextScalarValue()) {
                if (scalar < encodingTable.Length) {
                    if (encodingTable[scalar] == null) {
                        // Allow-listed character: copy through verbatim. The cast is safe here
                        // because scalar is a valid index into the pre-generated table.
                        output.Append((char)scalar);
                    }
                    else {
                        // Character is covered by the table and must be escaped.
                        char[] tableEscape = encodingTable[scalar];
                        output.Append(tableEscape);
                    }
                }
                else {
                    // No pre-generated entry exists past the end of the table, so the escape
                    // is produced on the fly from the code point itself. Characters in this
                    // range are never passed through unescaped.
                    char[] generatedEscape = SafeList.SlashThenSixDigitHexValueGenerator(scalar);
                    output.Append(generatedEscape);
                }
            }

            return output.ToString();
        }

        /// <summary>
        /// Builds the CSS encoding table used by <see cref="Encode"/>.
        /// </summary>
        /// <returns>The table produced by the SafeList helpers.</returns>
        /// <remarks>
        /// NOTE(review): presumably Generate fills every entry up to 0xFF with its escape
        /// sequence and PunchSafeList then clears the entries for the allow-listed characters;
        /// confirm against SafeList.
        /// </remarks>
        private static char[][] InitialiseSafeList() {
            char[][] table = SafeList.Generate(0xFF, SafeList.SlashThenSixDigitHexValueGenerator);
            SafeList.PunchSafeList(ref table, CssSafeList());
            return table;
        }

        /// <summary>
        /// Provides the safe characters for CSS encoding.
        /// </summary>
        /// <returns>
        /// The code points, as boxed <see cref="int"/> values, of '0'-'9', 'A'-'Z' and 'a'-'z',
        /// in that order.
        /// </returns>
        /// <remarks>See http://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet </remarks>
        private static IEnumerable CssSafeList() {
            // Inclusive [first, last] ranges of the allow-listed characters.
            int[,] inclusiveRanges = {
                { '0', '9' },
                { 'A', 'Z' },
                { 'a', 'z' }
            };

            for (int row = 0; row < inclusiveRanges.GetLength(0); row++) {
                int last = inclusiveRanges[row, 1];
                for (int codePoint = inclusiveRanges[row, 0]; codePoint <= last; codePoint++) {
                    // Yield an int (not a char) so consumers unboxing to int keep working.
                    yield return codePoint;
                }
            }
        }
    }
}