Update narrative sanitizer for potentially dangerous content

src/Microsoft.Health.Fhir.Core/Features/Validation/Narratives/NarrativeHtmlSanitizer.cs

@@ -131,14 +131,28 @@
             "xmlns",
         };
 
-        private static readonly ISet<string> Src = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        private static readonly ISet<string> AllowedSrcSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
         {
             "#",
             "data:",
             "http:",
             "https:",
         };
 
+        private static readonly ISet<string> DangerousHrefSchemes = new HashSet<string>(StringComparer.OrdinalIgnoreCase)
+        {
+            "javascript:",
+            "vbscript:",
+            "data:",
+            "livescript:",
+            "file:",
+            "blob:",
+            "ftp:",
+            "ms-its:",
+            "mhtml:",
+            "jar:",
+        };
+
         // Obvious invalid structural parsing errors to report
         private static readonly HashSet<HtmlParseError> RaiseErrorTypes = new HashSet<HtmlParseError>
         {
@@ -292,11 +306,19 @@
 
                 if (string.Equals("src", attr.Name, StringComparison.OrdinalIgnoreCase))
                 {
-                    if (!Src.Any(x => attr.Value.StartsWith(x, StringComparison.OrdinalIgnoreCase)))
+                    if (!AllowedSrcSchemes.Any(x => attr.Value.StartsWith(x, StringComparison.OrdinalIgnoreCase)))
+                    {
+                        onInvalidAttr(element, attr);
+                    }
+                }
+
+                if (string.Equals("href", attr.Name, StringComparison.OrdinalIgnoreCase))
+                {
+                    if (DangerousHrefSchemes.Any(x => attr.Value.StartsWith(x, StringComparison.OrdinalIgnoreCase)))
                     {
                         onInvalidAttr(element, attr);
                     }
                 }
             }
         }
     }

src/Microsoft.Health.Fhir.Shared.Core.UnitTests/Features/Validation/Narratives/NarrativeHtmlSanitizerTests.cs

@@ -84,5 +84,41 @@ public void GivenHtmlWithDivAndText_WhenCleaningHtml_ThenResultIsSuccessful(stri
 
             Assert.Equal(output, results);
         }
+
+        [Theory]
+        [InlineData("<div><a href=\"javascript:alert('XSS')\">click</a></div>")]
+        [InlineData("<div><a href=\"JAVASCRIPT:alert('XSS')\">click</a></div>")]
+        [InlineData("<div><a href=\"vbscript:MsgBox('XSS')\">click</a></div>")]
+        [InlineData("<div><a href=\"data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4=\">click</a></div>")]
+        public void GivenHtmlWithMaliciousHref_WhenValidating_ThenValidationErrorIsReturned(string html)
+        {
+            var results = _sanitizer.Validate(html);
+
+            Assert.NotEmpty(results);
+        }
+
+        [Theory]
+        [InlineData("<div><a href=\"https://example.com\">safe</a></div>")]
+        [InlineData("<div><a href=\"http://example.com\">safe</a></div>")]
+        [InlineData("<div><a href=\"#section1\">anchor</a></div>")]
+        [InlineData("<div><a href=\"mypage.html\">relative</a></div>")]
+        [InlineData("<div><a href=\"mailto:user@example.com\">email</a></div>")]
+        public void GivenHtmlWithSafeHref_WhenValidating_ThenValidationIsSuccessful(string html)
+        {
+            var results = _sanitizer.Validate(html);
+
+            Assert.Empty(results);
+        }
+
+        [Theory]
+        [InlineData("<div><a href=\"javascript:alert('XSS')\">click</a></div>", "<div><a>click</a></div>")]
+        [InlineData("<div><a href=\"data:text/html,<script>alert(1)</script>\">click</a></div>", "<div><a>click</a></div>")]
+        [InlineData("<div><a href=\"https://example.com\">safe</a></div>", "<div><a href=\"https://example.com\">safe</a></div>")]
+        public void GivenHtmlWithMaliciousHref_WhenSanitizing_ThenHrefIsRemoved(string input, string output)
+        {
+            var results = _sanitizer.Sanitize(input);
+
+            Assert.Equal(output, results);
+        }
     }
 }