-
Notifications
You must be signed in to change notification settings - Fork 127
/
XssTest.php
198 lines (187 loc) · 24.3 KB
/
XssTest.php
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
<?php
/**
* Horde_Text_Filter_Xss tests.
*
* @author Michael Slusarz <slusarz@horde.org>
* @category Horde
* @license http://www.horde.org/licenses/lgpl21 LGPL 2.1
* @package Text_Filter
* @subpackage UnitTests
*/
class Horde_Text_Filter_XssTest extends PHPUnit_Framework_TestCase
{
/**
* Test cases from http://ha.ckers.org/xss.html
*
* @dataProvider xssProvider
*/
public function testXss($key, $val)
{
$this->assertEquals(
$val,
trim(Horde_Text_Filter::filter($key, 'xss'))
);
}
public function xssProvider()
{
$framedata = <<<EOT
<frameset rows="15,15,15,15,15,15,15,15,15,*">
<frame src="mailbox.php?page=1&actionID=delete_messages&targetMbox=&newMbox=0&flag=&indices%5B%5D=199&indices%5B%5D=200&indices%5B%5D=201&indices%5B%5D=202&indices%5B%5D=203&indices%5B%5D=204&indices%5B%5D=205&indices%5B%5D=206&indices%5B%5D=207&indices%5B%5D=208&indices%5B%5D=209&indices%5B%5D=210&indices%5B%5D=211&indices%5B%5D=212&indices%5B%5D=213&indices%5B%5D=214&indices%5B%5D=215&indices%5B%5D=216&indices%5B%5D=217&indices%5B%5D=218&indices%5B%5D=219&indices%5B%5D=220&indices%5B%5D=221&indices%5B%5D=222&indices%5B%5D=223&indices%5B%5D=224&indices%5B%5D=225&indices%5B%5D=226&indices%5B%5D=227&indices%5B%5D=228&indices%5B%5D=229&indices%5B%5D=230&indices%5B%5D=231&indices%5B%5D=232&indices%5B%5D=233&indices%5B%5D=234&indices%5B%5D=235&indices%5B%5D=236&indices%5B%5D=237&indices%5B%5D=238&indices%5B%5D=239&indices%5B%5D=240&indices%5B%5D=241&indices%5B%5D=242&indices%5B%5D=243&indices%5B%5D=244&indices%5B%5D=245&indices%5B%5D=246&indices%5B%5D=247&indices%5B%5D=248&indices%5B%5D=249&indices%5B%5D=250&indices%5B%5D=251&indices%5B%5D=252&indices%5B%5D=253&indices%5B%5D=254&indices%5B%5D=255&indices%5B%5D=256&indices%5B%5D=257&indices%5B%5D=258&indices%5B%5D=259&indices%5B%5D=260&indices%5B%5D=261&indices%5B%5D=262&indices%5B%5D=263&indices%5B%5D=264&indices%5B%5D=265&indices%5B%5D=266&indices%5B%5D=267&indices%5B%5D=268&indices%5B%5D=269&indices%5B%5D=270&indices%5B%5D=271&indices%5B%5D=272&indices%5B%5D=273&indices%5B%5D=274&indices%5B%5D=275&indices%5B%5D=276&indices%5B%5D=277&indices%5B%5D=278&indices%5B%5D=279&indices%5B%5D=280&indices%5B%5D=281&indices%5B%5D=282&indices%5B%5D=283&indices%5B%5D=284&indices%5B%5D=285&indices%5B%5D=286&indices%5B%5D=287&indices%5B%5D=288&indices%5B%5D=289&indices%5B%5D=290&indices%5B%5D=291&indices%5B%5D=292&indices%5B%5D=293&indices%5B%5D=294&indices%5B%5D=295&indices%5B%5D=296&indices%5B%5D=297&indices%5B%5D=298">
<frame src="mailbox.php?page=1&actionID=delete_messages&targetMbox=&newMbox=0&flag=&indices%5B%5D=299&indices%5B%5D=300&indices%5B%5D=301&indices%5B%5D=302&indices%5B%5D=303&indices%5B%5D=304&indices%5B%5D=305&indices%5B%5D=306&indices%5B%5D=307&indices%5B%5D=308&indices%5B%5D=309&indices%5B%5D=310&indices%5B%5D=311&indices%5B%5D=312&indices%5B%5D=313&indices%5B%5D=314&indices%5B%5D=315&indices%5B%5D=316&indices%5B%5D=317&indices%5B%5D=318&indices%5B%5D=319&indices%5B%5D=320&indices%5B%5D=321&indices%5B%5D=322&indices%5B%5D=323&indices%5B%5D=324&indices%5B%5D=325&indices%5B%5D=326&indices%5B%5D=327&indices%5B%5D=328&indices%5B%5D=329&indices%5B%5D=330&indices%5B%5D=331&indices%5B%5D=332&indices%5B%5D=333&indices%5B%5D=334&indices%5B%5D=335&indices%5B%5D=336&indices%5B%5D=337&indices%5B%5D=338&indices%5B%5D=339&indices%5B%5D=340&indices%5B%5D=341&indices%5B%5D=342&indices%5B%5D=343&indices%5B%5D=344&indices%5B%5D=345&indices%5B%5D=346&indices%5B%5D=347&indices%5B%5D=348&indices%5B%5D=349&indices%5B%5D=350&indices%5B%5D=351&indices%5B%5D=352&indices%5B%5D=353&indices%5B%5D=354&indices%5B%5D=355&indices%5B%5D=356&indices%5B%5D=357&indices%5B%5D=358&indices%5B%5D=359&indices%5B%5D=360&indices%5B%5D=361&indices%5B%5D=362&indices%5B%5D=363&indices%5B%5D=364&indices%5B%5D=365&indices%5B%5D=366&indices%5B%5D=367&indices%5B%5D=368&indices%5B%5D=369&indices%5B%5D=370&indices%5B%5D=371&indices%5B%5D=372&indices%5B%5D=373&indices%5B%5D=374&indices%5B%5D=375&indices%5B%5D=376&indices%5B%5D=377&indices%5B%5D=378&indices%5B%5D=379&indices%5B%5D=380&indices%5B%5D=381&indices%5B%5D=382&indices%5B%5D=383&indices%5B%5D=384&indices%5B%5D=385&indices%5B%5D=386&indices%5B%5D=387&indices%5B%5D=388&indices%5B%5D=389&indices%5B%5D=390&indices%5B%5D=391&indices%5B%5D=392&indices%5B%5D=393&indices%5B%5D=394&indices%5B%5D=395&indices%5B%5D=396&indices%5B%5D=397&indices%5B%5D=398">
<frame src="mailbox.php?page=1&actionID=delete_messages&targetMbox=&newMbox=0&flag=&indices%5B%5D=399&indices%5B%5D=400&indices%5B%5D=401&indices%5B%5D=402&indices%5B%5D=403&indices%5B%5D=404&indices%5B%5D=405&indices%5B%5D=406&indices%5B%5D=407&indices%5B%5D=408&indices%5B%5D=409&indices%5B%5D=410&indices%5B%5D=411&indices%5B%5D=412&indices%5B%5D=413&indices%5B%5D=414&indices%5B%5D=415&indices%5B%5D=416&indices%5B%5D=417&indices%5B%5D=418&indices%5B%5D=419&indices%5B%5D=420&indices%5B%5D=421&indices%5B%5D=422&indices%5B%5D=423&indices%5B%5D=424&indices%5B%5D=425&indices%5B%5D=426&indices%5B%5D=427&indices%5B%5D=428&indices%5B%5D=429&indices%5B%5D=430&indices%5B%5D=431&indices%5B%5D=432&indices%5B%5D=433&indices%5B%5D=434&indices%5B%5D=435&indices%5B%5D=436&indices%5B%5D=437&indices%5B%5D=438&indices%5B%5D=439&indices%5B%5D=440&indices%5B%5D=441&indices%5B%5D=442&indices%5B%5D=443&indices%5B%5D=444&indices%5B%5D=445&indices%5B%5D=446&indices%5B%5D=447&indices%5B%5D=448&indices%5B%5D=449&indices%5B%5D=450&indices%5B%5D=451&indices%5B%5D=452&indices%5B%5D=453&indices%5B%5D=454&indices%5B%5D=455&indices%5B%5D=456&indices%5B%5D=457&indices%5B%5D=458&indices%5B%5D=459&indices%5B%5D=460&indices%5B%5D=461&indices%5B%5D=462&indices%5B%5D=463&indices%5B%5D=464&indices%5B%5D=465&indices%5B%5D=466&indices%5B%5D=467&indices%5B%5D=468&indices%5B%5D=469&indices%5B%5D=470&indices%5B%5D=471&indices%5B%5D=472&indices%5B%5D=473&indices%5B%5D=474&indices%5B%5D=475&indices%5B%5D=476&indices%5B%5D=477&indices%5B%5D=478&indices%5B%5D=479&indices%5B%5D=480&indices%5B%5D=481&indices%5B%5D=482&indices%5B%5D=483&indices%5B%5D=484&indices%5B%5D=485&indices%5B%5D=486&indices%5B%5D=487&indices%5B%5D=488&indices%5B%5D=489&indices%5B%5D=490&indices%5B%5D=491&indices%5B%5D=492&indices%5B%5D=493&indices%5B%5D=494&indices%5B%5D=495&indices%5B%5D=496&indices%5B%5D=497&indices%5B%5D=498">
<frame src="mailbox.php?page=1&actionID=delete_messages&targetMbox=&newMbox=0&flag=&indices%5B%5D=499&indices%5B%5D=500&indices%5B%5D=501&indices%5B%5D=502&indices%5B%5D=503&indices%5B%5D=504&indices%5B%5D=505&indices%5B%5D=506&indices%5B%5D=507&indices%5B%5D=508&indices%5B%5D=509&indices%5B%5D=510&indices%5B%5D=511&indices%5B%5D=512&indices%5B%5D=513&indices%5B%5D=514&indices%5B%5D=515&indices%5B%5D=516&indices%5B%5D=517&indices%5B%5D=518&indices%5B%5D=519&indices%5B%5D=520&indices%5B%5D=521&indices%5B%5D=522&indices%5B%5D=523&indices%5B%5D=524&indices%5B%5D=525&indices%5B%5D=526&indices%5B%5D=527&indices%5B%5D=528&indices%5B%5D=529&indices%5B%5D=530&indices%5B%5D=531&indices%5B%5D=532&indices%5B%5D=533&indices%5B%5D=534&indices%5B%5D=535&indices%5B%5D=536&indices%5B%5D=537&indices%5B%5D=538&indices%5B%5D=539&indices%5B%5D=540&indices%5B%5D=541&indices%5B%5D=542&indices%5B%5D=543&indices%5B%5D=544&indices%5B%5D=545&indices%5B%5D=546&indices%5B%5D=547&indices%5B%5D=548&indices%5B%5D=549&indices%5B%5D=550&indices%5B%5D=551&indices%5B%5D=552&indices%5B%5D=553&indices%5B%5D=554&indices%5B%5D=555&indices%5B%5D=556&indices%5B%5D=557&indices%5B%5D=558&indices%5B%5D=559&indices%5B%5D=560&indices%5B%5D=561&indices%5B%5D=562&indices%5B%5D=563&indices%5B%5D=564&indices%5B%5D=565&indices%5B%5D=566&indices%5B%5D=567&indices%5B%5D=568&indices%5B%5D=569&indices%5B%5D=570&indices%5B%5D=571&indices%5B%5D=572&indices%5B%5D=573&indices%5B%5D=574&indices%5B%5D=575&indices%5B%5D=576&indices%5B%5D=577&indices%5B%5D=578&indices%5B%5D=579&indices%5B%5D=580&indices%5B%5D=581&indices%5B%5D=582&indices%5B%5D=583&indices%5B%5D=584&indices%5B%5D=585&indices%5B%5D=586&indices%5B%5D=587&indices%5B%5D=588&indices%5B%5D=589&indices%5B%5D=590&indices%5B%5D=591&indices%5B%5D=592&indices%5B%5D=593&indices%5B%5D=594&indices%5B%5D=595&indices%5B%5D=596&indices%5B%5D=597&indices%5B%5D=598">
<frame src="mailbox.php?page=1&actionID=delete_messages&targetMbox=&newMbox=0&flag=&indices%5B%5D=599&indices%5B%5D=600&indices%5B%5D=601&indices%5B%5D=602&indices%5B%5D=603&indices%5B%5D=604&indices%5B%5D=605&indices%5B%5D=606&indices%5B%5D=607&indices%5B%5D=608&indices%5B%5D=609&indices%5B%5D=610&indices%5B%5D=611&indices%5B%5D=612&indices%5B%5D=613&indices%5B%5D=614&indices%5B%5D=615&indices%5B%5D=616&indices%5B%5D=617&indices%5B%5D=618&indices%5B%5D=619&indices%5B%5D=620&indices%5B%5D=621&indices%5B%5D=622&indices%5B%5D=623&indices%5B%5D=624&indices%5B%5D=625&indices%5B%5D=626&indices%5B%5D=627&indices%5B%5D=628&indices%5B%5D=629&indices%5B%5D=630&indices%5B%5D=631&indices%5B%5D=632&indices%5B%5D=633&indices%5B%5D=634&indices%5B%5D=635&indices%5B%5D=636&indices%5B%5D=637&indices%5B%5D=638&indices%5B%5D=639&indices%5B%5D=640&indices%5B%5D=641&indices%5B%5D=642&indices%5B%5D=643&indices%5B%5D=644&indices%5B%5D=645&indices%5B%5D=646&indices%5B%5D=647&indices%5B%5D=648&indices%5B%5D=649&indices%5B%5D=650&indices%5B%5D=651&indices%5B%5D=652&indices%5B%5D=653&indices%5B%5D=654&indices%5B%5D=655&indices%5B%5D=656&indices%5B%5D=657&indices%5B%5D=658&indices%5B%5D=659&indices%5B%5D=660&indices%5B%5D=661&indices%5B%5D=662&indices%5B%5D=663&indices%5B%5D=664&indices%5B%5D=665&indices%5B%5D=666&indices%5B%5D=667&indices%5B%5D=668&indices%5B%5D=669&indices%5B%5D=670&indices%5B%5D=671&indices%5B%5D=672&indices%5B%5D=673&indices%5B%5D=674&indices%5B%5D=675&indices%5B%5D=676&indices%5B%5D=677&indices%5B%5D=678&indices%5B%5D=679&indices%5B%5D=680&indices%5B%5D=681&indices%5B%5D=682&indices%5B%5D=683&indices%5B%5D=684&indices%5B%5D=685&indices%5B%5D=686&indices%5B%5D=687&indices%5B%5D=688&indices%5B%5D=689&indices%5B%5D=690&indices%5B%5D=691&indices%5B%5D=692&indices%5B%5D=693&indices%5B%5D=694&indices%5B%5D=695&indices%5B%5D=696&indices%5B%5D=697&indices%5B%5D=698">
<frame src="mailbox.php?page=1&actionID=expunge_mailbox">
<frame src="mailbox.php?page=1&actionID=expunge_mailbox">
<frame src="mailbox.php?page=1&actionID=expunge_mailbox">
<frame src="mailbox.php?page=1&actionID=expunge_mailbox">
<frame src="http://secunia.com/">
</frameset>
EOT;
// Format: Input, expected
return array(
array('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>', ''),
array('<IMG SRC="javascript:alert(\'XSS\');">', '<img/>'),
array('<IMG SRC=javascript:alert(\'XSS\')>', '<img/>'),
array('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>', '<img/>'),
array('<IMG SRC=javascript:alert("XSS")>', '<img/>'),
array('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>', '<img says=""/>'),
array('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', '<img/>">'),
array('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>', '<img/>'),
array('<IMG SRC=javascript:alert('XSS')>', '<img/>'),
array('<IMG SRC=javascript:alert('XSS')>', '<img/>'),
array('<IMG SRC=javascript:alert('XSS')>', '<img/>'),
array('<IMG SRC="jav ascript:alert(\'XSS\');">', '<img/>'),
array('<IMG SRC="jav	ascript:alert(\'XSS\');">', '<img/>'),
array('<IMG SRC="jav
ascript:alert(\'XSS\');">', '<img/>'),
array('<IMG SRC="jav
ascript:alert(\'XSS\');">', '<img/>'),
array("<IMG\nSRC\n=\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n>", '<img src="j" a="" v="" s="" c="" r="" i="" p="" t="" :="" l="" e="" x=""/>'),
/* Disable these. Handling broke/change as of PHP 5.6.8, 5.5.24,
* and 5.4.40 (https://bugs.php.net/bug.php?id=69353). */
//array("<IMG SRC=java\0script:alert(\"XSS\")>", '<img src="java"/>'),
//array("<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>", '<scr/>'),
array('<IMG SRC="  javascript:alert(\'XSS\');">', '<img src=" "/>'),
array('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>', ''),
array('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>', ''),
array('<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>', ''),
array('<<SCRIPT>alert("XSS");//<</SCRIPT>', '<p>alert("XSS");//</p>'),
array('<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>', ''),
array('<SCRIPT SRC=//ha.ckers.org/.j>', ''),
array('<IMG SRC="javascript:alert(\'XSS\')"', '<img/>'),
array('<iframe src=http://ha.ckers.org/scriptlet.html <', ''),
array("<SCRIPT>a=/XSS/\nalert(a.source)</SCRIPT>", ''),
array('</TITLE><SCRIPT>alert("XSS");</SCRIPT>', ''),
array('<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">', '<input type="IMAGE"/>'),
array('<BODY BACKGROUND="javascript:alert(\'XSS\')">', ''),
array('<BODY ONLOAD=alert(\'XSS\')>', ''),
array('<IMG DYNSRC="javascript:alert(\'XSS\')">', '<img/>'),
array('<IMG LOWSRC="javascript:alert(\'XSS\')">', '<img/>'),
array('<BGSOUND SRC="javascript:alert(\'XSS\');">', ''),
array('<BR SIZE="&{alert(\'XSS\')}">', '<br/>'),
array('<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>', ''),
array('<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">', ''),
array('<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">', ''),
array('<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>', ''),
array('<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">', ''),
array('<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>', ''),
array('<XSS STYLE="behavior: url(xss.htc);">', '<xss/>'),
array('<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS', '<ul><li>XSS</li></ul>'),
array('<IMG SRC=\'vbscript:msgbox("XSS")\'>', '<img/>'),
array('<IMG SRC="mocha:[code]">', '<img/>'),
array('<IMG SRC="livescript:[code]">', '<img/>'),
array('<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">', ''),
array('<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', ''),
array('<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">', ''),
array('<IFRAME SRC=javascript:alert(\'XSS\')></IFRAME>', ''),
array('<FRAMESET><FRAME SRC=javascript:alert(\'XSS\')></FRAME></FRAMESET>', ''),
array('<TABLE BACKGROUND="javascript:alert(\'XSS\')">', '<table/>'),
array('<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">', '<table><td/></table>'),
array('<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">', '<div/>'),
array('<DIV STYLE="background-image:\0075\0072\006C\0028\'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029\'\0029">', '<div/>'),
array('<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">', '<div/>'),
array('<DIV STYLE="width: expression(alert(\'XSS\'));">', '<div/>'),
array('<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>', ''),
array('<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">', '<img/>'),
array('<XSS STYLE="xss:expression(alert(\'XSS\'))">', '<xss/>'),
array("exp/*<A STYLE='no\xss:noxss(\"*//*\");\nxss:ex/*XSS*//*/*/pression(alert(\"XSS\"))'>", '<p>exp/*<a/></p>'),
array('<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>', ''),
// This test fails on Travis for some reason. It returns an
// empty string. There is nothing malicious about the A
// tag in and of itself.
// array('<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>', '<a class="XSS"/>'),
array('<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE>', ''),
array('<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>', ''),
array("<!--[if gte IE 4]>\n<SCRIPT>alert('XSS');</SCRIPT>\n<![endif]-->", ''),
array('<BASE HREF="javascript:alert(\'XSS\');//">', ''),
array('<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>', ''),
array('<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(\'XSS\')></OBJECT>', ''),
array('<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>', ''),
array('<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', ''),
array("<HTML xmlns:xss>\n<?import namespace=\"xss\" implementation=\"http://ha.ckers.org/xss.htc\">\n<xss:xss>XSS</xss:xss>\n</HTML>", '<xss>XSS</xss>'),
array("<XML ID=I><X><C><![CDATA[<IMG SRC=\"javas]]><![CDATA[cript:alert('XSS');\">]]>\n</C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>", '<span datasrc="#I" datafld="C" dataformatas="HTML"/>'),
array("<XML ID=\"xss\"><I><B><IMG SRC=\"javas<!-- -->cript:alert('XSS')\"></B></I></XML>\n<SPAN DATASRC=\"#xss\" DATAFLD=\"B\" DATAFORMATAS=\"HTML\"></SPAN>", '<span datasrc="#xss" datafld="B" dataformatas="HTML"/>'),
array("<XML SRC=\"xsstest.xml\" ID=I></XML>\n<SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>", '<span datasrc="#I" datafld="C" dataformatas="HTML"/>'),
array("<HTML><BODY><?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"><?import namespace=\"t\" implementation=\"#default#time2\">\n<t:set attributeName=\"innerHTML\" to=\"XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>\"></BODY></HTML>", "<?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\"?><?import namespace=\"t\" implementation=\"#default#time2\"?>"),
array('<SCRIPT SRC="http://ha.ckers.org/xss.jpg"><SCRIPT>', ''),
array('<IMG SRC="javascript:alert(\'XSS\')"', '<img/>'),
array('<SCRIPT a=">" SRC="http://xss.com/a.js"></SCRIPT>', ''),
array('<SCRIPT =">" SRC="http://xss.com/a.js"></SCRIPT>', ''),
array('<SCRIPT a=">" \'\' SRC="http://xss.com/a.js"></SCRIPT>', ''),
array('<SCRIPT "a=\'>\'" SRC="http://xss.com/a.js"></SCRIPT>', ''),
array('<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>', ''),
array('<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', ''),
array('<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/a.js"></SCRIPT>', '<p>PT SRC="http://ha.ckers.org/a.js"></p>'),
array('<a href="data:text/html;base64,PGh0bWw+PGhlYWQ+PHRpdGxlPnRlc3Q8L3RpdGxlPjwvaGVhZD48Ym9keT48c2NyaXB0PmFsZXJ0KCd4c3M6ICcgKyBkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+PC9ib2R5PjwvaHRtbD4=" href="data:text/html;base64,PGh0bWw+PGhlYWQ+PHRpdGxlPnRlc3Q8L3RpdGxlPjwvaGVhZD48Ym9keT48c2NyaXB0PmFsZXJ0KCd4c3M6ICcgKyBkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+PC9ib2R5PjwvaHRtbD4=">Click me</a>', '<a>Click me</a>'),
array('<a href="data:text/html;base64,PGh0bWw+PGhlYWQ+PHRpdGxlPnRlc3Q8L3RpdGxlPjwvaGVhZD48Ym9keT48c2NyaXB0PmFsZXJ0KCd4c3M6ICcgKyBkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+PC9ib2R5PjwvaHRtbD4=">Click me</a>', '<a>Click me</a>'),
array('<body/onload=alert(/xss/)>', ''),
array('<img src=""> <BODY ONLOAD="a();"><SCRIPT>function a(){alert(\'XSS\');}</SCRIPT><"" />', '<img src=""/>'),
array('<img src=\'blank.jpg\'style=\'width:expression(alert("xssed"))\'>', '<img src="blank.jpg"/>'),
array($framedata, ''),
array('<svg><a xlink:href="data:text/html,<script>alert(/XSS/)</script>"><rect width="1000" height="1000" fill="white"/></a></svg>', '<svg><a><rect width="1000" height="1000" fill="white"/></a></svg>'),
array('<math><a xlink:href="data:text/html,<script>alert(/XSS/)</script>">click</a></math>', '<math><a>click</a></math>'),
array('<form action="data:text/html,<script>alert(/XSS/)</script>"><button></form>', '<form><button/></form>'),
);
}
public function testStyleXss()
{
$tests = array(
'<BASE HREF="javascript:alert(\'XSS\');//">' => ''
);
foreach ($tests as $key => $val) {
$this->assertEquals(
$val,
Horde_Text_Filter::filter($key, 'xss', array(
'strip_styles' => false
))
);
}
}
public function testBug9567()
{
$text = quoted_printable_decode(
"pr=E9parer =E0 vendre d\342\200\231ao=FBt"
);
$this->assertEquals(
$text,
Horde_Text_Filter::filter('<html><body>' . $text . '</body></html>', 'xss', array(
'charset' => 'iso-8859-1'
))
);
$this->assertEquals(
$text,
Horde_Text_Filter::filter('<html><head><meta http-equiv="Content-Type" content="text/html; charset=iso-8859-1"></head><body>' . $text . '</body></html>', 'xss', array(
'charset' => 'iso-8859-1'
))
);
$text = Horde_String::convertCharset(quoted_printable_decode(
"pr=E9parer =E0 vendre d’ao=FBt ;"
), 'windows-1252', 'UTF-8');
$expected = "pr\303\251parer \303\240 vendre d\342\200\231ao\303\273t\302\240;";
$this->assertEquals(
$expected,
Horde_Text_Filter::filter('<html><body>' . $text . '</body></html>', 'xss', array(
'charset' => 'utf-8'
))
);
}
}