
add test for XSS from twitter

mikesamuel committed Apr 20, 2019
1 parent e4eff4f commit 659ab22922de7597793971fc90a5313e41f6538f
Showing with 17 additions and 0 deletions.
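--- a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
+++ b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -941,6 +941,23 @@ public String apply(String elementName, List<String> attrs) {
 scriptSanitizer.sanitize(htmlMetaCharsEscaped));
 }
 
+@Test
+public static final void testNoscriptInAttribute() {
+PolicyFactory pf = new HtmlPolicyBuilder()
+.allowElements("img", "p", "noscript")
+.allowAttributes("title").globally()
+.allowAttributes("img").onElements("img")
+.toFactory();
+
+assertEquals(
+"<noscript>"
++ "<p title=\"&lt;/noscript&gt;&lt;img src&#61;x onerror&#61;alert(1)&gt;\">"
++ "</p>"
++ "</noscript>",
+pf.sanitize(
+"<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">"));
+}
+
 private static String apply(HtmlPolicyBuilder b) {
 return apply(b, EXAMPLE);
 }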
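Review bot: `.allowAttributes("img").onElements("img")` in the policy setup allows an attribute literally named `img`, which reads like a typo for `src`; as written the line has no effect on the case under test, so either change it to `.allowAttributes("src").onElements("img")` or drop it so the policy states only what the assertion depends on. The test would also benefit from a short Javadoc explaining why the case matters: with scripting enabled a browser treats `<noscript>` content as raw text, so an unescaped `</noscript>` inside an attribute value would close the element early and the markup after it would be parsed as real elements; the assertion checks that the `<`, `>` and `=` in the attribute value come out entity-encoded so that cannot happen. The method is declared `public static final`, which is unusual for a `@Test`; if this class runs under a JUnit 4 runner rather than as a `TestCase` subclass the runner rejects static test methods, so it is worth confirming this matches the other tests in the file (the enclosing class is outside the hunk).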
