Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[jan] Fix XSS vulnerability in Open Document mime viewer (Reported by…
…: Simon Scannell, SonarSource <simon.scannell@sonarsource.com>).
- Loading branch information
Showing
11 changed files
with
99 additions
and
76 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -12,6 +12,7 @@ nbproject/ | |
*.swp | ||
*.kdev4 | ||
.kdev4/* | ||
.idea/ | ||
|
||
# Ignore ALL config files | ||
conf.php | ||
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
<?php | ||
require_once 'Horde/Test/AllTests.php'; | ||
Horde_Test_AllTests::init(__FILE__)->run(); |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,40 @@ | ||
<?php | ||
/** | ||
* Copyright 2022 Horde LLC (http://www.horde.org/) | ||
* | ||
* @category Horde | ||
* @copyright 2022 Horde LLC | ||
* @license http://www.horde.org/licenses/lgpl21 LGPL 2.1 | ||
* @package Mime | ||
* @subpackage UnitTests | ||
*/ | ||
|
||
/** | ||
* Tests for the Horde_Mime_Viewer_Ooo class. | ||
* | ||
* @author Jan Schneider <jan@horde.org> | ||
* @category Horde | ||
* @copyright 2022 Horde LLC | ||
* @internal | ||
* @license http://www.horde.org/licenses/lgpl21 LGPL 2.1 | ||
* @package Mime | ||
* @subpackage UnitTests | ||
*/ | ||
class Horde_Mime_MimeTest extends \PHPUnit\Framework\TestCase | ||
{ | ||
|
||
public function testXssVulnerability() | ||
{ | ||
$mimePart = new Horde_Mime_Part(); | ||
$mimePart->setContents(file_get_contents(__DIR__ . '/xss.odt')); | ||
$viewer = new Horde_Mime_Viewer_Ooo( | ||
$mimePart, | ||
array('zip' => new Horde_Compress_Zip()) | ||
); | ||
$html = current(@$viewer->render('full')); | ||
|
||
$this->assertNotContains("<script>alert('xss demonstration');</script>", $html['data']); | ||
$this->assertNotContains("javascript:alert('xss')", $html['data']); | ||
} | ||
|
||
} |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,3 @@ | ||
<?php | ||
require_once 'Horde/Test/Bootstrap.php'; | ||
Horde_Test_Bootstrap::bootstrap(dirname(__FILE__)); |
This file was deleted.
Oops, something went wrong.
Binary file not shown.