0
0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-01-05 14:11:52 +00:00

Add a variableWidthAttack smoketest, and add analysis to some smoketests.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@294 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-08-17 23:36:35 +00:00
parent 66ddc4cc5a
commit af0de616ae
3 changed files with 83 additions and 4 deletions

View File

@ -1,4 +1,9 @@
<!DOCTYPE html <?php
// there must not be a byte order mark
header('Content-type: text/html; charset=UTF-8');
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <html>
@ -27,5 +32,10 @@ $string = '
<?php echo $string; ?> <?php echo $string; ?>
<h2>Purified</h2> <h2>Purified</h2>
<?php echo $purifier->purify($string); ?> <?php echo $purifier->purify($string); ?>
<h2>Analysis</h2>
<p>The content in <strong>Raw</strong> should be equivalent to the content
in <strong>Purified</strong>. If <strong>Purified</strong> is mangled, there
is likely trouble a-brewing in the library. If
both are mangled, check to see that this file was not corrupted.</p>
</body> </body>
</html> </html>

View File

@ -0,0 +1,62 @@
<?php
header('Content-type: text/html; charset=UTF-8');
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html>
<head>
<title>HTMLPurifier Variable Width Attack Smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
</head>
<body>
<h1>HTMLPurifier Variable Width Attack Smoketest</h1>
<p>For more information, see
<a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
original advisory.</a> This particular exploit code appears only to work
in Internet Explorer, if it works at all.</p>
<h2>Test</h2>
<?php
set_include_path('../library' . PATH_SEPARATOR . get_include_path());
require_once 'HTMLPurifier.php';
$purifier = new HTMLPurifier();
function escape($string) {
$string = htmlspecialchars($string, ENT_COMPAT, 'UTF-8');
$string = iconv('UTF-8', 'UTF-8//IGNORE', $string);
return $string;
}
?>
<table>
<thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
<tbody>
<?php
for ($i = 0; $i < 256; $i++) {
$c = chr($i);
$html = '<img src="" alt="X' . $c . '"';
$html .= '>A"'; // in our out the attribute? ;-)
$html .= "onerror=alert('$i')>O";
$pure_html = $purifier->purify($html);
?>
<tr>
<td><?php echo $i; ?></td>
<td style="font-size:8pt;"><?php echo escape($html); ?></td>
<td style="font-size:8pt;"><?php echo escape($pure_html); ?></td>
<td><?php echo $pure_html; ?></td>
</tr>
<?php } ?>
</tbody>
</table>
<h2>Analysis</h2>
<p>This test currently passes the XSS aspect but fails the validation aspect
due to generalized encoding issues. An augmented UTF-8 smoketest is
pending, until then, consider this a pass.</p>
</body>
</html>

View File

@ -1,4 +1,8 @@
<!DOCTYPE html <?php
header('Content-type: text/html; charset=UTF-8');
?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html> <html>
@ -13,6 +17,8 @@
<p>The last segment of tests regarding blacklisted websites is not <p>The last segment of tests regarding blacklisted websites is not
applicable at the moment, but when we add that functionality they'll be applicable at the moment, but when we add that functionality they'll be
relevant.</p> relevant.</p>
<p>Most of the XSS broadcasts its presence by spawning an alert dialogue.</p>
<h2>Test</h2>
<?php <?php
if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>'); if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>');
@ -24,6 +30,7 @@ $xml = simplexml_load_file('xssAttacks.xml');
$purifier = new HTMLPurifier(); $purifier = new HTMLPurifier();
?> ?>
<!-- form is used so that we can use textareas and stay valid -->
<form method="post" action="xssAttacks.php"> <form method="post" action="xssAttacks.php">
<table> <table>
<thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead> <thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>