From e1b29d7c25572dd8c557bfe415880f917fdaae0b Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" <edwardzyang@thewritingpot.com>
Date: Wed, 8 Nov 2006 01:31:38 +0000
Subject: [PATCH] [1.2.0] XSS attacks smoketest given facelift.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@516 48356398-32a2-884e-a903-53898d9a118a
---
 NEWS                      |  1 +
 smoketests/xssAttacks.php | 56 +++++++++++++++++++++++++++++++--------
 2 files changed, 46 insertions(+), 11 deletions(-)

diff --git a/NEWS b/NEWS
index f01b4f67..db4cfcb3 100644
--- a/NEWS
+++ b/NEWS
@@ -11,6 +11,7 @@ NEWS ( CHANGELOG and HISTORY )                                     HTMLPurifier
 1.2.0, unknown projected release date
 ! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
 ! Added percent encoding normalization
+! XSS attacks smoketest given facelift
 - Documentation updated
   + TODO added request Phalanger
   + TODO added request Native compression
diff --git a/smoketests/xssAttacks.php b/smoketests/xssAttacks.php
index 48d020a1..4fdace29 100644
--- a/smoketests/xssAttacks.php
+++ b/smoketests/xssAttacks.php
@@ -2,6 +2,19 @@
 
 require_once('common.php');
 
+function formatCode($string) {
+    return 
+        str_replace(
+            array("\t", '»', '\0(null)'),
+            array('<strong>\t</strong>', '<span class="linebreak">»</span>', '<strong>\0</strong>'),
+            escapeHTML(
+                str_replace("\0", '\0(null)',
+                    wordwrap($string, 28, " »\n", true)
+                )
+            )
+        );
+}
+
 ?><!DOCTYPE html 
      PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@@ -9,15 +22,26 @@ require_once('common.php');
 <head>
     <title>HTMLPurifier XSS Attacks Smoketest</title>
     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <style type="text/css">
+        .scroll {overflow:auto; width:100%;}
+        .even {background:#EAEAEA;}
+        thead th {border-bottom:1px solid #000;}
+        pre strong {color:#00C;}
+        pre .linebreak {color:#AAA;font-weight:100;}
+    </style>
 </head>
 <body>
 <h1>HTMLPurifier XSS Attacks Smoketest</h1>
 <p>XSS attacks are from
 <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
-<p>The last segment of tests regarding blacklisted websites is not
+<p><strong>Caveats:</strong>
+The last segment of tests regarding blacklisted websites is not
 applicable at the moment, but when we add that functionality they'll be
-relevant.</p>
-<p>Most of the XSS broadcasts its presence by spawning an alert dialogue.</p>
+relevant. Most XSS broadcasts its presence by spawning an alert dialogue.
+The displayed code is not strictly correct, as linebreaks have been forced for
+readability. Linewraps have been marked with <tt>»</tt>.  Some tests are
+omitted for your convenience. Not all control characters are displayed.</p>
+
 <h2>Test</h2>
 <?php
 
@@ -27,24 +51,35 @@ $xml = simplexml_load_file('xssAttacks.xml');
 $purifier = new HTMLPurifier();
 
 ?>
-<!-- form is used so that we can use textareas and stay valid -->
-<form method="post" action="xssAttacks.php">
-<table>
+<table cellspacing="0" cellpadding="2">
 <thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
 <tbody>
 <?php
 
+$i = 0;
 foreach ($xml->attack as $attack) {
     $code = $attack->code;
+    
+    // custom code for null byte injection tests
+    if (substr($code, 0, 7) == 'perl -e') {
+        $code = substr($code, $i=strpos($code, '"')+1, strrpos($code, '"') - $i);
+        $code = str_replace('\0', "\0", $code);
+    }
+    
+    // disable vectors we cannot test in any meaningful way
+    if ($code == 'See Below') continue; // event handlers, whitelist defeats
+    if ($attack->name == 'OBJECT w/Flash 2') continue; // requires ActionScript
+    if ($attack->name == 'IMG Embedded commands 2') continue; // is an HTTP response
+    
     // custom code for US-ASCII, which couldn't be expressed in XML without encoding
     if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
 ?>
-    <tr>
+    <tr<?php if ($i++ % 2) {echo ' class="even"';} ?>>
         <td><?php echo escapeHTML($attack->name); ?></td>
-        <td><textarea readonly="readonly" cols="20" rows="2"><?php echo escapeHTML($code); ?></textarea></td>
+        <td><pre><?php echo formatCode($code); ?></pre></td>
         <?php $pure_html = $purifier->purify($code); ?>
-        <td><textarea readonly="readonly" cols="20" rows="2"><?php echo escapeHTML($pure_html); ?></textarea></td>
-        <td><?php echo $pure_html ?></td>
+        <td><pre><?php echo formatCode($pure_html); ?></pre></td>
+        <td><div class="scroll"><?php echo $pure_html ?></div></td>
     </tr>
 <?php
 }
@@ -52,6 +87,5 @@ foreach ($xml->attack as $attack) {
 ?>
 </tbody>
 </table>
-</form>
 </body>
 </html>
\ No newline at end of file