mirrors/htmlpurifier
0
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2024-09-19 10:45:18 +00:00
Code Releases Activity

[1.2.0] XSS attacks smoketest given facelift.

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@516 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang 2006-11-08 01:31:38 +00:00
parent 9668ac1e38
commit e1b29d7c25
2 changed files with 46 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
NEWS
View File

@ -11,6 +11,7 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
1.2.0, unknown projected release date 1.2.0, unknown projected release date
! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html> ! Added MODx plugin <http://modxcms.com/forums/index.php/topic,6604.0.html>
! Added percent encoding normalization ! Added percent encoding normalization
! XSS attacks smoketest given facelift
- Documentation updated - Documentation updated
+ TODO added request Phalanger + TODO added request Phalanger
+ TODO added request Native compression + TODO added request Native compression

56
smoketests/xssAttacks.php
View File

@ -2,6 +2,19 @@
require_once('common.php'); require_once('common.php');
function formatCode($string) {
return
str_replace(
array("\t", '»', '\0(null)'),
array('<strong>\t</strong>', '<span class="linebreak">»</span>', '<strong>\0</strong>'),
escapeHTML(
str_replace("\0", '\0(null)',
wordwrap($string, 28, " »\n", true)
)
)
);
}
?><!DOCTYPE html ?><!DOCTYPE html
PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
@ -9,15 +22,26 @@ require_once('common.php');
<head> <head>
<title>HTMLPurifier XSS Attacks Smoketest</title> <title>HTMLPurifier XSS Attacks Smoketest</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" /> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<style type="text/css">
.scroll {overflow:auto; width:100%;}
.even {background:#EAEAEA;}
thead th {border-bottom:1px solid #000;}
pre strong {color:#00C;}
pre .linebreak {color:#AAA;font-weight:100;}
</style>
</head> </head>
<body> <body>
<h1>HTMLPurifier XSS Attacks Smoketest</h1> <h1>HTMLPurifier XSS Attacks Smoketest</h1>
<p>XSS attacks are from <p>XSS attacks are from
<a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p> <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
<p>The last segment of tests regarding blacklisted websites is not <p><strong>Caveats:</strong>
The last segment of tests regarding blacklisted websites is not
applicable at the moment, but when we add that functionality they'll be applicable at the moment, but when we add that functionality they'll be
relevant.</p> relevant. Most XSS broadcasts its presence by spawning an alert dialogue.
<p>Most of the XSS broadcasts its presence by spawning an alert dialogue.</p> The displayed code is not strictly correct, as linebreaks have been forced for
readability. Linewraps have been marked with <tt>»</tt>. Some tests are
omitted for your convenience. Not all control characters are displayed.</p>
<h2>Test</h2> <h2>Test</h2>
<?php <?php
@ -27,24 +51,35 @@ $xml = simplexml_load_file('xssAttacks.xml');
$purifier = new HTMLPurifier(); $purifier = new HTMLPurifier();
?> ?>
<!-- form is used so that we can use textareas and stay valid --> <table cellspacing="0" cellpadding="2">
<form method="post" action="xssAttacks.php">
<table>
<thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead> <thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
<tbody> <tbody>
<?php <?php
$i = 0;
foreach ($xml->attack as $attack) { foreach ($xml->attack as $attack) {
$code = $attack->code; $code = $attack->code;
// custom code for null byte injection tests
if (substr($code, 0, 7) == 'perl -e') {
$code = substr($code, $i=strpos($code, '"')+1, strrpos($code, '"') - $i);
$code = str_replace('\0', "\0", $code);
}
// disable vectors we cannot test in any meaningful way
if ($code == 'See Below') continue; // event handlers, whitelist defeats
if ($attack->name == 'OBJECT w/Flash 2') continue; // requires ActionScript
if ($attack->name == 'IMG Embedded commands 2') continue; // is an HTTP response
// custom code for US-ASCII, which couldn't be expressed in XML without encoding // custom code for US-ASCII, which couldn't be expressed in XML without encoding
if ($attack->name == 'US-ASCII encoding') $code = urldecode($code); if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
?> ?>
<tr> <tr<?php if ($i++ % 2) {echo ' class="even"';} ?>>
<td><?php echo escapeHTML($attack->name); ?></td> <td><?php echo escapeHTML($attack->name); ?></td>
<td><textarea readonly="readonly" cols="20" rows="2"><?php echo escapeHTML($code); ?></textarea></td> <td><pre><?php echo formatCode($code); ?></pre></td>
<?php $pure_html = $purifier->purify($code); ?> <?php $pure_html = $purifier->purify($code); ?>
<td><textarea readonly="readonly" cols="20" rows="2"><?php echo escapeHTML($pure_html); ?></textarea></td> <td><pre><?php echo formatCode($pure_html); ?></pre></td>
<td><?php echo $pure_html ?></td> <td><div class="scroll"><?php echo $pure_html ?></div></td>
</tr> </tr>
<?php <?php
} }
@ -52,6 +87,5 @@ foreach ($xml->attack as $attack) {
?> ?>
</tbody> </tbody>
</table> </table>
</form>
</body> </body>
</html> </html>