
HTML Purifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.

Caveats: The last segment of tests, regarding blacklisted websites, is not applicable at the moment; when that functionality is added, those tests will become relevant. Most of the XSS vectors signal success by spawning an alert dialogue, so a payload that survives purification shows up as a pop-up in the rendered column. The displayed code is not strictly correct, as line breaks have been forced for readability; line wraps are marked with ». Some tests are omitted for convenience, and not all control characters are displayed.

Test

Requires PHP 5.

The test loop reads every vector from xssAttacks.xml, applies a few special cases that the XML format cannot express directly, skips rows that cannot be exercised, and prints one table row per vector with the raw code, the purified code, and the purified code rendered live:

```php
<?php
$xml      = simplexml_load_file('xssAttacks.xml');
$purifier = new HTMLPurifier();
?>
<table>
<thead><tr><th>Name</th><th>Raw</th><th>Output</th><th>Render</th></tr></thead>
<tbody>
<?php
foreach ($xml->attack as $attack) {
    $code = (string) $attack->code;
    $name = (string) $attack->name;

    // custom code for null byte injection tests: the vector is stored as a
    // perl -e one-liner, so take the double-quoted string handed to print
    // and turn the literal \0 escapes into real NUL bytes
    if (substr($code, 0, 7) == 'perl -e') {
        $i    = strpos($code, '"') + 1;
        $code = substr($code, $i, strrpos($code, '"') - $i);
        $code = str_replace('\0', "\0", $code);
    }

    // disable vectors we cannot test in any meaningful way
    if ($code == 'See Below') continue;               // event handlers, whitelist defeats
    if ($name == 'OBJECT w/Flash 2') continue;        // requires ActionScript
    if ($name == 'IMG Embedded commands 2') continue; // is an HTTP response

    // custom code for US-ASCII, which couldn't be expressed in XML without encoding
    if ($name == 'US-ASCII encoding') $code = urldecode($code);

    $purified = $purifier->purify($code);
?>
<tr>
    <!-- Name | Raw | Output | Render; escapeHTML() is the smoketest's own escaping helper -->
    <td><?php echo escapeHTML($name); ?></td>
    <td><pre><?php echo escapeHTML($code); ?></pre></td>
    <td><pre><?php echo escapeHTML($purified); ?></pre></td>
    <td><?php echo $purified; ?></td>
</tr>
<?php
}
?>
</tbody>
</table>
```
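The loop's real content is its preprocessing contract: unwrap the perl -e null-byte vectors into strings containing a real NUL, percent-decode the US-ASCII vector into raw high bytes, drop rows that cannot be exercised, and then compare raw against purified output. The following is an added example, not code from HTML Purifier or from this smoketest, that re-implements that preprocessing in Python over a constructed fixture in the shape of xssAttacks.xml. In place of the purifier it uses a small normalize-then-match check of the kind a reviewer applies when reading the Render column: strip the control bytes and high bits that the null-byte and US-ASCII vectors hide behind, then look for script tags, event-handler attributes and javascript: URLs. The fixture, the UNTESTABLE set and the CONTROL/DANGER patterns are assumptions of this example, and unescaping \" inside the perl string goes one step beyond what the page's loop does.

```python
"""Added example (not from HTML Purifier): the smoketest's vector
preprocessing re-implemented in Python over a constructed fixture."""
import re
import xml.etree.ElementTree as ET
from html import unescape
from typing import Optional
from urllib.parse import unquote

# Constructed fixture in the shape of xssAttacks.xml (assumption: one
# <attack> per vector with <name> and <code> children, as the loop reads).
# The vectors are textbook forms from the cheat sheet the page cites; the
# last two rows mirror entries the harness skips.
FIXTURE_XML = r"""<xss>
  <attack><name>IMG javascript URI</name>
    <code>&lt;IMG SRC="javascript:alert('XSS');"&gt;</code></attack>
  <attack><name>Null byte in scheme</name>
    <code>perl -e 'print "&lt;IMG SRC=java\0script:alert(\"XSS\")&gt;";' &gt; out</code></attack>
  <attack><name>US-ASCII encoding</name>
    <code>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE</code></attack>
  <attack><name>Plain paragraph</name><code>&lt;p&gt;hello&lt;/p&gt;</code></attack>
  <attack><name>Event handlers</name><code>See Below</code></attack>
  <attack><name>OBJECT w/Flash 2</name><code>&lt;OBJECT&gt;flash&lt;/OBJECT&gt;</code></attack>
</xss>"""

# Names the page's loop skips because the row is not a testable vector.
UNTESTABLE = {"OBJECT w/Flash 2", "IMG Embedded commands 2"}

# C0 controls other than tab/newline/CR: browsers drop these inside
# attribute values, which is what the null-byte vectors rely on.
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f]")
# What a reviewer scans the Render column for: script tags, event
# handler attributes, script-scheme URLs in src/href.
DANGER = re.compile(
    r"<script|\bon\w+\s*=|(?:src|href)\s*=\s*['\"]?\s*javascript:", re.I)


def decode_vector(name: str, code: str) -> Optional[str]:
    """Apply the harness's special cases; None means 'skip this row'."""
    if code == "See Below" or name in UNTESTABLE:
        return None
    if code.startswith("perl -e"):
        # Payload is the double-quoted string handed to print. The literal
        # two-character sequence \0 stands for a real NUL byte; unescaping
        # \" as well is this example's addition, not the page's loop.
        first, last = code.index('"') + 1, code.rindex('"')
        code = code[first:last].replace("\\0", "\0").replace('\\"', '"')
    if name == "US-ASCII encoding":
        # urldecode() in the harness yields raw high bytes; latin-1 keeps
        # each %XX as the code point XX so nothing is lost.
        code = unquote(code, encoding="latin-1")
    return code


def normalize(markup: str) -> str:
    """Fold the markup the way a permissive browser might read it before
    pattern-matching: drop control bytes, decode entities, and strip the
    high bit as a US-ASCII charset interpretation would. The last step is
    deliberately aggressive: it is a test-harness normalization, not
    something to apply to real content."""
    markup = unescape(CONTROL.sub("", markup))
    return "".join(chr(ord(c) & 0x7F) if ord(c) >= 0x80 else c for c in markup)


def run_smoketest(xml_text: str) -> list:
    """Return one row per testable vector: name, decoded code, and whether
    the normalized form still matches a dangerous pattern."""
    rows = []
    for attack in ET.fromstring(xml_text).findall("attack"):
        name, raw = attack.findtext("name"), attack.findtext("code")
        code = decode_vector(name, raw)
        if code is None:
            continue
        rows.append({"name": name, "code": code,
                     "flagged": DANGER.search(normalize(code)) is not None})
    return rows


if __name__ == "__main__":
    for row in run_smoketest(FIXTURE_XML):
        shown = row["code"].replace("\0", "\\0(null)")  # display NUL as the page does
        print(f"{row['name']:<22} {'FLAG' if row['flagged'] else 'ok  '} {shown}")
```

The point the null-byte row makes is the same one the harness's perl -e special case exists for: a pattern check run over the raw bytes sees no javascript: scheme at all, while the normalized form is the plain vector, so any output column that still contains the NUL has not been made safe, only made harder to grep.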