            array('<strong>\t</strong>', '<strong>»</strong>', '<strong>\0</strong>'),
            escapeHTML(
                // make NUL bytes visible before escaping, then wrap at 28 columns,
                // marking each forced linebreak with »
                str_replace("\0", '\0(null)',
                    wordwrap($string, 28, " »\n", true)
                )
            )
        );
}

?>
<h1>HTMLPurifier XSS Attacks Smoketest</h1>
<p>XSS attacks are from
<a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
<p><strong>Caveats:</strong></p>
<p>The last segment of tests regarding blacklisted websites is not
applicable at the moment, but when we add that functionality they'll be
relevant. Most XSS broadcasts its presence by spawning an alert dialogue, so
a vector that survives purification shows up as an alert in the Render
column. The displayed code is not strictly correct, as linebreaks have been
forced for readability; linewraps have been marked with <strong>»</strong>.
Some tests are omitted for your convenience. Not all control characters are
displayed.</p>
Test
<?php
if (version_compare(PHP_VERSION, '5', '<')) exit('Requires PHP 5.');
$xml = simplexml_load_file('xssAttacks.xml');
$purifier = new HTMLPurifier();
?>
<table>
<thead><tr><th>Name</th><th>Raw</th><th>Output</th><th>Render</th></tr></thead>
<tbody>
<?php
foreach ($xml->attack as $attack) {
    $code = (string) $attack->code; // SimpleXMLElement -> plain string
    // custom code for null byte injection tests: the cheat sheet wraps these
    // vectors in perl -e 'print "..."', so extract the quoted payload and turn
    // the literal \0 escape into a real NUL byte
    if (substr($code, 0, 7) == 'perl -e') {
        $code = substr($code, $i = strpos($code, '"') + 1, strrpos($code, '"') - $i);
        $code = str_replace('\0', "\0", $code);
    }
    // disable vectors we cannot test in any meaningful way
    if ($code == 'See Below') continue; // event handlers, whitelist defeats
    if ($attack->name == 'OBJECT w/Flash 2') continue; // requires ActionScript
    if ($attack->name == 'IMG Embedded commands 2') continue; // is an HTTP response
    // custom code for US-ASCII, which couldn't be expressed in XML without encoding
    if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
?>
    <tr>
        <td><?php echo escapeHTML($attack->name); ?></td>
        <td><pre><?php echo formatCode($code); ?></pre></td>
        <td><pre><?php echo formatCode($purifier->purify($code)); ?></pre></td>
        <td><?php echo $purifier->purify($code); ?></td>
    </tr>
<?php } ?>
</tbody>
</table>
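<p>The preprocessing and display logic above, as an added stand-alone PHP script that is not part of the HTMLPurifier smoketest: it parses a constructed xssAttacks.xml-style document embedded inline, applies the same perl -e / NUL-byte and US-ASCII handling (and additionally turns <code>\"</code> inside the perl string back into <code>"</code>, which the loop above leaves alone), runs each vector through HTMLPurifier and flags any output that still carries a script tag, a javascript: URI or an on* handler. It assumes HTMLPurifier is installed through Composer (vendor/autoload.php) and PHP 7.1 or later; the vector names and payloads, the <code>looksLive</code> heuristic and the function names are assumptions of the example, not the project's.</p>

```php
<?php
// Added example, not part of the HTMLPurifier smoketest. Assumes a Composer install
// of HTMLPurifier (vendor/autoload.php) and PHP >= 7.1 for nullable return types.
require_once __DIR__ . '/vendor/autoload.php';

// Constructed vectors in the shape of xssAttacks.xml: one <attack> per <name>/<code> pair.
// CDATA keeps the raw payload readable; the real file holds the ha.ckers.org cheat sheet.
$xmlSource = <<<'XML'
<xss>
  <attack>
    <name>Null byte in scheme</name>
    <code><![CDATA[perl -e 'print "<IMG SRC=java\0script:alert(\"XSS\")>";' > out]]></code>
  </attack>
  <attack>
    <name>US-ASCII encoding</name>
    <code>%BCscript%BEalert(%A2XSS%A2)%BC/script%BE</code>
  </attack>
  <attack>
    <name>Event handler on image</name>
    <code><![CDATA[<img src="a.png" onerror="alert(1)" />]]></code>
  </attack>
  <attack>
    <name>Event handlers (see cheat sheet)</name>
    <code>See Below</code>
  </attack>
</xss>
XML;

/**
 * Same preprocessing as the smoketest loop: unwrap perl -e 'print "..."' vectors into
 * the bytes perl would print (the literal \0 escape becomes a real NUL; this version
 * also turns \" back into "), URL-decode the US-ASCII vector, and return null for
 * vectors that cannot be exercised here ('See Below').
 */
function prepareVector(string $name, string $code): ?string
{
    if ($code === 'See Below') {
        return null;
    }
    if (substr($code, 0, 7) === 'perl -e') {
        $start = strpos($code, '"') + 1;
        $end   = strrpos($code, '"');
        $code  = substr($code, $start, $end - $start);
        $code  = str_replace(['\0', '\"'], ["\0", '"'], $code);
    }
    if ($name === 'US-ASCII encoding') {
        $code = urldecode($code);
    }
    return $code;
}

/** Terminal counterpart of formatCode(): make NULs and other control bytes visible. */
function makeVisible(string $s): string
{
    return preg_replace_callback('/[\x00-\x1f\x7f]/', function (array $m): string {
        $byte = ord($m[0]);
        return $byte === 0 ? '\0(null)' : sprintf('\x%02x', $byte);
    }, $s);
}

/**
 * Heuristic verdict on purified output (an assumption of this example; the smoketest
 * itself relies on a human watching the Render column for an alert): does anything
 * that could still execute survive?
 */
function looksLive(string $html): bool
{
    return stripos($html, '<script') !== false
        || stripos($html, 'javascript:') !== false
        || preg_match('/\son[a-z]+\s*=/i', $html) === 1;
}

/** Run every vector through the purifier; returns name => 'skipped' | 'ok' | 'FAIL: ...'. */
function runSmoketest(string $xmlSource, HTMLPurifier $purifier): array
{
    $results = [];
    foreach (simplexml_load_string($xmlSource)->attack as $attack) {
        $name = (string) $attack->name;
        $code = prepareVector($name, (string) $attack->code);
        if ($code === null) {
            $results[$name] = 'skipped';
            continue;
        }
        $clean = $purifier->purify($code);
        $results[$name] = looksLive($clean) ? 'FAIL: ' . makeVisible($clean) : 'ok';
    }
    return $results;
}

foreach (runSmoketest($xmlSource, new HTMLPurifier()) as $name => $verdict) {
    printf("%-36s %s\n", $name, $verdict);
}
```

<p>Run it from the command line with <code>php</code>. A vector whose purified output still looks executable is printed with its control bytes made visible, which is the same information the Raw and Output columns above convey in the browser; a regression in the purifier therefore shows up as a FAIL line rather than requiring someone to watch for an alert dialogue.</p>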