HTMLPurifier XSS Attacks Smoketest

XSS attacks are from http://ha.ckers.org/xss.html.

The last segment of tests, which covers blacklisted websites, is not applicable at the moment, but it will become relevant once that functionality is added.

Most of the XSS vectors announce themselves by spawning an alert dialogue.

Test

Requires PHP 5.

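    <?php
    require_once 'HTMLPurifier.auto.php'; // assumes the library is on the include path

    $xml = simplexml_load_file('xssAttacks.xml');
    $purifier = new HTMLPurifier();

    echo "<table><tr><th>Name</th><th>Raw</th><th>Output</th><th>Render</th></tr>\n";
    foreach ($xml->attack as $attack) {
        $code = (string) $attack->code;
        // custom code for US-ASCII, which couldn't be expressed in XML without encoding
        if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
        $pure_code = $purifier->purify($code);
        echo '<tr><td>', htmlspecialchars((string) $attack->name), '</td>', // Name
             '<td>', htmlspecialchars($code), '</td>',                      // Raw (escaped)
             '<td>', htmlspecialchars($pure_code), '</td>',                 // Output (escaped)
             '<td>', $pure_code, "</td></tr>\n";                            // Render (live)
    }
    echo "</table>\n";
    ?>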
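The table above relies on a person noticing an alert dialogue in the Render column. The following added example (not part of the original smoketest or of HTMLPurifier) checks the purified output automatically by parsing it and reporting any script-capable markup. The function name `findActiveContent`, the list of banned elements and schemes, and the include path are assumptions made for illustration.

```php
<?php
// Added example, not HTMLPurifier's own code. Assumes HTMLPurifier.auto.php is
// on the include path and xssAttacks.xml is the file the smoketest loads.
require_once 'HTMLPurifier.auto.php';

// Returns findings for an HTML fragment; an empty array means no
// script-capable markup was found.
function findActiveContent($html)
{
    $banned = array('script', 'iframe', 'object', 'embed', 'style', 'link', 'meta', 'base');
    $findings = array();
    libxml_use_internal_errors(true); // fragments trigger harmless parse warnings
    $doc = new DOMDocument();
    $doc->loadHTML('<div>' . $html . '</div>');
    libxml_clear_errors();
    foreach ($doc->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->nodeName);
        if (in_array($tag, $banned, true)) $findings[] = "element <$tag>";
        foreach ($el->attributes as $attr) {
            $name = strtolower($attr->nodeName);
            // Drop whitespace and control characters before matching the scheme.
            $value = strtolower(preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue));
            if (strpos($name, 'on') === 0) $findings[] = "event handler $name on <$tag>";
            if (preg_match('/^(javascript|vbscript|data):/', $value)) $findings[] = "scripting URI in $name on <$tag>";
        }
    }
    return $findings;
}

// Self-check of the auditor on two constructed fragments.
if (findActiveContent('<p><a href="http://example.com/">ok</a></p>')
    || !findActiveContent('<img src="x" onerror="alert(1)">')) {
    throw new RuntimeException('auditor self-check failed');
}

$xml = simplexml_load_file('xssAttacks.xml');
if ($xml === false) throw new RuntimeException('cannot load xssAttacks.xml');
$purifier = new HTMLPurifier();
$failed = 0;
foreach ($xml->attack as $attack) {
    $code = (string) $attack->code;
    if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
    $findings = findActiveContent($purifier->purify($code));
    if ($findings) { $failed++; echo "FAIL {$attack->name}: ", implode('; ', $findings), "\n"; }
}
echo "$failed vector(s) left script-capable markup in the output\n";
exit($failed ? 1 : 0);
```

The non-zero exit status lets the check run as a regression gate; the parser here is libxml, so a clean result complements the browser-rendered column and does not replace it.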