summaryrefslogtreecommitdiffstats
path: root/tests/codeigniter/core
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2015-09-21 15:17:48 +0200
committerAndrey Andreev <narf@devilix.net>2015-09-21 15:17:48 +0200
commit4fbf2d1a8e2b6d33e92f3f353b05388fd3229bd7 (patch)
tree591cf443d0a498dd75f83f30595d13f53752c053 /tests/codeigniter/core
parent088e57db3808f78ee89def94c6ce95b571a88427 (diff)
More XSS stuff
Diffstat (limited to 'tests/codeigniter/core')
-rw-r--r--tests/codeigniter/core/Security_test.php16
1 files changed, 16 insertions, 0 deletions
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index b04d25891..ca111c3bf 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -120,6 +120,17 @@ class Security_test extends CI_TestCase {
// --------------------------------------------------------------------
+ public function text_xss_clean_js_link_removal()
+ {
+ // This one is to prevent a false positive
+ $this->assertEquals(
+ "<a href=\"javascrip\n<t\n:alert\n&#40;1&#41;\"\n>",
+ $this->security->xss_clean("<a href=\"javascrip\n<t\n:alert\n(1)\"\n>")
+ );
+ }
+
+ // --------------------------------------------------------------------
+
public function test_xss_clean_js_img_removal()
{
$input = '<img src="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere';
@@ -191,6 +202,11 @@ class Security_test extends CI_TestCase {
'<img src="x"> on=\'x\' onerror=,xssm()>',
$this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>')
);
+
+ $this->assertEquals(
+ '<image src="<>" [removed]>',
+ $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>')
+ );
}
// --------------------------------------------------------------------