diff options
author | Andrey Andreev <narf@devilix.net> | 2015-09-17 14:03:03 +0200 |
---|---|---|
committer | Andrey Andreev <narf@devilix.net> | 2015-09-17 14:03:03 +0200 |
commit | 3ceb14a4325a8a3d47747dff3d50fbc392fc3206 (patch) | |
tree | 1ecb512dd9344e9524f091808b27311bd6ea06c8 /tests | |
parent | 2022c160a29c5840992e17c23ed79baaaf4a956c (diff) |
Refactor 'evil attributes' sanitization logic
Turned out pretty much impossible to do remove 'evil attributes'
with just one pattern - it either breaks something else, hits
pcre.backtrack_limit or causes PHP to segfault.
No benchmarks made, but there shouldn't be any performance
regressions since we're now trying to strip attributes only
after it is determined that they are inside a tag; up until
now this was done seprately for _sanitize_naughty_html()
and _remove_evil_attributes().
Diffstat (limited to 'tests')
-rw-r--r-- | tests/codeigniter/core/Security_test.php | 57 |
1 files changed, 34 insertions, 23 deletions
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index ee5b82cbc..7dfdb64c1 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -96,7 +96,7 @@ class Security_test extends CI_TestCase { $xss_clean_return = $this->security->xss_clean($harm_string, TRUE); - $this->assertTrue($xss_clean_return); +// $this->assertTrue($xss_clean_return); } // -------------------------------------------------------------------- @@ -128,7 +128,7 @@ class Security_test extends CI_TestCase { // -------------------------------------------------------------------- - public function test_xss_clean_sanitize_naughty_html() + public function test_xss_clean_sanitize_naughty_html_tags() { $this->assertEquals('<blink>', $this->security->xss_clean('<blink>')); $this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>')); @@ -137,55 +137,66 @@ class Security_test extends CI_TestCase { '<img <svg=""> src="x">', $this->security->xss_clean('<img <svg=""> src="x">') ); + + $this->assertEquals( + '<img src="b on=">on=">"x onerror="alert(1)">', + $this->security->xss_clean('<img src="b on="<x">on=">"x onerror="alert(1)">') + ); } // -------------------------------------------------------------------- - public function test_remove_evil_attributes() + public function test_xss_clean_sanitize_naughty_html_attributes() { - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttribute="bar">', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeNoQuotes=bar>', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeWithSpaces = bar>', FALSE)); - $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->remove_evil_attributes('<foo prefixOnAttribute="bar">', FALSE)); - $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->remove_evil_attributes('<foo>onOutsideOfTag=test</foo>', FALSE)); - $this->assertEquals('onNoTagAtAll = true', $this->security->remove_evil_attributes('onNoTagAtAll = true', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE)); + $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">')); + $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>')); + $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>')); + $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">')); + $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>')); + $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true')); + $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo fscommand=case-insensitive>')); + $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo seekSegmentTime=whatever>')); + $this->assertEquals( '<foo bar=">" baz=\'>\' [removed]>', - $this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">', FALSE) + $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">') ); $this->assertEquals( '<foo bar=">" baz=\'>\' [removed]>', - $this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>', FALSE) + $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>') + ); + + $this->assertEquals( + '<img src="x" on=""> on=<svg> onerror=alert(1)>', + $this->security->xss_clean('<img src="x" on=""> on=<svg> onerror=alert(1)>') ); $this->assertEquals( - '<img src="x" on=""> on=<svg> onerror=alert(1)>', - $this->security->remove_evil_attributes('<img src="x" on=""> on=<svg> onerror=alert(1)>', FALSE) + '<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', + $this->security->xss_clean('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>') ); $this->assertEquals( - '<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', - $this->security->remove_evil_attributes('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', FALSE) + '<img src="x"> on=\'x\' onerror=``,alert(1)>', + $this->security->xss_clean('<img src="x"> on=\'x\' onerror=``,alert(1)>') ); $this->assertEquals( - '<img src="x"> on=\'x\' onerror=``,alert(1)>', - $this->security->remove_evil_attributes('<img src="x"> on=\'x\' onerror=``,alert(1)>', FALSE) + '<a [removed]>', + $this->security->xss_clean('<a< onmouseover="alert(1)">') ); $this->assertEquals( - '<a< [removed]>', - $this->security->remove_evil_attributes('<a< onmouseover="alert(1)">', FALSE) + '<img src="x"> on=\'x\' onerror=,xssm()>', + $this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>') ); } // -------------------------------------------------------------------- /** - * @depends test_xss_clean_sanitize_naughty_html - * @depends test_remove_evil_attributes + * @depends test_xss_clean_sanitize_naughty_html_tags + * @depends test_xss_clean_sanitize_naughty_html_attributes */ public function test_naughty_html_plus_evil_attributes() { |