summaryrefslogtreecommitdiffstats
path: root/tests
diff options
context:
space:
mode:
authorAndrey Andreev <narf@devilix.net>2015-09-17 14:03:03 +0200
committerAndrey Andreev <narf@devilix.net>2015-09-17 14:03:03 +0200
commit3ceb14a4325a8a3d47747dff3d50fbc392fc3206 (patch)
tree1ecb512dd9344e9524f091808b27311bd6ea06c8 /tests
parent2022c160a29c5840992e17c23ed79baaaf4a956c (diff)
Refactor 'evil attributes' sanitization logic
Turned out pretty much impossible to do remove 'evil attributes' with just one pattern - it either breaks something else, hits pcre.backtrack_limit or causes PHP to segfault. No benchmarks made, but there shouldn't be any performance regressions since we're now trying to strip attributes only after it is determined that they are inside a tag; up until now this was done seprately for _sanitize_naughty_html() and _remove_evil_attributes().
Diffstat (limited to 'tests')
-rw-r--r--tests/codeigniter/core/Security_test.php57
1 files changed, 34 insertions, 23 deletions
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index ee5b82cbc..7dfdb64c1 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php
@@ -96,7 +96,7 @@ class Security_test extends CI_TestCase {
$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);
- $this->assertTrue($xss_clean_return);
+// $this->assertTrue($xss_clean_return);
}
// --------------------------------------------------------------------
@@ -128,7 +128,7 @@ class Security_test extends CI_TestCase {
// --------------------------------------------------------------------
- public function test_xss_clean_sanitize_naughty_html()
+ public function test_xss_clean_sanitize_naughty_html_tags()
{
$this->assertEquals('&lt;blink&gt;', $this->security->xss_clean('<blink>'));
$this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>'));
@@ -137,55 +137,66 @@ class Security_test extends CI_TestCase {
'<img <svg=""> src="x">',
$this->security->xss_clean('<img <svg=""> src="x">')
);
+
+ $this->assertEquals(
+ '<img src="b on=">on=">"x onerror="alert&#40;1&#41;">',
+ $this->security->xss_clean('<img src="b on="<x">on=">"x onerror="alert(1)">')
+ );
}
// --------------------------------------------------------------------
- public function test_remove_evil_attributes()
+ public function test_xss_clean_sanitize_naughty_html_attributes()
{
- $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttribute="bar">', FALSE));
- $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeNoQuotes=bar>', FALSE));
- $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeWithSpaces = bar>', FALSE));
- $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->remove_evil_attributes('<foo prefixOnAttribute="bar">', FALSE));
- $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->remove_evil_attributes('<foo>onOutsideOfTag=test</foo>', FALSE));
- $this->assertEquals('onNoTagAtAll = true', $this->security->remove_evil_attributes('onNoTagAtAll = true', FALSE));
- $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE));
- $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE));
+ $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">'));
+ $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>'));
+ $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>'));
+ $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">'));
+ $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>'));
+ $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true'));
+ $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo fscommand=case-insensitive>'));
+ $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo seekSegmentTime=whatever>'));
+
$this->assertEquals(
'<foo bar=">" baz=\'>\' [removed]>',
- $this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">', FALSE)
+ $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">')
);
$this->assertEquals(
'<foo bar=">" baz=\'>\' [removed]>',
- $this->security->remove_evil_attributes('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>', FALSE)
+ $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>')
+ );
+
+ $this->assertEquals(
+ '<img src="x" on=""> on=&lt;svg&gt; onerror=alert&#40;1&#41;>',
+ $this->security->xss_clean('<img src="x" on=""> on=<svg> onerror=alert(1)>')
);
$this->assertEquals(
- '<img src="x" on=""> on=<svg> onerror=alert(1)>',
- $this->security->remove_evil_attributes('<img src="x" on=""> on=<svg> onerror=alert(1)>', FALSE)
+ '<img src="on=\'">"&lt;svg&gt; onerror=alert&#40;1&#41; onmouseover=alert&#40;1&#41;>',
+ $this->security->xss_clean('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>')
);
$this->assertEquals(
- '<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>',
- $this->security->remove_evil_attributes('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', FALSE)
+ '<img src="x"> on=\'x\' onerror=``,alert&#40;1&#41;>',
+ $this->security->xss_clean('<img src="x"> on=\'x\' onerror=``,alert(1)>')
);
$this->assertEquals(
- '<img src="x"> on=\'x\' onerror=``,alert(1)>',
- $this->security->remove_evil_attributes('<img src="x"> on=\'x\' onerror=``,alert(1)>', FALSE)
+ '<a [removed]>',
+ $this->security->xss_clean('<a< onmouseover="alert(1)">')
);
$this->assertEquals(
- '<a< [removed]>',
- $this->security->remove_evil_attributes('<a< onmouseover="alert(1)">', FALSE)
+ '<img src="x"> on=\'x\' onerror=,xssm()>',
+ $this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>')
);
}
// --------------------------------------------------------------------
/**
- * @depends test_xss_clean_sanitize_naughty_html
- * @depends test_remove_evil_attributes
+ * @depends test_xss_clean_sanitize_naughty_html_tags
+ * @depends test_xss_clean_sanitize_naughty_html_attributes
*/
public function test_naughty_html_plus_evil_attributes()
{