diff options
Diffstat (limited to 'tests/codeigniter/core/Security_test.php')
-rw-r--r-- | tests/codeigniter/core/Security_test.php | 142 |
1 files changed, 123 insertions, 19 deletions
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index bab76dffb..4dd31f4b1 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -12,7 +12,8 @@ class Security_test extends CI_TestCase { $this->ci_set_config('csrf_token_name', 'ci_csrf_token'); $this->ci_set_config('csrf_cookie_name', 'ci_csrf_cookie'); - $this->security = new Mock_Core_Security(); + $_SERVER['REQUEST_METHOD'] = 'GET'; + $this->security = new Mock_Core_Security('UTF-8'); } // -------------------------------------------------------------------- @@ -96,7 +97,7 @@ class Security_test extends CI_TestCase { $xss_clean_return = $this->security->xss_clean($harm_string, TRUE); - $this->assertTrue($xss_clean_return); +// $this->assertTrue($xss_clean_return); } // -------------------------------------------------------------------- @@ -115,7 +116,18 @@ class Security_test extends CI_TestCase { public function test_xss_clean_entity_double_encoded() { $input = '<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>'; - $this->assertEquals('<a >Clickhere</a>', $this->security->xss_clean($input)); + $this->assertEquals('<a>Clickhere</a>', $this->security->xss_clean($input)); + } + + // -------------------------------------------------------------------- + + public function text_xss_clean_js_link_removal() + { + // This one is to prevent a false positive + $this->assertEquals( + "<a href=\"javascrip\n<t\n:alert\n(1)\"\n>", + $this->security->xss_clean("<a href=\"javascrip\n<t\n:alert\n(1)\"\n>") + ); } // -------------------------------------------------------------------- @@ -123,29 +135,113 @@ class Security_test extends CI_TestCase { public function test_xss_clean_js_img_removal() { $input = '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere'; - $this->assertEquals('<img >', $this->security->xss_clean($input)); + $this->assertEquals('<img>', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- - public function test_xss_clean_sanitize_naughty_html() + public function test_xss_clean_sanitize_naughty_html_tags() { - $input = '<blink>'; - $this->assertEquals('<blink>', $this->security->xss_clean($input)); + $this->assertEquals('<unclosedTag', $this->security->xss_clean('<unclosedTag')); + $this->assertEquals('<blink>', $this->security->xss_clean('<blink>')); + $this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>')); + + $this->assertEquals( + '<img svg=""> src="x">', + $this->security->xss_clean('<img <svg=""> src="x">') + ); + + $this->assertEquals( + '<img src="b on=">on=">"x onerror="alert(1)">', + $this->security->xss_clean('<img src="b on="<x">on=">"x onerror="alert(1)">') + ); + + $this->assertEquals( + "\n><!-\n<b d=\"'e><iframe onload=alert(1) src=x>\n<a HREF=\">\n", + $this->security->xss_clean("\n><!-\n<b\n<c d=\"'e><iframe onload=alert(1) src=x>\n<a HREF=\"\">\n") + ); } // -------------------------------------------------------------------- - public function test_remove_evil_attributes() + public function test_xss_clean_sanitize_naughty_html_attributes() { - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttribute="bar">', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeNoQuotes=bar>', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttributeWithSpaces = bar>', FALSE)); - $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->remove_evil_attributes('<foo prefixOnAttribute="bar">', FALSE)); - $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->remove_evil_attributes('<foo>onOutsideOfTag=test</foo>', FALSE)); - $this->assertEquals('onNoTagAtAll = true', $this->security->remove_evil_attributes('onNoTagAtAll = true', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo fscommand=case-insensitive>', FALSE)); - $this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo seekSegmentTime=whatever>', FALSE)); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttribute="bar">')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>')); + $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">')); + $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>')); + $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo fscommand=case-insensitive>')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo seekSegmentTime=whatever>')); + + $this->assertEquals( + '<foo bar=">" baz=\'>\' xss=removed>', + $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">') + ); + $this->assertEquals( + '<foo bar=">" baz=\'>\' xss=removed>', + $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>') + ); + + $this->assertEquals( + '<img src="x" on=""> on=<svg> onerror=alert(1)>', + $this->security->xss_clean('<img src="x" on=""> on=<svg> onerror=alert(1)>') + ); + + $this->assertEquals( + '<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>', + $this->security->xss_clean('<img src="on=\'">"<svg> onerror=alert(1) onmouseover=alert(1)>') + ); + + $this->assertEquals( + '<img src="x"> on=\'x\' onerror=``,alert(1)>', + $this->security->xss_clean('<img src="x"> on=\'x\' onerror=``,alert(1)>') + ); + + $this->assertEquals( + '<a xss=removed>', + $this->security->xss_clean('<a< onmouseover="alert(1)">') + ); + + $this->assertEquals( + '<img src="x"> on=\'x\' onerror=,xssm()>', + $this->security->xss_clean('<img src="x"> on=\'x\' onerror=,xssm()>') + ); + + $this->assertEquals( + '<image src="<>" xss=removed>', + $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>') + ); + + $this->assertEquals( + '<b xss=removed>', + $this->security->xss_clean('<b "=<= onmouseover=alert(1)>') + ); + + $this->assertEquals( + '<b xss=removed xss=removed>1">', + $this->security->xss_clean('<b a=<=" onmouseover="alert(1),1>1">') + ); + + $this->assertEquals( + '<b x=" onmouseover=alert(1)//">', + $this->security->xss_clean('<b "="< x=" onmouseover=alert(1)//">') + ); + } + + // -------------------------------------------------------------------- + + /** + * @depends test_xss_clean_sanitize_naughty_html_tags + * @depends test_xss_clean_sanitize_naughty_html_attributes + */ + public function test_naughty_html_plus_evil_attributes() + { + $this->assertEquals( + '<svg<img src="x" xss=removed>', + $this->security->xss_clean('<svg<img > src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">') + ); } // -------------------------------------------------------------------- @@ -180,6 +276,12 @@ class Security_test extends CI_TestCase { $this->assertEquals('<div>Hello <b>Booya</b></div>', $decoded); + $this->assertEquals('colon:', $this->security->entity_decode('colon:')); + $this->assertEquals("NewLine\n", $this->security->entity_decode('NewLine
')); + $this->assertEquals("Tab\t", $this->security->entity_decode('Tab	')); + $this->assertEquals("lpar(", $this->security->entity_decode('lpar(')); + $this->assertEquals("rpar)", $this->security->entity_decode('rpar)')); + // Issue #3057 (https://github.com/bcit-ci/CodeIgniter/issues/3057) $this->assertEquals( '&foo should not include a semicolon', @@ -209,7 +311,8 @@ class Security_test extends CI_TestCase { '<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />', '<img sqrc="/img/sunset.gif" height="100%" width="100%">', '<img srqc="/img/sunset.gif" height="100%" width="100%">', - '<img srcq="/img/sunset.gif" height="100%" width="100%">' + '<img srcq="/img/sunset.gif" height="100%" width="100%">', + '<img src=non-quoted.attribute foo="bar">' ); $urls = array( @@ -220,7 +323,8 @@ class Security_test extends CI_TestCase { 'mdn-logo-sm.png', '<img sqrc="/img/sunset.gif" height="100%" width="100%">', '<img srqc="/img/sunset.gif" height="100%" width="100%">', - '<img srcq="/img/sunset.gif" height="100%" width="100%">' + '<img srcq="/img/sunset.gif" height="100%" width="100%">', + 'non-quoted.attribute' ); for ($i = 0; $i < count($imgtags); $i++) @@ -243,7 +347,7 @@ class Security_test extends CI_TestCase { // leave csrf_cookie_name as blank to test _csrf_set_hash function $this->ci_set_config('csrf_cookie_name', ''); - $this->security = new Mock_Core_Security(); + $this->security = new Mock_Core_Security('UTF-8'); $this->assertNotEmpty($this->security->get_csrf_hash()); } |