24:<![endif]-->
25:<![if gte IE 4]>
26:<SCRIPT>alert('XSS');</SCRIPT>
27:<![endif]>
27a:<!--[if gte IE 4]--><foo>
28:<XML ID=I><X><C>
29:<![CDATA[<IMG SRC="javas]]>
30:<![CDATA[cript:alert('XSS');">
31:]]>
32:</C></X></xml>
33:<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
34:<xss:xss>XSS</xss:xss>
35:<?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"?>
36:<xss:xss>XSS</xss:xss>
37:<a href=`javascript:alert("Surprise");`>
38:<img border=`3` vspace=`3px` >
39:<H1>
40:<IMG SRC="HTTP://SOMESITE.COM" WIDTH=30>
41:<BR />
42:<UNKNOWN>
43:<UNKNOWN UNKNOWNATTRIBUTE="1">
44:<UNKNOWN UNKNOWNATTRIBUTE1="1" UNKNOWNATTRIBUTE2="2">
45:<UNKNOWN/>
EOF
$Res = $Defang->defang($H);

# Every input line above carries an "N:" label, so each expectation below is
# matched against the output line with the same label.  The patterns are
# deliberately kept unanchored, exactly as the original checks were, so a
# fragment only has to occur somewhere in the defanged output.
for my $case (
    # Known tags and attributes are passed through untouched; unknown tags
    # become comments carrying $DefangString, unknown/invalid attributes get
    # a "defang_" prefix.
    [ qr{1:<h1>},                                                              "Skip known attrib-incapable h1 tag" ],
    [ qr{2:<img>},                                                             "Skip known attrib-capable img opening tag" ],
    [ qr{3:</img>},                                                            "Skip known attrib-capable img closing tag" ],
    [ qr{4:<img />},                                                           "Skip known attrib-capable img self-closing tag" ],
    [ qr{5:<!--${DefangString}unknownTag-->},                                  "Defang unknown opening tag" ],
    [ qr{6:<!--/${DefangString}unknownTag-->},                                 "Defang unknown closing tag" ],
    [ qr{7:<!--${DefangString}anotherUnknownTag /-->},                         "Defang unknown self-closing tag" ],
    [ qr{8:<!--${DefangString}unknownTagWithAttrib defang_attrib="a"-->},      "Defang unknown tag with attrib" ],
    [ qr{9:<!--${DefangString}unknownTagWithAttribs defang_attrib1="a" defang_attrib2="b"-->}, "Defang unknown tag with attribs" ],
    [ qr{10:<img border="3" vspace="3px" >},                                   "Skip known tag with known attribs" ],
    [ qr{11:<img border="30%" vspace="3.5px" />},                              "Skip known tag with known attribs" ],
    [ qr{12:<img defang_unknownAttrib="a">},                                   "Defang unknown attrib of known tag" ],
    [ qr{13:<img defang_unknownAttrib1="a" defang_unknownAttrib2="b">},        "Defang unknown attrib of known tag" ],
    [ qr{14:<img defang_border="a@">},                                         "Defang invalid value in known attrib in known tag" ],
    [ qr{15:<img defang_border="a@" defang_vspace="a@">},                      "Defang multiple invalid values in known attrib in known tag" ],
    [ qr{16:<!--${DefangString}applet-->},                                     "Defang known vulnerable tag" ],

    # Ordinary HTML comments are rewrapped with $CommentStartText/$CommentEndText.
    [ qr{17:<!--${CommentStartText} single line comment with spaces ${CommentEndText}-->},    "Single line comment with spaces" ],
    [ qr{18:<!--${CommentStartText}single line comment without spaces${CommentEndText}-->},   "Single line comment without spaces" ],
    [ qr{19:<!--${CommentStartText} multi-line},                               "Multi-line comment start" ],
    # NOTE(review): "20:" is only the line label, so this check confirms the
    # label survived but says nothing about the comment body on that line.
    [ qr{20:},                                                                 "Multi-line comment content" ],
    [ qr{21: comment ${CommentEndText}-->},                                    "Multi-line comment end" ],

    # IE conditional comments
    # Refer http://msdn.microsoft.com/en-us/library/ms537512.aspx for IE conditional comment information
    [ qr{22:<!--${CommentStartText}\[if gte IE 4\]>},                          "IE conditional downlevel-hidden comment start" ],
    # Line 23 is expected verbatim: the checks for 22 and 24 show it sits
    # between the rewritten comment start and end, i.e. inside comment text.
    [ qr{23:<SCRIPT>alert\('XSS'\);</SCRIPT>},                                 "IE conditional downlevel-hidden comment body" ],
    [ qr{24:<!\[endif\]${CommentEndText}-->},                                  "IE conditional downlevel-hidden comment end" ],
    [ qr{25:<!--${CommentStartText}\[if gte IE 4\]${CommentEndText}-->},       "IE conditional downlevel-revealed comment start" ],
    # NOTE(review): this pattern spells out "defang_" literally where the
    # other checks interpolate ${DefangString}; they agree only while
    # $DefangString is "defang_".
    [ qr{26:<!--defang_SCRIPT--><!-- alert\('XSS'\); --><!--/defang_SCRIPT-->}, "IE conditional downlevel-revealed comment body" ],
    [ qr{27:<!--${CommentStartText}\[endif\]${CommentEndText}-->},             "IE conditional downlevel-revealed comment end" ],
    [ qr{27a:<!--${CommentStartText}\[if gte IE 4\]${CommentEndText}--><!--${DefangString}foo-->}, "IE conditional defang content" ],

    # Some XML tests
    # Refer http://www.w3schools.com/XML/xml_cdata.asp for information on CDATA
    [ qr{28:<!--${DefangString}XML ID=I--><!--${DefangString}X--><!--${DefangString}C-->}, "Defang unknown xml and other opening tags" ],
    [ qr{29:<!--${CommentStartText}\[CDATA\[<IMG SRC="javas]]${CommentEndText}-->},        "Comment out single-line cdata section" ],
    [ qr{30:<!--${CommentStartText}\[CDATA\[cript:alert\('XSS'\);">},          "Comment out multi-line cdata section start" ],
    [ qr{31:]]${CommentEndText}-->},                                           "Comment out multi-line cdata section end" ],
    [ qr{32:<!--/${DefangString}C--><!--/${DefangString}X--><!--/${DefangString}xml-->},   "Defang unknown xml and other closing tags" ],

    # Make sure xss:xss tag comes after each import in the original html for the below checks
    # HTML::Defang.pm tended to dump all HTML output without defanging if a '<?' tag was closed by just '>'
    [ qr{33:<!--\?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"-->},   "Defang <?import tag" ],
    [ qr{34:<!--${DefangString}xss:xss-->XSS<!--/${DefangString}xss:xss-->},   "Defang xss:xss" ],
    [ qr{35:<!--\?import namespace="xss" implementation="http://ha.ckers.org/xss.htc"\?-->}, "Defang <?import tag with ending ?" ],
    [ qr{36:<!--${DefangString}xss:xss-->XSS<!--/${DefangString}xss:xss-->},   "Defang xss:xss" ],

    # Attributes surrounded by backticks
    [ qr{37:<a defang_href="javascript:alert\("Surprise"\);">},                "Defang invalid attribute surrounded by backticks" ],
    [ qr{38:<img border="3" vspace="3px" >},                                   "Skip valid attribute surrounded by backticks" ],

    # Case tests
    [ qr{39:<H1>},                                                             "Skip known tag in upper case with no attributes" ],
    [ qr{40:<IMG SRC="HTTP://SOMESITE.COM" WIDTH=30>},                         "Skip known tag in upper case with attributes" ],
    [ qr{41:<BR />},                                                           "Skip known self-closing tag in upper case" ],
    [ qr{42:<!--${DefangString}UNKNOWN-->},                                    "Defang unknown tag in upper case" ],
    [ qr{43:<!--${DefangString}UNKNOWN defang_UNKNOWNATTRIBUTE="1"-->},        "Defang unknown tag in upper case with attribute" ],
    [ qr{44:<!--${DefangString}UNKNOWN defang_UNKNOWNATTRIBUTE1="1" defang_UNKNOWNATTRIBUTE2="2"-->}, "Defang unknown tag in upper case with multiple attributes" ],
    [ qr{45:<!--${DefangString}UNKNOWN/-->},                                   "Defang unknown self-closing tag in upper case" ],
) {
    my ($expected, $name) = @{$case};
    like($Res, $expected, $name);
}
# Remaining cases: every input is run through defang() on its own and the
# output is checked against one or more expected fragments.  Each input
# string ends with the newline the original heredocs carried, and $H / $Res
# are assigned just as before so later code sees the same final values.
for my $case (
    {
        html   => qq{1:<table border="0" cellpadding="2" cellspacing="0">\n},
        checks => [
            [ qr{1:<table border="0" cellpadding="2" cellspacing="0">}, "Skip known attributes of <table> tag" ],
        ],
    },
    {
        # A quote character that differs from the attribute's own delimiter
        # must survive inside the value.
        html   => qq{1:<img style="width: some's">\n}
                . qq{2:<img style='width: some"s'>\n}
                . qq{3:<img style='width: some`s'>\n},
        checks => [
            [ qr{1:<img style="width: some's">}, "Attribute containing single quote" ],
            [ qr{2:<img style='width: some"s'>}, "Attribute containing double quote" ],
            [ qr{3:<img style='width: some`s'>}, "Attribute containing backtick" ],
        ],
    },
    {
        # A bare "/" used as an attribute name is treated as an unknown attribute.
        html   => qq{<img width="1" / = "/">\n},
        checks => [
            [ qr{<img width="1" defang_/ = "/">}, "Use '/' as an attribute key" ],
        ],
    },
    {
        # A stray "/" with no "=" after it is left alone; this is the one
        # check that anchors the whole output line.
        html   => qq{1:<img width="1" / style="color: red">\n},
        checks => [
            [ qr{^1:<img width="1" / style="color: red">$}, "Stray / in tag" ],
        ],
    },
    {
        # A comment opened at end of input is still closed in the output.
        html   => qq{1:<html><!--\n},
        checks => [
            [ qr{1:<html><!--${CommentStartText}\s${CommentEndText}-->}, "Unclosed HTML comment 1" ],
        ],
    },
) {
    $H   = $case->{html};
    $Res = $Defang->defang($H);
    for my $check (@{ $case->{checks} }) {
        like($Res, $check->[0], $check->[1]);
    }
}