#!/usr/bin/env perl
use strict;
use warnings;
use MojoMojo::Formatter::Defang;
use Test::More tests => 11;
use Test::Differences;
my ( $content, $got, $expected, $test );

# Every case below pushes a known XSS vector through Defang in place and
# pins the exact rewritten markup: unsafe attributes come back with a
# "defang_" prefix and unsafe elements are turned into HTML comments, so
# the input is neutralised rather than silently dropped.

# An unterminated <iframe> with a remote src: the whole tag becomes a
# comment (closed with "-->" after the trailing newline) and src is renamed.
$test     = 'unclosed iframe src http not allowed';
$content  = "<iframe src=http://dandascalescu.com/bugs/mojomojo/scriptlet.html\n";
$expected = "<!--defang_iframe defang_src=http://dandascalescu.com/bugs/mojomojo/scriptlet.html\n-->";
MojoMojo::Formatter::Defang->format_content( \$content );
eq_or_diff( $content, $expected, $test );
# A javascript: URL in an <img> src attribute: the element is kept but the
# attribute is renamed (original case preserved: SRC -> defang_SRC), so the
# browser no longer sees a src to evaluate.
$test     = 'img src javascript not allowed';
$content  = qq{<IMG SRC="javascript:alert('XSS');">\n};
$expected = qq{<IMG defang_SRC="javascript:alert('XSS');">\n};
MojoMojo::Formatter::Defang->format_content( \$content );
eq_or_diff( $content, $expected, $test );
# Same vector with an unquoted value and no closing ">": Defang renames the
# attribute and the expected output carries the missing ">" after the
# trailing newline.
$test     = 'unclosed img src javascript not allowed';
$content  = "<img src=javascript:alert('XSS')\n";
$expected = "<img defang_src=javascript:alert('XSS')\n>";
MojoMojo::Formatter::Defang->format_content( \$content );
eq_or_diff( $content, $expected, $test );
# A remote <SCRIPT SRC=...>: the opening and closing tags are each wrapped
# in an HTML comment. Note the SRC attribute itself is not renamed here;
# the comment wrapper alone takes the element out of play. The trailing
# newline survives untouched.
$test     = 'script src http not allowed';
$content  = "<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>\n";
$expected = "<!--defang_SCRIPT SRC=http://ha.ckers.org/xss.js--><!-- --><!--/defang_SCRIPT-->\n";
MojoMojo::Formatter::Defang->format_content( \$content );
eq_or_diff( $content, $expected, $test );
# A plain remote image URL is rewritten as well: under the default Defang
# policy, src is renamed even on a well-formed <img>. This test will fail
# if img/src are allowed under the default Defang (return 2) setting.
$test     = 'img src http not allowed';
$content  = qq{<img src="http://malicious.com/foto.jpg" />\n};
$expected = qq{<img defang_src="http://malicious.com/foto.jpg" />\n};
MojoMojo::Formatter::Defang->format_content( \$content );
eq_or_diff( $content, $expected, $test );
# Unclosed variant of the previous case: src is renamed and the expected
# output carries the missing ">" after the newline, as in the unclosed
# <img> javascript: case above. This test will fail if img/src are allowed
# under the default Defang (return 2) setting.
$test     = 'unclosed src http not allowed';
$content  = "<img src=http://malicious.com/xss.js\n";
$expected = "<img defang_src=http://malicious.com/xss.js\n>";
MojoMojo::Formatter::Defang->format_content( \$content );