smoketests/variableWidthAttack.php

   1 <?php
   2
   3 require_once 'common.php';
   4
   5 echo '<?xml version="1.0" encoding="UTF-8" ?>';
   6 ?><!DOCTYPE html
   7      PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
   8      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
   9 <html>
  10 <head>
  11     <title>HTML Purifier Variable Width Attack Smoketest</title>
  12     <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  13 </head>
  14 <body>
  15 <h1>HTML Purifier Variable Width Attack Smoketest</h1>
  16 <p>For more information, see
  17 <a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
  18 original advisory.</a>  This particular exploit code appears only to work
  19 in Internet Explorer, if it works at all.</p>
  20 <h2>Test</h2>
  21 <?php
  22
  23 $purifier = new HTMLPurifier();
  24
  25 ?>
  26 <table>
  27 <thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
  28 <tbody>
  29 <?php
  30
  31 for ($i = 0; $i < 256; $i++) {
  32     $c = chr($i);
  33     $html = '<img src="" alt="X' . $c . '"';
  34     $html .= '>A"'; // in our out the attribute? ;-)
  35     $html .= "onerror=alert('$i')>O";
  36     $pure_html = $purifier->purify($html);
  37 ?>
  38 <tr>
  39     <td><?php echo $i; ?></td>
  40     <td style="font-size:8pt;"><?php echo escapeHTML($html); ?></td>
  41     <td style="font-size:8pt;"><?php echo escapeHTML($pure_html); ?></td>
  42     <td><?php echo $pure_html; ?></td>
  43 </tr>
  44 <?php } ?>
  45 </tbody>
  46 </table>
  47
  48 <h2>Analysis</h2>
  49
  50 <p>By making sure that UTF-8 is well formed and non-SGML codepoints are
  51 removed, as well as escaping quotes outside of tags, this is a non-threat.</p>
  52
  53 </body>
  54 </html>
  55 <?php
  56
  57 // vim: et sw=4 sts=4