Add 4.0.0 release information.
[htmlpurifier/darkodev.git] / smoketests / xssAttacks.php
blob0c0b5dcb1995a556b6b8f9770f3beee4dece49eb
1 <?php
3 require_once('common.php');
5 function formatCode($string) {
6 return
7 str_replace(
8 array("\t", '»', '\0(null)'),
9 array('<strong>\t</strong>', '<span class="linebreak">»</span>', '<strong>\0</strong>'),
10 escapeHTML(
11 str_replace("\0", '\0(null)',
12 wordwrap($string, 28, " »\n", true)
18 ?><!DOCTYPE html
19 PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
20 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
21 <html>
22 <head>
23 <title>HTML Purifier XSS Attacks Smoketest</title>
24 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
25 <style type="text/css">
26 .scroll {overflow:auto; width:100%;}
27 .even {background:#EAEAEA;}
28 thead th {border-bottom:1px solid #000;}
29 pre strong {color:#00C;}
30 pre .linebreak {color:#AAA;font-weight:100;}
31 </style>
32 </head>
33 <body>
34 <h1>HTML Purifier XSS Attacks Smoketest</h1>
35 <p>XSS attacks are from
36 <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
37 <p><strong>Caveats:</strong>
38 <tt>Google.com</tt> has been programatically disallowed, but as you can
39 see, there are ways of getting around that, so coverage in this area
40 is not complete. Most XSS broadcasts its presence by spawning an alert dialogue.
41 The displayed code is not strictly correct, as linebreaks have been forced for
42 readability. Linewraps have been marked with <tt>»</tt>. Some tests are
43 omitted for your convenience. Not all control characters are displayed.</p>
45 <h2>Test</h2>
46 <?php
48 if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>');
50 $xml = simplexml_load_file('xssAttacks.xml');
52 // programatically disallow google.com for URI evasion tests
53 // not complete
54 $config = HTMLPurifier_Config::createDefault();
55 $config->set('URI', 'HostBlacklist', array('google.com'));
56 $purifier = new HTMLPurifier($config);
59 <table cellspacing="0" cellpadding="2">
60 <thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
61 <tbody>
62 <?php
64 $i = 0;
65 foreach ($xml->attack as $attack) {
66 $code = $attack->code;
68 // custom code for null byte injection tests
69 if (substr($code, 0, 7) == 'perl -e') {
70 $code = substr($code, $i=strpos($code, '"')+1, strrpos($code, '"') - $i);
71 $code = str_replace('\0', "\0", $code);
74 // disable vectors we cannot test in any meaningful way
75 if ($code == 'See Below') continue; // event handlers, whitelist defeats
76 if ($attack->name == 'OBJECT w/Flash 2') continue; // requires ActionScript
77 if ($attack->name == 'IMG Embedded commands 2') continue; // is an HTTP response
79 // custom code for US-ASCII, which couldn't be expressed in XML without encoding
80 if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
82 <tr<?php if ($i++ % 2) {echo ' class="even"';} ?>>
83 <td><?php echo escapeHTML($attack->name); ?></td>
84 <td><pre><?php echo formatCode($code); ?></pre></td>
85 <?php $pure_html = $purifier->purify($code); ?>
86 <td><pre><?php echo formatCode($pure_html); ?></pre></td>
87 <td><div class="scroll"><?php echo $pure_html ?></div></td>
88 </tr>
89 <?php
93 </tbody>
94 </table>
95 </body>
96 </html>
97 <?php
99 // vim: et sw=4 sts=4