|
|
@ -203,12 +203,15 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
|
|
|
|
$mod = rcube_utils::mod_css_styles("left:exp/* */ression( alert('xss3') )", 'rcmbody');
|
|
|
|
$mod = rcube_utils::mod_css_styles("left:exp/* */ression( alert('xss3') )", 'rcmbody');
|
|
|
|
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks");
|
|
|
|
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks");
|
|
|
|
|
|
|
|
|
|
|
|
$mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
|
|
|
|
$mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\00006c( javascript:alert('xss') )", 'rcmbody');
|
|
|
|
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
|
|
|
|
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
|
|
|
|
|
|
|
|
|
|
|
|
$mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
|
|
|
|
$mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
|
|
|
|
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
|
|
|
|
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$mod = rcube_utils::mod_css_styles("background: u\\r\\l('/images/img.png')", 'rcmbody');
|
|
|
|
|
|
|
|
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (4)");
|
|
|
|
|
|
|
|
|
|
|
|
// position: fixed (#5264)
|
|
|
|
// position: fixed (#5264)
|
|
|
|
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
|
|
|
|
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
|
|
|
|
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
|
|
|
|
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
|
|
|
@ -234,6 +237,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
|
|
|
|
$mod = rcube_utils::xss_entity_decode('#foo:after{content:"\003Cimg/src=x onerror=alert(2)>";}');
|
|
|
|
$mod = rcube_utils::xss_entity_decode('#foo:after{content:"\003Cimg/src=x onerror=alert(2)>";}');
|
|
|
|
$this->assertNotContains('<img', $mod, "Strip (encoded) tags from content property");
|
|
|
|
$this->assertNotContains('<img', $mod, "Strip (encoded) tags from content property");
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
$mod = rcube_utils::xss_entity_decode("background: u\\r\\00006c('/images/img.png')");
|
|
|
|
|
|
|
|
$this->assertContains("url(", $mod, "Escape sequences resolving");
|
|
|
|
|
|
|
|
|
|
|
|
// #5747
|
|
|
|
// #5747
|
|
|
|
$mod = rcube_utils::xss_entity_decode('<!-- #foo { content:css; } -->');
|
|
|
|
$mod = rcube_utils::xss_entity_decode('<!-- #foo { content:css; } -->');
|
|
|
|
$this->assertContains('#foo', $mod, "Strip HTML comments from content, but not the content");
|
|
|
|
$this->assertContains('#foo', $mod, "Strip HTML comments from content, but not the content");
|
|
|
|