/', '', $html); } /** * Test the elimination of some XSS vulnerabilities */ function test_html_xss() { // #1488850 $html = 'Firefox' .'Internet Explorer
' .'Firefox' .'Internet Explorer' .'CLICK ME'; // #6896 $washer = new rcube_washtml; $washed = $washer->wash($html); $this->assertNotRegExp('/data:text/', $washed, "Remove data:text/html links"); $this->assertNotRegExp('/vbscript:/', $washed, "Remove vbscript: links"); $this->assertNotRegExp('/data:application/', $washed, "Remove data:application links"); } /** * Test fixing of invalid href (#1488940) */ function test_href() { $html = "Firefox"; $washer = new rcube_washtml; $washed = $washer->wash($html); $this->assertRegExp('|href="http://test.com">|', $washed, "Link href with newlines (#1488940)"); } /** * Test XSS in area's href (#5240) */ function test_href_area() { $html = '
' . 'Internet Explorer
' . '' . '' . 'Internet Explorer
' . ''; $washer = new rcube_washtml; $washed = $washer->wash($html); $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href"); $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href"); $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href"); } /** * Test handling HTML comments */ function test_comments() { $washer = new rcube_washtml; $html = "p2
"; $washed = $this->cleanupResult($washer->wash($html)); $this->assertEquals('p2
', $washed, "HTML conditional comments (#1489004)"); $html = "para2
"; $washed = $this->cleanupResult($washer->wash($html)); $this->assertEquals('para1
para2
', $washed, "HTML comments - simple comment"); $html = "para1
para2
"; $washed = $this->cleanupResult($washer->wash($html)); $this->assertEquals('para1
para2
', $washed, "HTML comments - tags inside (#1489904)"); $html = "para1
para2
"; $washed = $this->cleanupResult($washer->wash($html)); $this->assertEquals('para1
para2
', $washed, "HTML comments - bracket inside"); $html = "\n2\n4
"; $washed = $this->cleanupResult($washer->wash($html)); $this->assertEquals("\n2\n4
", $washed, "HTML comments (#6464)"); } /** * Test fixing of invalid self-closing elements (#1489137) */ function test_self_closing() { $html = "