authorAleksander Machniak <alec@alec.pl>2018-05-05 18:12:18 +0300
committerAleksander Machniak <alec@alec.pl>2018-05-05 18:17:46 +0300
commitd9eed3625bf06cd2946b0efb6d88ff9986ba4864 (patch)
tree5bce107a9e1039cc5470da3c3b159750cdaa4656 /tests
parent13b35e3c0eb0920ee19e3aaacb5e79845e45225e (diff)
Fix bug where some escape sequences in html styles could bypass security checks
Diffstat (limited to 'tests')
-rw-r--r--tests/Framework/Utils.php8
-rw-r--r--tests/MailFunc.php2
2 files changed, 8 insertions, 2 deletions
diff --git a/tests/Framework/Utils.php b/tests/Framework/Utils.php
index dc28907be..8543fe991 100644
--- a/tests/Framework/Utils.php
+++ b/tests/Framework/Utils.php
@@ -203,12 +203,15 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$mod = rcube_utils::mod_css_styles("left:exp/* */ression( alert(&#039;xss3&#039;) )", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks");
- $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
+ $mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\00006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2)");
$mod = rcube_utils::mod_css_styles("background: \\75 \\72 \\6C ('/images/img.png')", 'rcmbody');
$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (3)");
+ $mod = rcube_utils::mod_css_styles("background: u\\r\\l('/images/img.png')", 'rcmbody');
+ $this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (4)");
+
// position: fixed (#5264)
$mod = rcube_utils::mod_css_styles(".test { position: fixed; }", 'rcmbody');
$this->assertEquals("#rcmbody .test { position: absolute; }", $mod, "Replace position:fixed with position:absolute (0)");
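Review bot: Rewriting the existing case (2) from `\006c` to `\00006c` swaps one escape length for another instead of adding coverage: CSS hex escapes may be one to six digits, and the four-digit form the old assertion exercised is no longer tested anywhere in this hunk. Keep the original string as case (2) and add the six-digit variant as its own line, e.g. `$mod = rcube_utils::mod_css_styles("background:\\0075\\0072\\00006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');` followed by `$this->assertEquals("/* evil! */", $mod, "Don't allow encoding quirks (2b)");`. The new `u\\r\\l` case covers escaped non-hex letters, but a mixed form such as `u\\72 l(`, where a single whitespace terminates the hex escape inside an otherwise plain identifier, is not covered by any assertion visible here and would be worth one more line. The enclosing test method starts before this hunk and continues after it.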
@@ -234,6 +237,9 @@ class Framework_Utils extends PHPUnit_Framework_TestCase
$mod = rcube_utils::xss_entity_decode('#foo:after{content:"\003Cimg/src=x onerror=alert(2)>";}');
$this->assertNotContains('<img', $mod, "Strip (encoded) tags from content property");
+ $mod = rcube_utils::xss_entity_decode("background: u\\r\\00006c('/images/img.png')");
+ $this->assertContains("url(", $mod, "Escape sequences resolving");
+
// #5747
$mod = rcube_utils::xss_entity_decode('<!-- #foo { content:css; } -->');
$this->assertContains('#foo', $mod, "Strip HTML comments from content, but not the content");
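Review bot: The added assertion on `$mod` only checks that the substring `url(` appears, so a decoder that produced the letter but also left stray escape digits behind, doubled a character, or swallowed part of the argument would still pass. If xss_entity_decode leaves the rest of the declaration untouched (the neighbouring cases suggest it only strips tags and comments, but that is inferred, not visible here), pin the whole result instead: `$this->assertEquals("background: url('/images/img.png')", $mod, "Escape sequences resolving");`. A second input with a whitespace-terminated short escape, e.g. `u\\r\\6c ('/images/img.png')`, would also show how the optional terminator is handled, which the six-digit-only input cannot. The enclosing test method starts before this hunk.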
diff --git a/tests/MailFunc.php b/tests/MailFunc.php
index 69b8a3517..bccdb5f2a 100644
--- a/tests/MailFunc.php
+++ b/tests/MailFunc.php
@@ -215,7 +215,7 @@ class MailFunc extends PHPUnit_Framework_TestCase
$body = rcmail_print_body($html, $this->get_html_part(), array('safe' => false, 'plain' => false));
$this->assertNotContains('onerror=alert(1)//">test', $body);
- $this->assertContains('<a style="x: &gt;&lt;img src=x onerror=alert(1)//"', $body);
+ $this->assertContains('<a style="x: &gt;"', $body);
}
/**
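Review bot: The new expected value `<a style="x: &gt;"` shows that everything from the `<` onward is now dropped from the style attribute, but nothing in the test says why, so the next person touching the sanitizer cannot tell intended truncation from a regression. Add a comment above the assertion, e.g. `// '<' inside a style value ends it: the remainder is dropped rather than entity-encoded`, worded to match whatever the sanitizer actually guarantees, since the mechanism is not visible in this hunk. It would also be worth asserting that the link body survives the stricter stripping, e.g. `$this->assertContains('>test', $body);` if the fixture's anchor text is `test` as the `assertNotContains` string suggests, because the check on the line above only proves the payload is gone. The enclosing test method starts before this hunk.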