diff options
author | Aleksander Machniak <alec@alec.pl> | 2019-08-27 16:57:47 +0300 |
---|---|---|
committer | Aleksander Machniak <alec@alec.pl> | 2019-08-27 16:57:47 +0300 |
commit | 21ebf3ff5a1f014fef6ad0b9d684ea625b0fae94 (patch) | |
tree | 6af34331b506ae7d998442f2b1f187b946819da3 /tests | |
parent | 63730cf84229cede81792c6dbeb84c169bafd193 (diff) |
Fix bug where it was possible to bypass href URI check with data:application/xhtml+xml URIs (#6896)
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Framework/Washtml.php | 10 |
1 files changed, 6 insertions, 4 deletions
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index 2ffebec27..0f38495ed 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -19,19 +19,21 @@ class Framework_Washtml extends PHPUnit_Framework_TestCase /** * Test the elimination of some XSS vulnerabilities */ - function test_html_xss3() + function test_html_xss() { // #1488850 - $html = '<p><a href="data:text/html,<script>alert(document.cookie)</script>">Firefox</a>' + $html = '<a href="data:text/html,<script>alert(document.cookie)</script>">Firefox</a>' .'<a href="vbscript:alert(document.cookie)">Internet Explorer</a></p>' - .'<p><A href="data:text/html,<script>alert(document.cookie)</script>">Firefox</a>' - .'<A HREF="vbscript:alert(document.cookie)">Internet Explorer</a></p>'; + .'<A href="data:text/html,<script>alert(document.cookie)</script>">Firefox</a>' + .'<A HREF="vbscript:alert(document.cookie)">Internet Explorer</a>' + .'<a href="data:application/xhtml+xml;base64,PGh0bW">CLICK ME</a>'; // #6896 $washer = new rcube_washtml; $washed = $washer->wash($html); $this->assertNotRegExp('/data:text/', $washed, "Remove data:text/html links"); $this->assertNotRegExp('/vbscript:/', $washed, "Remove vbscript: links"); + $this->assertNotRegExp('/data:application/', $washed, "Remove data:application links"); } /** |