Пример #1
0
)
"
>
END
, 'output' => ''), 'Firefox Lookups' => array('input' => '<A HREF="http://google:ha.ckers.org">XSS</A>', 'output' => '<a href="http://google">XSS</a>'), 'Content Replace' => array('input' => '<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>', 'output' => '<a href="http://www.gohttp//www.google.com/ogle.com/">XSS</a>'), 'Mixed Encoding' => array('input' => <<<END
<A HREF="htt\tp://6&#09;6.000146.0x7.147/">XSS</A>
END
, 'output' => '<a>XSS</a>'));
// HTML Purifier configuration cases. Each entry's 'input' is run through
// esc_xsssafe(), trimmed, and compared against 'output'; the 'filter' key is
// only consulted when building the assertion label (see the test loop below).
$miscellaneous_tests = array();

// Flash embed markup is rewritten into the purifier's canonical form (note the
// query string on the movie URL does not survive).
$miscellaneous_tests['YouTube Filter'] = array(
    'input'  => '<object width="425" height="355"><param name="movie" value="http://www.youtube.com/v/HLHKgepRZ8M&hl=fr"></param><param name="wmode" value="transparent"></param><embed src="http://www.youtube.com/v/HLHKgepRZ8M&hl=fr" type="application/x-shockwave-flash" wmode="transparent" width="425" height="355"></embed></object>',
    'output' => '<object width="425" height="350" type="application/x-shockwave-flash" data="http://www.youtube.com/v/HLHKgepRZ8M"><param name="movie" value="http://www.youtube.com/v/HLHKgepRZ8M"></param><!--[if IE]><embed src="http://www.youtube.com/v/HLHKgepRZ8M"type="application/x-shockwave-flash"wmode="transparent" width="425" height="350" /><![endif]--></object>',
    'filter' => true,
);

// A target attribute that is on the allow-list must be kept as-is.
$miscellaneous_tests['Allowed Frame Targets Filter'] = array(
    'input'  => '<a href="" target="_blank"></a>',
    'output' => '<a href="" target="_blank"></a>',
    'filter' => true,
);

// id attributes are expected to survive the purifier configuration.
$miscellaneous_tests['Enable ID'] = array(
    'input'  => '<div id="test"></div>',
    'output' => '<div id="test"></div>',
    'filter' => true,
);

// A link to a blacklisted host loses its href entirely; the anchor text stays.
$miscellaneous_tests['Host Blacklist'] = array(
    'input'  => '<a href="http://www.symfony-project.org/">Symfony Project</a>',
    'output' => '<a>Symfony Project</a>',
    'filter' => true,
);

// The <object> wrapper and its <param>s are dropped; only the <embed> is kept,
// and its allowscriptaccess attribute is not part of the expected output.
// The input string deliberately spans several lines (newlines are part of it).
$miscellaneous_tests['Enable Object'] = array(
    'input'  => '<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://download.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0" id="video_small" align="middle" height="370" width="417">
<param name="allowScriptAccess" value="sameDomain">
<param name="allowFullScreen" value="true">
<param name="FlashVars" value="video=http://www.toppeo.com/flv/demospectacle4473EE7B_8003221.flv">
<param name="movie" value="/player/player.swf"><param name="quality" value="high">
<param name="bgcolor" value="#000000">
<embed src="/player/player.swf" flashvars="video=http://www.toppeo.com/flv/demospectacle4473EE7B_8003221.flv" quality="high" bgcolor="#000000" name="video_small" allowscriptaccess="sameDomain" allowfullscreen="true" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" align="middle" height="370" width="417">
</object>',
    'output' => '<embed src="/player/player.swf" flashvars="video=http://www.toppeo.com/flv/demospectacle4473EE7B_8003221.flv" quality="high" bgcolor="#000000" name="video_small" allowfullscreen="true" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" align="middle" height="370" width="417" />',
    'filter' => true,
);
// Plan: two setup assertions (helper include, purifier autoload) plus one
// assertion per entry of the two case tables.
$planned = 2 + count($xsssafe_tests) + count($miscellaneous_tests);
$t = new lime_test($planned, new lime_output_color());

// XssSafe Helper: the helper must load and must bring HTML Purifier with it.
$t->diag('XssSafe Helper');
$helperPath = sfConfig::get('sf_plugins_dir') . '/sfXssSafePlugin/lib/helper/XssSafeHelper.php';
$t->include_ok($helperPath, 'XssSafe Helper include');
$t->is(class_exists('HTMLPurifier_Config'), true, 'HTML Purifier autoload');

// XSS Attacks Smoketest: every vector is passed through esc_xsssafe() and the
// result is compared to the expected string. A 'filter' key on a case only
// changes the wording of the assertion label.
$t->diag('XSS Attacks Smoketest');
foreach ($xsssafe_tests as $name => $test) {
    $label = $name . (isset($test['filter']) ? ' is properly filtered' : ' is properly escaped');
    $t->is(esc_xsssafe($test['input']), $test['output'], $label);
}

// HTML Purifier Config: same comparison, but the purifier output is trimmed
// before it is compared, so surrounding whitespace does not affect these cases.
$t->diag('HTML Purifier Config');
foreach ($miscellaneous_tests as $name => $test) {
    $label = $name . (isset($test['filter']) ? ' is properly filtered' : ' is properly escaped');
    $purified = trim(esc_xsssafe($test['input']));
    $t->is($purified, $test['output'], $label);
}