Commit ed622d08 authored by soxofaan's avatar soxofaan

added filtering against XSS on the CAPTCHA description (with test coverage)

parent 82b03ef5
......@@ -151,7 +151,7 @@ function _captcha_get_description($lang_code=NULL) {
else {
$description = variable_get('captcha_description', $default);
}
return $description;
return filter_xss_admin($description);
}
/**
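Review bot: The new `return filter_xss_admin($description);` still lets through the full admin tag set (Drupal 6's `filter_xss_admin()` permits `a`, `img`, `div` and many others), so this is only appropriate if the value is exclusively set by users with the CAPTCHA admin permission; if a less trusted role can reach `admin/user/captcha`, `filter_xss($description)` with its default narrow tag list would be the safer call. It is also worth stating the contract at the return so callers neither re-escape nor double-filter the result, e.g. `// Admin-entered markup: filtered on output (stored value is left raw), so callers must treat the return value as already sanitized HTML.` The start of `_captcha_get_description()` is outside this hunk, so I cannot confirm whether the `$default` branch is also user-influenced.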
......@@ -432,6 +432,29 @@ class CapchaAdminTestCase extends DrupalWebTestCase {
//TODO: more testing for untrusted posts.
}
/**
* Test XSS vulnerability on CAPTCHA description.
*/
function testXssOnCaptchaDescription() {
// Set CAPTCHA on user register form.
captcha_set_form_id_setting('user_register', 'captcha/Math');
// Put Javascript snippet in CAPTCHA description.
$this->drupalLogin($this->admin_user);
$xss = '<script type="text/javascript">alert("xss")</script>';
$edit = array('captcha_description' => $xss);
$this->drupalPost('admin/user/captcha', $edit, 'Save configuration');
// Visit user register form and check if Javascript snippet is there.
$this->drupalLogout();
$this->drupalGet('user/register');
$this->assertNoRaw($xss, 'Javascript should not be allowed in CAPTCHA description.', 'CAPTCHA');
}
}
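Review bot: `assertNoRaw($xss, ...)` on the register page only proves that the exact injected string is absent, so a filter that merely rewrote the tag (reordered attributes, changed case) would still pass; asserting on the tag prefix, `$this->assertNoRaw('<script', 'Script tags must be stripped from CAPTCHA description.', 'CAPTCHA');`, pins the property that actually matters. Since `filter_xss_admin()` keeps `<a>` and `<img>`, the attribute-based vectors it is expected to neutralise (`onerror=`, `href="javascript:..."`) are not exercised here and deserve a second case, as does a positive check that benign markup such as `<em>` survives so the filter is not silently over-broad. A one-line docblock addition would also help future readers: `* Regression test: script injected via the admin-only description setting must not reach the public register form.`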