Commit 81f4bc82 authored by alexpott's avatar alexpott

Issue #2006568 by ParisLiakos, dawehner: Convert filter_xss() tests to unit tests.

parent 466c8c4c
......@@ -112,188 +112,6 @@ function testLineBreakFilter() {
}
}
/**
* Tests limiting allowed tags and XSS prevention.
*
* XSS tests assume that script is disallowed by default and src is allowed
* by default, but on* and style attributes are disallowed.
*
* Script injection vectors mostly adopted from http://ha.ckers.org/xss.html.
*
* Relevant CVEs:
* - CVE-2002-1806, ~CVE-2005-0682, ~CVE-2005-2106, CVE-2005-3973,
* CVE-2006-1226 (= rev. 1.112?), CVE-2008-0273, CVE-2008-3740.
*/
function testFilterXSS() {
// Tag stripping, different ways to work around removal of HTML tags.
$f = filter_xss('<script>alert(0)</script>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping -- simple script without special characters.');
$f = filter_xss('<script src="http://www.example.com" />');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping -- empty script with source.');
$f = filter_xss('<ScRipt sRc=http://www.example.com/>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- varying case.');
$f = filter_xss("<script\nsrc\n=\nhttp://www.example.com/\n>");
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- multiline tag.');
$f = filter_xss('<script/a src=http://www.example.com/a.js></script>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- non whitespace character after tag name.');
$f = filter_xss('<script/src=http://www.example.com/a.js></script>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- no space between tag and attribute.');
// Null between < and tag name works at least with IE6.
$f = filter_xss("<\0scr\0ipt>alert(0)</script>");
$this->assertNoNormalized($f, 'ipt', 'HTML tag stripping evasion -- breaking HTML with nulls.');
$f = filter_xss("<scrscriptipt src=http://www.example.com/a.js>");
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- filter just removing "script".');
$f = filter_xss('<<script>alert(0);//<</script>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- double opening brackets.');
$f = filter_xss('<script src=http://www.example.com/a.js?<b>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- no closing tag.');
// DRUPAL-SA-2008-047: This doesn't seem exploitable, but the filter should
// work consistently.
$f = filter_xss('<script>>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- double closing tag.');
$f = filter_xss('<script src=//www.example.com/.a>');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- no scheme or ending slash.');
$f = filter_xss('<script src=http://www.example.com/.a');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- no closing bracket.');
$f = filter_xss('<script src=http://www.example.com/ <');
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- opening instead of closing bracket.');
$f = filter_xss('<nosuchtag attribute="newScriptInjectionVector">');
$this->assertNoNormalized($f, 'nosuchtag', 'HTML tag stripping evasion -- unknown tag.');
$f = filter_xss('<?xml:namespace ns="urn:schemas-microsoft-com:time">');
$this->assertTrue(stripos($f, '<?xml') === FALSE, 'HTML tag stripping evasion -- starting with a question sign (processing instructions).');
$f = filter_xss('<t:set attributeName="innerHTML" to="&lt;script defer&gt;alert(0)&lt;/script&gt;">');
$this->assertNoNormalized($f, 't:set', 'HTML tag stripping evasion -- colon in the tag name (namespaces\' tricks).');
$f = filter_xss('<img """><script>alert(0)</script>', array('img'));
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- a malformed image tag.');
$f = filter_xss('<blockquote><script>alert(0)</script></blockquote>', array('blockquote'));
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- script in a blockqoute.');
$f = filter_xss("<!--[if true]><script>alert(0)</script><![endif]-->");
$this->assertNoNormalized($f, 'script', 'HTML tag stripping evasion -- script within a comment.');
// Dangerous attributes removal.
$f = filter_xss('<p onmouseover="http://www.example.com/">', array('p'));
$this->assertNoNormalized($f, 'onmouseover', 'HTML filter attributes removal -- events, no evasion.');
$f = filter_xss('<li style="list-style-image: url(javascript:alert(0))">', array('li'));
$this->assertNoNormalized($f, 'style', 'HTML filter attributes removal -- style, no evasion.');
$f = filter_xss('<img onerror =alert(0)>', array('img'));
$this->assertNoNormalized($f, 'onerror', 'HTML filter attributes removal evasion -- spaces before equals sign.');
$f = filter_xss('<img onabort!#$%&()*~+-_.,:;?@[/|\]^`=alert(0)>', array('img'));
$this->assertNoNormalized($f, 'onabort', 'HTML filter attributes removal evasion -- non alphanumeric characters before equals sign.');
$f = filter_xss('<img oNmediAError=alert(0)>', array('img'));
$this->assertNoNormalized($f, 'onmediaerror', 'HTML filter attributes removal evasion -- varying case.');
// Works at least with IE6.
$f = filter_xss("<img o\0nfocus\0=alert(0)>", array('img'));
$this->assertNoNormalized($f, 'focus', 'HTML filter attributes removal evasion -- breaking with nulls.');
// Only whitelisted scheme names allowed in attributes.
$f = filter_xss('<img src="javascript:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing -- no evasion.');
$f = filter_xss('<img src=javascript:alert(0)>', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- no quotes.');
// A bit like CVE-2006-0070.
$f = filter_xss('<img src="javascript:confirm(0)">', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- no alert ;)');
$f = filter_xss('<img src=`javascript:alert(0)`>', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- grave accents.');
$f = filter_xss('<img dynsrc="javascript:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing -- rare attribute.');
$f = filter_xss('<table background="javascript:alert(0)">', array('table'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing -- another tag.');
$f = filter_xss('<base href="javascript:alert(0);//">', array('base'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing -- one more attribute and tag.');
$f = filter_xss('<img src="jaVaSCriPt:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- varying case.');
$f = filter_xss('<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#48;&#41;>', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- UTF-8 decimal encoding.');
$f = filter_xss('<img src=&#00000106&#0000097&#00000118&#0000097&#00000115&#0000099&#00000114&#00000105&#00000112&#00000116&#0000058&#0000097&#00000108&#00000101&#00000114&#00000116&#0000040&#0000048&#0000041>', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- long UTF-8 encoding.');
$f = filter_xss('<img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x30&#x29>', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- UTF-8 hex encoding.');
$f = filter_xss("<img src=\"jav\tascript:alert(0)\">", array('img'));
$this->assertNoNormalized($f, 'script', 'HTML scheme clearing evasion -- an embedded tab.');
$f = filter_xss('<img src="jav&#x09;ascript:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'script', 'HTML scheme clearing evasion -- an encoded, embedded tab.');
$f = filter_xss('<img src="jav&#x000000A;ascript:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'script', 'HTML scheme clearing evasion -- an encoded, embedded newline.');
// With &#xD; this test would fail, but the entity gets turned into
// &amp;#xD;, so it's OK.
$f = filter_xss('<img src="jav&#x0D;ascript:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'script', 'HTML scheme clearing evasion -- an encoded, embedded carriage return.');
$f = filter_xss("<img src=\"\n\n\nj\na\nva\ns\ncript:alert(0)\">", array('img'));
$this->assertNoNormalized($f, 'cript', 'HTML scheme clearing evasion -- broken into many lines.');
$f = filter_xss("<img src=\"jav\0a\0\0cript:alert(0)\">", array('img'));
$this->assertNoNormalized($f, 'cript', 'HTML scheme clearing evasion -- embedded nulls.');
$f = filter_xss('<img src=" &#14; javascript:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'javascript', 'HTML scheme clearing evasion -- spaces and metacharacters before scheme.');
$f = filter_xss('<img src="vbscript:msgbox(0)">', array('img'));
$this->assertNoNormalized($f, 'vbscript', 'HTML scheme clearing evasion -- another scheme.');
$f = filter_xss('<img src="nosuchscheme:notice(0)">', array('img'));
$this->assertNoNormalized($f, 'nosuchscheme', 'HTML scheme clearing evasion -- unknown scheme.');
// Netscape 4.x javascript entities.
$f = filter_xss('<br size="&{alert(0)}">', array('br'));
$this->assertNoNormalized($f, 'alert', 'Netscape 4.x javascript entities.');
// DRUPAL-SA-2008-006: Invalid UTF-8, these only work as reflected XSS with
// Internet Explorer 6.
$f = filter_xss("<p arg=\"\xe0\">\" style=\"background-image: url(javascript:alert(0));\"\xe0<p>", array('p'));
$this->assertNoNormalized($f, 'style', 'HTML filter -- invalid UTF-8.');
$f = filter_xss("\xc0aaa");
$this->assertEqual($f, '', 'HTML filter -- overlong UTF-8 sequences.');
$f = filter_xss("Who&#039;s Online");
$this->assertNormalized($f, "who's online", 'HTML filter -- html entity number');
$f = filter_xss("Who&amp;#039;s Online");
$this->assertNormalized($f, "who&#039;s online", 'HTML filter -- encoded html entity number');
$f = filter_xss("Who&amp;amp;#039; Online");
$this->assertNormalized($f, "who&amp;#039; online", 'HTML filter -- double encoded html entity number');
}
/**
* Tests filter settings, defaults, access restrictions and similar.
......@@ -382,21 +200,6 @@ function testNoFollowFilter() {
$this->assertNormalized($f, 'rel="nofollow"', 'Spam deterrent evasion -- with rel set - rel="nofollow" added.');
}
/**
* Tests the loose, admin HTML filter.
*/
function testFilterXSSAdmin() {
// DRUPAL-SA-2008-044
$f = filter_xss_admin('<object />');
$this->assertNoNormalized($f, 'object', 'Admin HTML filter -- should not allow object tag.');
$f = filter_xss_admin('<script />');
$this->assertNoNormalized($f, 'script', 'Admin HTML filter -- should not allow script tag.');
$f = filter_xss_admin('<style /><iframe /><frame /><frameset /><meta /><link /><embed /><applet /><param /><layer />');
$this->assertEqual($f, '', 'Admin HTML filter -- should never allow some tags.');
}
/**
* Tests the HTML escaping filter.
*
......
......@@ -34,16 +34,6 @@ protected function setUp() {
config_install_default_config('module', 'system');
}
/**
* Checks that invalid multi-byte sequences are rejected.
*/
function testInvalidMultiByte() {
$text = filter_xss("Foo\xC0barbaz");
$this->assertEqual($text, '', 'filter_xss() rejects invalid sequence "Foo\xC0barbaz"');
$text = filter_xss("Fooÿñ");
$this->assertEqual($text, "Fooÿñ", 'filter_xss() accepts valid sequence Fooÿñ');
}
/**
* Tests t() functionality.
*/
......
<?php
/**
* @file
* Contains \Drupal\Tests\Component\Utility\XssTest.
*/
namespace Drupal\Tests\Component\Utility;
use Drupal\Component\Utility\String;
use Drupal\Component\Utility\UrlValidator;
use Drupal\Component\Utility\Xss;
use Drupal\Tests\UnitTestCase;
/**
* Tests the Xss utility.
*
* Script injection vectors mostly adopted from http://ha.ckers.org/xss.html.
*
* Relevant CVEs:
* - CVE-2002-1806, ~CVE-2005-0682, ~CVE-2005-2106, CVE-2005-3973,
* CVE-2006-1226 (= rev. 1.112?), CVE-2008-0273, CVE-2008-3740.
*
* @see \Drupal\Component\Utility\Xss
*/
class XssTest extends UnitTestCase {
public static function getInfo() {
return array(
'name' => 'Xss filter tests',
'description' => 'Confirm that Xss::filter() works as expected.',
'group' => 'Common',
);
}
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$allowed_protocols = array(
'http',
'https',
'ftp',
'news',
'nntp',
'telnet',
'mailto',
'irc',
'ssh',
'sftp',
'webcal',
'rtsp',
);
UrlValidator::setAllowedProtocols($allowed_protocols);
}
/**
* Tests limiting allowed tags and XSS prevention.
*
* XSS tests assume that script is disallowed by default and src is allowed
* by default, but on* and style attributes are disallowed.
*
* @param string $value
* The value to filter.
* @param string $expected
* The expected result.
* @param string $message
* The assertion message to display upon failure.
*
* @dataProvider providerTestFilterXssNormalized
*/
public function testFilterXssNormalized($value, $expected, $message) {
$this->assertNormalized(Xss::filter($value), $expected, $message);
}
/**
* Data provider for testFilterXssNormalized().
*
* @see testFilterXssNormalized()
*
* @return array
* An array of arrays containing strings:
* - The value to filter.
* - The value to expect after filtering.
* - The assertion message.
*/
public function providerTestFilterXssNormalized() {
return array(
array(
"Who&#039;s Online",
"who's online",
'HTML filter -- html entity number',
),
array(
"Who&amp;#039;s Online",
"who&#039;s online",
'HTML filter -- encoded html entity number',
),
array(
"Who&amp;amp;#039; Online",
"who&amp;#039; online",
'HTML filter -- double encoded html entity number',
),
);
}
/**
* Tests limiting allowed tags and XSS prevention.
*
* XSS tests assume that script is disallowed by default and src is allowed
* by default, but on* and style attributes are disallowed.
*
* @param string $value
* The value to filter.
* @param string $expected
* The expected result.
* @param string $message
* The assertion message to display upon failure.
* @param array $allowed_tags
* (Optional) The allowed tags to be passed on Xss::filter().
*
* @dataProvider providerTestFilterXssNotNormalized
*/
public function testFilterXssNotNormalized($value, $expected, $message, array $allowed_tags = NULL) {
if ($allowed_tags === NULL) {
$value = Xss::filter($value);
}
else {
$value = Xss::filter($value, $allowed_tags);
}
$this->assertNotNormalized($value, $expected, $message);
}
/**
* Data provider for testFilterXssNotNormalized().
*
* @see testFilterXssNotNormalized()
*
* @return array
* An array of arrays containing the following elements:
* - The value to filter string.
* - The value to expect after filtering string.
* - The assertion message string.
* - (optional) The allowed html tags array that should be passed to
* Xss::filter().
*/
public function providerTestFilterXssNotNormalized() {
$cases = array(
// Tag stripping, different ways to work around removal of HTML tags.
array(
'<script>alert(0)</script>',
'script',
'HTML tag stripping -- simple script without special characters.',
),
array(
'<script src="http://www.example.com" />',
'script',
'HTML tag stripping -- empty script with source.',
),
array(
'<ScRipt sRc=http://www.example.com/>',
'script',
'HTML tag stripping evasion -- varying case.',
),
array(
"<script\nsrc\n=\nhttp://www.example.com/\n>",
'script',
'HTML tag stripping evasion -- multiline tag.',
),
array(
'<script/a src=http://www.example.com/a.js></script>',
'script',
'HTML tag stripping evasion -- non whitespace character after tag name.',
),
array(
'<script/src=http://www.example.com/a.js></script>',
'script',
'HTML tag stripping evasion -- no space between tag and attribute.',
),
// Null between < and tag name works at least with IE6.
array(
"<\0scr\0ipt>alert(0)</script>",
'ipt',
'HTML tag stripping evasion -- breaking HTML with nulls.',
),
array(
"<scrscriptipt src=http://www.example.com/a.js>",
'script',
'HTML tag stripping evasion -- filter just removing "script".',
),
array(
'<<script>alert(0);//<</script>',
'script',
'HTML tag stripping evasion -- double opening brackets.',
),
array(
'<script src=http://www.example.com/a.js?<b>',
'script',
'HTML tag stripping evasion -- no closing tag.',
),
// DRUPAL-SA-2008-047: This doesn't seem exploitable, but the filter should
// work consistently.
array(
'<script>>',
'script',
'HTML tag stripping evasion -- double closing tag.',
),
array(
'<script src=//www.example.com/.a>',
'script',
'HTML tag stripping evasion -- no scheme or ending slash.',
),
array(
'<script src=http://www.example.com/.a',
'script',
'HTML tag stripping evasion -- no closing bracket.',
),
array(
'<script src=http://www.example.com/ <',
'script',
'HTML tag stripping evasion -- opening instead of closing bracket.',
),
array(
'<nosuchtag attribute="newScriptInjectionVector">',
'nosuchtag',
'HTML tag stripping evasion -- unknown tag.',
),
array(
'<t:set attributeName="innerHTML" to="&lt;script defer&gt;alert(0)&lt;/script&gt;">',
't:set',
'HTML tag stripping evasion -- colon in the tag name (namespaces\' tricks).',
),
array(
'<img """><script>alert(0)</script>',
'script',
'HTML tag stripping evasion -- a malformed image tag.',
array('img'),
),
array(
'<blockquote><script>alert(0)</script></blockquote>',
'script',
'HTML tag stripping evasion -- script in a blockqoute.',
array('blockquote'),
),
array(
"<!--[if true]><script>alert(0)</script><![endif]-->",
'script',
'HTML tag stripping evasion -- script within a comment.',
),
// Dangerous attributes removal.
array(
'<p onmouseover="http://www.example.com/">',
'onmouseover',
'HTML filter attributes removal -- events, no evasion.',
array('p'),
),
array(
'<li style="list-style-image: url(javascript:alert(0))">',
'style',
'HTML filter attributes removal -- style, no evasion.',
array('li'),
),
array(
'<img onerror =alert(0)>',
'onerror',
'HTML filter attributes removal evasion -- spaces before equals sign.',
array('img'),
),
array(
'<img onabort!#$%&()*~+-_.,:;?@[/|\]^`=alert(0)>',
'onabort',
'HTML filter attributes removal evasion -- non alphanumeric characters before equals sign.',
array('img'),
),
array(
'<img oNmediAError=alert(0)>',
'onmediaerror',
'HTML filter attributes removal evasion -- varying case.',
array('img'),
),
// Works at least with IE6.
array(
"<img o\0nfocus\0=alert(0)>",
'focus',
'HTML filter attributes removal evasion -- breaking with nulls.',
array('img'),
),
// Only whitelisted scheme names allowed in attributes.
array(
'<img src="javascript:alert(0)">',
'javascript',
'HTML scheme clearing -- no evasion.',
array('img'),
),
array(
'<img src=javascript:alert(0)>',
'javascript',
'HTML scheme clearing evasion -- no quotes.',
array('img'),
),
// A bit like CVE-2006-0070.
array(
'<img src="javascript:confirm(0)">',
'javascript',
'HTML scheme clearing evasion -- no alert ;)',
array('img'),
),
array(
'<img src=`javascript:alert(0)`>',
'javascript',
'HTML scheme clearing evasion -- grave accents.',
array('img'),
),
array(
'<img dynsrc="javascript:alert(0)">',
'javascript',
'HTML scheme clearing -- rare attribute.',
array('img'),
),
array(
'<table background="javascript:alert(0)">',
'javascript',
'HTML scheme clearing -- another tag.',
array('table'),
),
array(
'<base href="javascript:alert(0);//">',
'javascript',
'HTML scheme clearing -- one more attribute and tag.',
array('base'),
),
array(
'<img src="jaVaSCriPt:alert(0)">',
'javascript',
'HTML scheme clearing evasion -- varying case.',
array('img'),
),
array(
'<img src=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#48;&#41;>',
'javascript',
'HTML scheme clearing evasion -- UTF-8 decimal encoding.',
array('img'),
),
array(
'<img src=&#00000106&#0000097&#00000118&#0000097&#00000115&#0000099&#00000114&#00000105&#00000112&#00000116&#0000058&#0000097&#00000108&#00000101&#00000114&#00000116&#0000040&#0000048&#0000041>',
'javascript',
'HTML scheme clearing evasion -- long UTF-8 encoding.',
array('img'),
),
array(
'<img src=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x30&#x29>',
'javascript',
'HTML scheme clearing evasion -- UTF-8 hex encoding.',
array('img'),
),
array(
"<img src=\"jav\tascript:alert(0)\">",
'script',
'HTML scheme clearing evasion -- an embedded tab.',
array('img'),
),
array(
'<img src="jav&#x09;ascript:alert(0)">',
'script',
'HTML scheme clearing evasion -- an encoded, embedded tab.',
array('img'),
),
array(
'<img src="jav&#x000000A;ascript:alert(0)">',
'script',
'HTML scheme clearing evasion -- an encoded, embedded newline.',
array('img'),
),
// With &#xD; this test would fail, but the entity gets turned into
// &amp;#xD;, so it's OK.
array(
'<img src="jav&#x0D;ascript:alert(0)">',
'script',
'HTML scheme clearing evasion -- an encoded, embedded carriage return.',
array('img'),
),
array(
"<img src=\"\n\n\nj\na\nva\ns\ncript:alert(0)\">",
'cript',
'HTML scheme clearing evasion -- broken into many lines.',
array('img'),
),
array(
"<img src=\"jav\0a\0\0cript:alert(0)\">",
'cript',
'HTML scheme clearing evasion -- embedded nulls.',