diff options
author | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 12:21:20 -0500 |
---|---|---|
committer | Joey Hess <joey@kodama.kitenet.net> | 2008-02-10 12:21:20 -0500 |
commit | 5e47db9356e0881d0b0cf5135d6e63a64bcde545 (patch) | |
tree | b13cfc8504c9fa088547a296ab0e924710d23b17 | |
parent | 17246f6b45d02ab41d9c8c1dbe02e45bcab52e81 (diff) | |
download | ikiwiki-5e47db9356e0881d0b0cf5135d6e63a64bcde545.tar ikiwiki-5e47db9356e0881d0b0cf5135d6e63a64bcde545.tar.gz |
improved sanitiser test suite
-rwxr-xr-x | t/htmlize.t | 35 | ||||
-rw-r--r-- | t/javascript.mdwn | 9 |
2 files changed, 30 insertions, 14 deletions
diff --git a/t/htmlize.t b/t/htmlize.t index 670500a67..9e2e3ec59 100755 --- a/t/htmlize.t +++ b/t/htmlize.t @@ -1,7 +1,7 @@ #!/usr/bin/perl use warnings; use strict; -use Test::More tests => 5; +use Test::More tests => 16; use Encode; BEGIN { use_ok("IkiWiki"); } @@ -19,7 +19,32 @@ is(IkiWiki::htmlize("foo", "mdwn", readfile("t/test1.mdwn")), "utf8; bug #373203"); ok(IkiWiki::htmlize("foo", "mdwn", readfile("t/test2.mdwn")), "this file crashes markdown if it's fed in as decoded utf-8"); -my $ret=IkiWiki::htmlize("foo", "mdwn", readfile("t/javascript.mdwn")); -ok($ret !~ /GOTCHA/, - "javascript.mdwn contains a number of attempts at getting - javascript that contains GOTCHA past the html sanitiser."); + +# embedded javascript sanitisation tests +sub gotcha { + my $html=IkiWiki::htmlize("foo", "mdwn", shift); + return $html =~ /GOTCHA/; +} +ok(!gotcha(q{<a href="javascript:alert('GOTCHA')">click me</a>}), + "javascript url"); +ok(!gotcha(q{<a href="javascript:alert('GOTCHA')">click me</a>}), + "partially encoded javascript url"); +ok(!gotcha(q{<a href="jscript:alert('GOTCHA')">click me</a>}), + "jscript url"); +ok(!gotcha(q{<a href="vbscript:alert('GOTCHA')">click me</a>}), + "vbscrpt url"); +ok(!gotcha(q{<a href="java script:alert('GOTCHA')">click me</a>}), + "java-tab-script url"); +ok(!gotcha(q{<span style="any: expressio(GOTCHA)n(window.location='http://example.org/')">foo</span>}), + "entity-encoded CSS script test"); +ok(!gotcha(q{<span style="any: expression(GOTCHA)(window.location='http://example.org/')">foo</span>}), + "another entity-encoded CSS script test"); +ok(!gotcha(q{<script>GOTCHA</script>}), + "script tag"); +ok(!gotcha(q{<span style="background: url(javascript:window.location=GOTCHA)">a</span>}), + "CSS script test"); +ok(gotcha(q{<p>javascript:alert('GOTCHA')</p>}), + "not javascript AFAIK (but perhaps some web browser would like to + be perverse and assume it is?)"); +ok(gotcha(q{<img src="javascript.png?GOTCHA">}), "not javascript"); +ok(gotcha(q{<a href="javascript.png?GOTCHA">foo</a>}), "not javascript"); diff --git a/t/javascript.mdwn b/t/javascript.mdwn deleted file mode 100644 index f768d2939..000000000 --- a/t/javascript.mdwn +++ /dev/null @@ -1,9 +0,0 @@ -<a href="javascript:alert('GOTCHA')">click me</a> -<a href="javascript:alert('GOTCHA')">click me</a> -<a href="jscript:alert('GOTCHA')">click me</a> -<a href="vbscript:alert('GOTCHA')">click me</a> -<a href="java\tscript:alert('GOTCHA')">click me</a> -<span style="any: expressio(GOTCHA)n(window.location='http://example.org/')">entity-encoded CSS script test</span> -<span style="any: expression(GOTCHA)(window.location='http://example.org/')">entity-encoded CSS script test</span> -<script>GOTCHA</script> -<span style="background: url(javascript:window.location=GOTCHA)">CSS script test</span> |