1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
"""More advanced security tests"""
from nose.tools import eq_
from bleach import clean
def test_nested_script_tag():
eq_('<<script>script>evil()<</script>/script>',
clean('<<script>script>evil()<</script>/script>'))
eq_('<<x>script>evil()<</x>/script>',
clean('<<x>script>evil()<</x>/script>'))
def test_nested_script_tag_r():
eq_('<script<script>>evil()</script<>>',
clean('<script<script>>evil()</script</script>>'))
def test_invalid_attr():
IMG = ['img', ]
IMG_ATTR = ['src']
eq_('<a href="test">test</a>',
clean('<a onclick="evil" href="test">test</a>'))
eq_('<img src="test">',
clean('<img onclick="evil" src="test" />',
tags=IMG, attributes=IMG_ATTR))
eq_('<img src="test">',
clean('<img href="invalid" src="test" />',
tags=IMG, attributes=IMG_ATTR))
def test_unquoted_attr():
eq_('<abbr title="mytitle">myabbr</abbr>',
clean('<abbr title=mytitle>myabbr</abbr>'))
def test_unquoted_event_handler():
eq_('<a href="http://xx.com">xx.com</a>',
clean('<a href="http://xx.com" onclick=foo()>xx.com</a>'))
def test_invalid_attr_value():
eq_('<img src="javascript:alert(\'XSS\');">',
clean('<img src="javascript:alert(\'XSS\');">'))
def test_invalid_href_attr():
eq_('<a>xss</a>',
clean('<a href="javascript:alert(\'XSS\')">xss</a>'))
def test_invalid_filter_attr():
IMG = ['img', ]
IMG_ATTR = {'img': lambda n, v: n == 'src' and v == "http://example.com/"}
eq_('<img src="http://example.com/">',
clean('<img onclick="evil" src="http://example.com/" />',
tags=IMG, attributes=IMG_ATTR))
eq_('<img>', clean('<img onclick="evil" src="http://badhost.com/" />',
tags=IMG, attributes=IMG_ATTR))
def test_invalid_tag_char():
eq_('<script xss="" src="http://xx.com/xss.js"></script>',
clean('<script/xss src="http://xx.com/xss.js"></script>'))
eq_('<script src="http://xx.com/xss.js"></script>',
clean('<script/src="http://xx.com/xss.js"></script>'))
def test_unclosed_tag():
eq_('<script src="http://xx.com/xss.js&lt;b">',
clean('<script src=http://xx.com/xss.js<b>'))
eq_('<script src="http://xx.com/xss.js" <b="">',
clean('<script src="http://xx.com/xss.js"<b>'))
eq_('<script src="http://xx.com/xss.js" <b="">',
clean('<script src="http://xx.com/xss.js" <b>'))
def test_strip():
"""Using strip=True shouldn't result in malicious content."""
s = '<scri<script>pt>alert(1)</scr</script>ipt>'
eq_('pt>alert(1)ipt>', clean(s, strip=True))
s = '<scri<scri<script>pt>pt>alert(1)</script>'
eq_('pt>pt>alert(1)', clean(s, strip=True))
def test_nasty():
"""Nested, broken up, multiple tags, are still foiled!"""
test = ('<scr<script></script>ipt type="text/javascript">alert("foo");</'
'<script></script>script<del></del>>')
expect = ('<scr<script></script>ipt type="text/javascript"'
'>alert("foo");</script>script<del></del>'
'>')
eq_(expect, clean(test))
def test_poster_attribute():
"""Poster attributes should not allow javascript."""
tags = ['video']
attrs = {'video': ['poster']}
test = '<video poster="javascript:alert(1)"></video>'
expect = '<video></video>'
eq_(expect, clean(test, tags=tags, attributes=attrs))
ok = '<video poster="/foo.png"></video>'
eq_(ok, clean(ok, tags=tags, attributes=attrs))
def test_feed_protocol():
eq_('<a>foo</a>', clean('<a href="feed:file:///tmp/foo">foo</a>'))
|