From af04ac92e2ff852309891ebc767fa5a6bf179f39 Mon Sep 17 00:00:00 2001
From: Aidan Woods
Date: Mon, 1 May 2017 03:33:49 +0100
Subject: [PATCH] add xss tests
---
 test/ParsedownTest.php | 2 ++
 test/data/xss_attribute_encoding.html | 6 ++++++
 test/data/xss_attribute_encoding.md | 11 ++++++++++
 test/data/xss_bad_url.html | 16 ++++++++++++++
 test/data/xss_bad_url.md | 31 +++++++++++++++++++++++++++
 test/data/xss_text_encoding.html | 7 ++++++
 test/data/xss_text_encoding.md | 12 +++++++++++
 7 files changed, 85 insertions(+)
 create mode 100644 test/data/xss_attribute_encoding.html
 create mode 100644 test/data/xss_attribute_encoding.md
 create mode 100644 test/data/xss_bad_url.html
 create mode 100644 test/data/xss_bad_url.md
 create mode 100644 test/data/xss_text_encoding.html
 create mode 100644 test/data/xss_text_encoding.md
diff --git a/test/ParsedownTest.php b/test/ParsedownTest.php
index 323dace..5fbf7f1 100644
--- a/test/ParsedownTest.php
+++ b/test/ParsedownTest.php
@@ -46,6 +46,8 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
 $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
 $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
+ $this->Parsedown->setMarkupEscaped($test === 'xss_text_encoding');
+
 $actualMarkup = $this->Parsedown->text($markdown);
 $this->assertEquals($expectedMarkup, $actualMarkup);
diff --git a/test/data/xss_attribute_encoding.html b/test/data/xss_attribute_encoding.html
new file mode 100644
index 0000000..287ff51
--- /dev/null
+++ b/test/data/xss_attribute_encoding.html
@@ -0,0 +1,6 @@
+
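Review bot: The fixture that needs markup escaping is selected by comparing `$test` with the hard-coded literal 'xss_text_encoding', so renaming that fixture silently turns escaping off and the assertion then fails for a reason that looks unrelated; the line deserves a comment stating the intent, e.g. `// only xss_text_encoding asserts that raw HTML is escaped; every other fixture, including the xss_* URL cases, must pass with Parsedown's default (unescaped) settings`. Because the flag is reassigned on every iteration of the shared `$this->Parsedown` instance, no escaping state appears to leak between fixtures, but a small list of fixture names that require escaping would be less fragile than a single literal buried in the loop. The enclosing test method starts and ends outside the hunk.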

xss

+

xss

+

xss

+

xss

+

xss"

+

xss'

\ No newline at end of file
diff --git a/test/data/xss_attribute_encoding.md b/test/data/xss_attribute_encoding.md
new file mode 100644
index 0000000..3d8e0c8
--- /dev/null
+++ b/test/data/xss_attribute_encoding.md
@@ -0,0 +1,11 @@
+[xss](https://www.example.com")
+
+![xss](https://www.example.com")
+
+[xss](https://www.example.com')
+
+![xss](https://www.example.com')
+
+![xss"](https://www.example.com)
+
+![xss'](https://www.example.com)
\ No newline at end of file
diff --git a/test/data/xss_bad_url.html b/test/data/xss_bad_url.html
new file mode 100644
index 0000000..93dd0d8
--- /dev/null
+++ b/test/data/xss_bad_url.html
@@ -0,0 +1,16 @@
+
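Review bot: The attribute-encoding fixture exercises `"` and `'` inside the link and image URL and inside the image alt text, but not inside the optional link title (`[xss](https://www.example.com "ti"tle")`), which is presumably emitted as a title attribute and is the other user-controlled attribute value in inline links; one title case per quote character would close that gap. The expected HTML for this hunk lost its tags in this view, so whether the quotes are entity-encoded or stripped cannot be confirmed from here.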

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

+

xss

\ No newline at end of file
diff --git a/test/data/xss_bad_url.md b/test/data/xss_bad_url.md
new file mode 100644
index 0000000..a730952
--- /dev/null
+++ b/test/data/xss_bad_url.md
@@ -0,0 +1,31 @@
+[xss](javascript:alert(1))
+
+[xss]( javascript:alert(1))
+
+[xss](javascript://alert(1))
+
+[xss](javascript:alert(1))
+
+![xss](javascript:alert(1))
+
+![xss]( javascript:alert(1))
+
+![xss](javascript://alert(1))
+
+![xss](javascript:alert(1))
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
+
+![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
\ No newline at end of file
diff --git a/test/data/xss_text_encoding.html b/test/data/xss_text_encoding.html
new file mode 100644
index 0000000..e6b3fc5
--- /dev/null
+++ b/test/data/xss_text_encoding.html
@@ -0,0 +1,7 @@
+
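Review bot: Every entry in this fixture writes the `javascript:` and `data:` schemes in lowercase, so a scheme check that regressed to a case-sensitive comparison would still pass the test; one mixed-case entry per scheme would pin case-insensitive handling. Entries 1 and 4 of each group of four read identically in this view, which is probably the extraction decoding an entity-encoded scheme variant in the original .md — if so that is a good case to have, but it is worth confirming the two lines really differ in the committed file. Since the test hunk enables markup escaping only for xss_text_encoding, this fixture asserts Parsedown's default configuration, which is the right mode for a URL-neutralisation check; the expected .html lost its tags here, so the exact neutralised href/src cannot be confirmed from this page.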

<script>alert(1)</script>

+

<script>

+

alert(1)

+

</script>

+

<script> +alert(1) +</script>

\ No newline at end of file
diff --git a/test/data/xss_text_encoding.md b/test/data/xss_text_encoding.md
new file mode 100644
index 0000000..b1051a2
--- /dev/null
+++ b/test/data/xss_text_encoding.md
@@ -0,0 +1,12 @@
+ + + + + +
\ No newline at end of file