\t',
'»',
'\0'
), escapeHTML ( str_replace ( "\0", '\0(null)', wordwrap ( $string, 28, " »\n", true ) ) ) );
}
?>
HTML Purifier XSS Attacks Smoketest
HTML Purifier XSS Attacks Smoketest
XSS attacks are from http://ha.ckers.org/xss.html.
Caveats:
Google.com
has been programmatically disallowed, but as you can see, there are
ways of getting around that, so coverage in this area is not
complete. Most XSS broadcasts its presence by spawning an alert
dialogue. The displayed code is not strictly correct, as linebreaks
have been forced for readability. Linewraps have been marked with
»
. Some tests are omitted for your convenience. Not all control
characters are displayed.
Test
Requires PHP 5.' );
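// Load the attack corpus. simplexml_load_file() returns false when the file is
// missing or not well-formed XML; without this check the loop further down
// would only emit PHP warnings and render an empty results table, which is easy
// to misread as "every vector was neutralised".
$xml = simplexml_load_file ( 'xssAttacks.xml' );
if ($xml === false) {
    exit ( 'Could not load xssAttacks.xml' );
}
// Programmatically disallow google.com so the URI evasion vectors in the corpus
// have a blacklisted host to be checked against. This is deliberately not
// complete coverage: a host blacklist is only one layer, and the page caveat
// notes that some vectors route around it.
$config = HTMLPurifier_Config::createDefault ();
$config->set ( 'URI.HostBlacklist', array (
    'google.com'
) );
// Purifier instance shared by every row of the smoketest table below.
$purifier = new HTMLPurifier ( $config );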
?>
Name |
Raw |
Output |
Render |
attack as $attack ) {
$code = $attack->code;
// custom code for null byte injection tests
if (substr ( $code, 0, 7 ) == 'perl -e') {
$code = substr ( $code, $i = strpos ( $code, '"' ) + 1, strrpos ( $code, '"' ) - $i );
$code = str_replace ( '\0', "\0", $code );
}
// disable vectors we cannot test in any meaningful way
if ($code == 'See Below')
continue; // event handlers, whitelist defeats
if ($attack->name == 'OBJECT w/Flash 2')
continue; // requires ActionScript
if ($attack->name == 'IMG Embedded commands 2')
continue; // is an HTTP response
// custom code for US-ASCII, which couldn't be expressed in XML without encoding
if ($attack->name == 'US-ASCII encoding')
$code = urldecode ( $code );
?>
>
name); ?> |
|
purify($code); ?>
|
|