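"""Regression tests for the ``text/x-html-safe`` (safe HTML) transform.

Each case pushes a known cross-site-scripting vector through the site's
``portal_transforms`` tool and pins the exact sanitised markup, so a
filter change that lets a script-bearing URL, style or tag through
again surfaces as a test failure rather than going unnoticed.
"""
import os
import sys

# Zope 2 test bootstrap: when run as a script, load the runner's
# framework.py (presumably where the ``framework()`` called at the bottom
# of this file comes from) from the directory this script lives in.
if __name__ == '__main__':
   execfile(os.path.join(sys.path[0], 'framework.py'))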
00006 
00007 from Testing import ZopeTestCase
00008 from Products.Archetypes.tests.atsitetestcase import ATSiteTestCase
00009 
00010 
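class TestXSSFilter(ATSiteTestCase):
   """Pin the output of the ``text/x-html-safe`` transform for known XSS vectors.

   Every case runs an attack string through ``portal_transforms`` and
   asserts the *exact* sanitised markup, so the expectations double as a
   spec of what the filter must strip:

   * ``javascript:`` / ``vbscript:`` URLs in ``src`` and ``href`` -- plain,
     fully entity-encoded, and split by spaces or newlines -- lose the
     whole attribute, and ``<html>``/``<body>`` wrappers disappear
     (test_1 .. test_7, test_12 .. test_14);
   * a ``style`` attribute carrying ``url(<script scheme>)`` or an IE
     ``expression(...)`` is dropped entirely, however the keyword is
     split (test_8 .. test_11, test_15 .. test_17);
   * harmless markup passes through unchanged (test_18 .. test_20);
   * an unknown element is unwrapped to its text, attributes discarded
     (test_21);
   * a tag nested inside another tag must not reassemble into ``<script>``
     once the inner tag is removed (test_22).

   Not covered in this file: event-handler attributes (``onerror`` and
   friends), ``data:`` URLs, and ``<script>``/``<iframe>``/``<object>``
   written out directly rather than via evasion.

   NOTE(review): test_8 .. test_11 spell the CSS property ``bacground``.
   If the transform drops unknown properties regardless of value, those
   cases pass without proving that a script URL inside a real
   ``background:`` is caught -- confirm against the transform and add a
   correctly spelled companion case.
   """

   def afterSetUp(self):
       """Look up the site's transform tool once per test."""
       ATSiteTestCase.afterSetUp(self)
       self.engine = self.portal.portal_transforms

   def doTest(self, data_in, data_out):
       """Run ``data_in`` through the safe-HTML transform and require ``data_out``.

       The input is always declared as ``text/html``.  An empty result is
       reported as a failure of its own: every expectation in this class is
       non-empty, so an empty string points at a broken transform rather
       than a sanitisation decision.
       """
       html = self.engine.convertTo('text/x-html-safe', data_in,
                                    mimetype="text/html")
       result = html.getData()
       # A unittest assertion rather than a bare ``assert``: it survives
       # ``python -O`` and names the offending input on failure.
       self.assertTrue(result, 'transform returned no data for %r' % (data_in,))
       self.assertEqual(data_out, result)

   def test_1(self):
       """javascript: in img src inside a full document: attribute and wrappers go."""
       data_in = """<html><body><img src="javascript:Alert('XSS');" /></body></html>"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_2(self):
       """javascript: in img src as a bare fragment."""
       data_in = """<img src="javascript:Alert('XSS');" />"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_3(self):
       """Fully entity-encoded javascript:alert('XSS'), unquoted, upper-case tag, in a document."""
       data_in = """<html><body><IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;></body></html>"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_4(self):
       """Same entity-encoded vector as test_3, as a bare fragment; tag name is lower-cased."""
       data_in = """<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_5(self):
       """javascript: scheme broken up by newlines and indentation."""
       data_in = """<img src="jav
       asc
       ript:Alert('XSS');" />"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_6(self):
       """javascript: scheme broken up by spaces."""
       data_in = """<img src="jav asc ript:Alert('XSS');"/>"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_7(self):
       """Entity-encoded javascript: in an anchor href: href dropped, text kept."""
       data_in = """<a href=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>test med a-tag</a>"""
       data_out = """<a>test med a-tag</a>"""
       self.doTest(data_in, data_out)

   def test_8(self):
       """Space-split javascript: inside a CSS url(): whole style attribute dropped."""
       data_in = """<div style="bacground:url(jav asc ript:Alert('XSS')">test</div>"""
       data_out = """<div>test</div>"""
       self.doTest(data_in, data_out)

   def test_9(self):
       """Newline-split javascript: inside a CSS url()."""
       data_in = """<div style="bacground:url(jav
       asc
       ript:
       Alert('XSS')">test</div>"""
       data_out = """<div>test</div>"""
       self.doTest(data_in, data_out)

   def test_10(self):
       """Entity-encoded javascript: inside a CSS url()."""
       data_in = """<div style="bacground:url(&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;">test</div>"""
       data_out = """<div>test</div>"""
       self.doTest(data_in, data_out)

   def test_11(self):
       """Space-split vbscript: inside a CSS url()."""
       data_in = """<div style="bacground:url(v b  sc  ript:msgbox('XSS')">test</div>"""
       data_out = """<div>test</div>"""
       self.doTest(data_in, data_out)

   def test_12(self):
       """vbscript: in img src."""
       data_in = """<img src="vbscript:msgbox('XSS')"/>"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_13(self):
       """vbscript: scheme broken up by newlines."""
       data_in = """<img src="vb
       sc
       ript:msgbox('XSS')"/>"""
       data_out = """<img />"""
       self.doTest(data_in, data_out)

   def test_14(self):
       """vbscript: in an anchor href: href dropped, text kept."""
       data_in = """<a href="vbscript:Alert('XSS')">test</a>"""
       data_out = """<a>test</a>"""
       self.doTest(data_in, data_out)

   def test_15(self):
       """IE CSS expression() in an upper-case STYLE attribute: attribute dropped."""
       data_in = """<div STYLE="width: expression(window.location='http://www.dr.dk';);">div</div>"""
       data_out = """<div>div</div>"""
       self.doTest(data_in, data_out)

   def test_16(self):
       """expression keyword broken up by spaces."""
       data_in = """<div STYLE="width: ex pre ss   io n(window.location='http://www.dr.dk';);">div</div>"""
       data_out = """<div>div</div>"""
       self.doTest(data_in, data_out)

   def test_17(self):
       """expression keyword broken up by newlines."""
       data_in = """<div STYLE="width: ex
       pre
       ss
       io
       n(window.location='http://www.dr.dk';);">div</div>"""
       data_out = """<div>div</div>"""
       self.doTest(data_in, data_out)

   def test_18(self):
       """A plain width rule in a style attribute survives untouched."""
       data_in = """<div style="width: 14px;">div</div>"""
       data_out = data_in
       self.doTest(data_in, data_out)

   def test_19(self):
       """An http:// anchor survives untouched."""
       data_in = """<a href="http://www.headnet.dk">headnet</a>"""
       data_out = data_in
       self.doTest(data_in, data_out)

   def test_20(self):
       """An http:// image source survives untouched."""
       data_in = """<img src="http://www.headnet.dk/log.jpg" />"""
       data_out = data_in
       self.doTest(data_in, data_out)

   def test_21(self):
       """An unknown element is unwrapped: attributes discarded, text content kept."""
       data_in = """<mustapha name="mustap" tlf="11 11 11 11" address="unknown">bla bla bla</mustapha>"""
       data_out = """bla bla bla"""
       self.doTest(data_in, data_out)

   def test_22(self):
       """Nested-tag evasion: removing <frame> must not reassemble a live <script>.

       The leftover ``<script>`` text comes out entity-escaped, so it is
       rendered literally rather than parsed as markup.
       """
       data_in = '<<frame></frame>script>alert("XSS");<<frame></frame>/script>'
       data_out = '&lt;script&gt;alert("XSS");&lt;/script&gt;'
       self.doTest(data_in, data_out)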
00146 
def test_suite():
   """Collect every TestXSSFilter case into one suite for the Zope test runner."""
   from unittest import TestSuite, makeSuite
   return TestSuite((makeSuite(TestXSSFilter),))
00152 
# ``framework()`` is not defined in this file; it is presumably provided by
# the framework.py that the guard at the top of the module execfile()s.
if __name__ == '__main__':
   framework()