From 768e3e1b09f2d9eeb906854cc2b3348f101f771a Mon Sep 17 00:00:00 2001
From: Aleksander Machniak <alec@alec.pl>
Date: Mon, 18 Jan 2016 03:55:44 -0500
Subject: [PATCH] Improved SVG cleanup code
---
tests/Framework/Washtml.php | 116 +++++++++++++++++++++++++++++++++++++++++++++++++++++++++
1 files changed, 115 insertions(+), 1 deletions(-)
diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php
index 08cf147..9515f0d 100644
--- a/tests/Framework/Washtml.php
+++ b/tests/Framework/Washtml.php
@@ -47,12 +47,22 @@
$html = "<!--[if gte mso 10]><p>p1</p><!--><p>p2</p>";
$washed = $washer->wash($html);
- $this->assertEquals('<!-- node type 8 --><!-- html ignored --><!-- body ignored --><p>p2</p>', $washed, "HTML conditional comments (#1489004)");
+ $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>p2</p>', $washed, "HTML conditional comments (#1489004)");
$html = "<!--TestCommentInvalid><p>test</p>";
$washed = $washer->wash($html);
$this->assertEquals('<!-- html ignored --><!-- body ignored --><p>test</p>', $washed, "HTML invalid comments (#1487759)");
+
+ $html = "<p>para1</p><!-- comment --><p>para2</p>";
+ $washed = $washer->wash($html);
+
+ $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><p>para2</p>', $washed, "HTML comments - simple comment");
+
+ $html = "<p>para1</p><!-- <hr> comment --><p>para2</p>";
+ $washed = $washer->wash($html);
+
+ $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><p>para2</p>', $washed, "HTML comments - tags inside (#1489904)");
}
/**
@@ -138,4 +148,108 @@
$this->assertRegExp('|font-size: 10px|', $washed, "Font-size style");
}
+ /**
+ * Test handling of unicode chars in style (#1489777)
+ */
+ function test_style_unicode()
+ {
+ $html = "<html><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
+ <body><span style='font-family:\"新細明體\",\"serif\";color:red'>test</span></body></html>";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertRegExp('|style="font-family: \"新細明體\",\"serif\"; color: red"|', $washed, "Unicode chars in style attribute - quoted (#1489697)");
+
+ $html = "<html><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" />
+ <body><span style='font-family:新細明體;color:red'>test</span></body></html>";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertRegExp('|style="font-family: 新細明體; color: red"|', $washed, "Unicode chars in style attribute (#1489697)");
+ }
+
+ /**
+ * Test style item fixes
+ */
+ function test_style_wash()
+ {
+ $html = "<p style=\"line-height: 1; height: 10\">a</p>";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertRegExp('|line-height: 1;|', $washed, "Untouched line-height (#1489917)");
+ $this->assertRegExp('|; height: 10px|', $washed, "Fixed height units");
+
+ $html = "<div style=\"padding: 0px\n 20px;border:1px solid #000;\"></div>";
+ $expected = "<div style=\"padding: 0px 20px; border: 1px solid #000\"></div>";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertTrue(strpos($washed, $expected) !== false, "White-space and new-line characters handling");
+ }
+
+ /**
+ * Test invalid style cleanup - XSS prevention (#1490227)
+ */
+ function test_style_wash_xss()
+ {
+ $html = "<img style=aaa:'\"/onerror=alert(1)//'>";
+ $exp = "<img style=\"aaa: '"/onerror=alert(1)//'\" />";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)");
+
+ $html = "<img style=aaa:'"/onerror=alert(1)//'>";
+ $exp = "<img style=\"aaa: '"/onerror=alert(1)//'\" />";
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($html);
+
+ $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)");
+ }
+
+ /**
+ * Test SVG cleanup
+ */
+ function test_style_wash_svg()
+ {
+ $svg = '<?xml version="1.0" standalone="no"?>
+<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd">
+<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cc="http://creativecommons.org/ns#" viewBox="0 0 100 100">
+ <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" onmouseover="alert(1)" />
+ <text x="50" y="68" font-size="48" fill="#FFF" text-anchor="middle"><![CDATA[410]]></text>
+ <script type="text/javascript">
+ alert(document.cookie);
+ </script>
+ <text x="10" y="25" >An example text</text>
+ <a xlink:href="http://www.w.pl"><rect width="100%" height="100%" /></a>
+ <foreignObject xlink:href="data:text/xml,%3Cscript xmlns=\'http://www.w3.org/1999/xhtml\'%3Ealert(1)%3C/script%3E"/>
+ <set attributeName="onmouseover" to="alert(1)"/>
+ <animate attributeName="onunload" to="alert(1)"/>
+ <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" />
+</svg>';
+
+ $exp = '<svg xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" version="1.1" baseProfile="full" viewBox="0 0 100 100">
+ <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" x-washed="onmouseover" />
+ <text x="50" y="68" font-size="48" fill="#FFF" text-anchor="middle">410</text>
+ <!-- script not allowed -->
+ <text x="10" y="25">An example text</text>
+ <a xlink:href="http://www.w.pl"><rect width="100%" height="100%" /></a>
+ <!-- foreignObject ignored -->
+ <set attributeName="onmouseover" x-washed="to" />
+ <animate attributeName="onunload" x-washed="to" />
+ <animate attributeName="xlink:href" begin="0" x-washed="from" />
+</svg>';
+
+ $washer = new rcube_washtml;
+ $washed = $washer->wash($svg);
+
+ $this->assertSame($washed, $exp, "SVG content");
+ }
}
--
Gitblit v1.9.1