From acf633c73bc8df9a5036bc52d7568f4213ab73c7 Mon Sep 17 00:00:00 2001 From: Aleksander Machniak <alec@alec.pl> Date: Fri, 06 May 2016 02:32:01 -0400 Subject: [PATCH] Fix XSS issue in href attribute on area tag (#5240, #5241) --- tests/Framework/Washtml.php | 86 +++++++++++++++++++++++++++++++++++++++++-- 1 files changed, 82 insertions(+), 4 deletions(-) diff --git a/tests/Framework/Washtml.php b/tests/Framework/Washtml.php index f041504..fc7a61e 100644 --- a/tests/Framework/Washtml.php +++ b/tests/Framework/Washtml.php @@ -38,6 +38,23 @@ } /** + * Test XSS in area's href (#5240) + */ + function test_href_area() + { + $html = '<p><area href="data:text/html,<script>alert(document.cookie)</script>">' + . '<area href="vbscript:alert(document.cookie)">Internet Explorer</p>' + . '<area href="javascript:alert(document.domain)" shape=default>'; + + $washer = new rcube_washtml; + $washed = $washer->wash($html); + + $this->assertNotRegExp('/data:text/', $washed, "data:text/html in area href"); + $this->assertNotRegExp('/vbscript:/', $washed, "vbscript: in area href"); + $this->assertNotRegExp('/javascript:/', $washed, "javascript: in area href"); + } + + /** * Test handling HTML comments */ function test_comments() @@ -47,7 +64,7 @@ $html = "<!--[if gte mso 10]><p>p1</p><!--><p>p2</p>"; $washed = $washer->wash($html); - $this->assertEquals('<!-- node type 8 --><!-- html ignored --><!-- body ignored --><p>p2</p>', $washed, "HTML conditional comments (#1489004)"); + $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>p2</p>', $washed, "HTML conditional comments (#1489004)"); $html = "<!--TestCommentInvalid><p>test</p>"; $washed = $washer->wash($html); @@ -57,12 +74,12 @@ $html = "<p>para1</p><!-- comment --><p>para2</p>"; $washed = $washer->wash($html); - $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><!-- node type 8 --><p>para2</p>', $washed, "HTML comments - simple comment"); + $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><p>para2</p>', $washed, "HTML comments - simple comment"); $html = "<p>para1</p><!-- <hr> comment --><p>para2</p>"; $washed = $washer->wash($html); - $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><!-- node type 8 --><p>para2</p>', $washed, "HTML comments - tags inside (#1489904)"); + $this->assertEquals('<!-- html ignored --><!-- body ignored --><p>para1</p><p>para2</p>', $washed, "HTML comments - tags inside (#1489904)"); } /** @@ -159,7 +176,7 @@ $washer = new rcube_washtml; $washed = $washer->wash($html); - $this->assertRegExp('|style=\'font-family: "新細明體","serif"; color: red\'|', $washed, "Unicode chars in style attribute - quoted (#1489697)"); + $this->assertRegExp('|style="font-family: \"新細明體\",\"serif\"; color: red"|', $washed, "Unicode chars in style attribute - quoted (#1489697)"); $html = "<html><meta http-equiv=\"Content-Type\" content=\"text/html; charset=utf-8\" /> <body><span style='font-family:新細明體;color:red'>test</span></body></html>"; @@ -183,4 +200,65 @@ $this->assertRegExp('|line-height: 1;|', $washed, "Untouched line-height (#1489917)"); $this->assertRegExp('|; height: 10px|', $washed, "Fixed height units"); } + + /** + * Test invalid style cleanup - XSS prevention (#1490227) + */ + function test_style_wash_xss() + { + $html = "<img style=aaa:'\"/onerror=alert(1)//'>"; + $exp = "<img style=\"aaa: '"/onerror=alert(1)//'\" />"; + + $washer = new rcube_washtml; + $washed = $washer->wash($html); + + $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)"); + + $html = "<img style=aaa:'"/onerror=alert(1)//'>"; + $exp = "<img style=\"aaa: '"/onerror=alert(1)//'\" />"; + + $washer = new rcube_washtml; + $washed = $washer->wash($html); + + $this->assertTrue(strpos($washed, $exp) !== false, "Style quotes XSS issue (#1490227)"); + } + + /** + * Test SVG cleanup + */ + function test_style_wash_svg() + { + $svg = '<?xml version="1.0" standalone="no"?> +<!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> +<svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:cc="http://creativecommons.org/ns#" viewBox="0 0 100 100"> + <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" onmouseover="alert(1)" /> + <text x="50" y="68" font-size="48" fill="#FFF" text-anchor="middle"><![CDATA[410]]></text> + <script type="text/javascript"> + alert(document.cookie); + </script> + <text x="10" y="25" >An example text</text> + <a xlink:href="http://www.w.pl"><rect width="100%" height="100%" /></a> + <foreignObject xlink:href="data:text/xml,%3Cscript xmlns=\'http://www.w3.org/1999/xhtml\'%3Ealert(1)%3C/script%3E"/> + <set attributeName="onmouseover" to="alert(1)"/> + <animate attributeName="onunload" to="alert(1)"/> + <animate attributeName="xlink:href" begin="0" from="javascript:alert(1)" /> +</svg>'; + + $exp = '<svg xmlns:cc="http://creativecommons.org/ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:xlink="http://www.w3.org/1999/xlink" xmlns="http://www.w3.org/2000/svg" version="1.1" baseProfile="full" viewBox="0 0 100 100"> + <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400" x-washed="onmouseover" /> + <text x="50" y="68" font-size="48" fill="#FFF" text-anchor="middle">410</text> + <!-- script not allowed --> + <text x="10" y="25">An example text</text> + <a xlink:href="http://www.w.pl"><rect width="100%" height="100%" /></a> + <!-- foreignObject ignored --> + <set attributeName="onmouseover" x-washed="to" /> + <animate attributeName="onunload" x-washed="to" /> + <animate attributeName="xlink:href" begin="0" x-washed="from" /> +</svg>'; + + $washer = new rcube_washtml; + $washed = $washer->wash($svg); + + $this->assertSame($washed, $exp, "SVG content"); + } } -- Gitblit v1.9.1