<?php |
namespace devtoolboxuk\soteria; |
use PHPUnit\Framework\TestCase; |
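class XssTest extends TestCase
{
    /**
     * Service under test. Created lazily by service() instead of in an
     * overridden TestCase constructor: the constructor signature is not a
     * stable PHPUnit API (it differs between major versions), whereas a
     * private accessor works on every version.
     *
     * @var SoteriaService|null
     */
    private $security;

    /**
     * Returns the shared SoteriaService, creating it on first use.
     *
     * @return SoteriaService
     */
    private function service()
    {
        if ($this->security === null) {
            $this->security = new SoteriaService();
        }

        return $this->security;
    }

    /**
     * Runs one value through the XSS filter and returns the cleaned value.
     * Every assertion in testFromJsXss() originally called
     * $this->security->xss(true)->clean(...) itself; this keeps exactly that
     * call sequence (xss(true) is invoked again for each input) while
     * removing the repetition.
     *
     * @param mixed $input value handed to clean(); non-strings are passed
     *                     through by the filter (see testFromJsXss())
     *
     * @return mixed whatever clean() returns
     */
    private function clean($input)
    {
        return $this->service()->xss(true)->clean($input);
    }

    /**
     * isXssFound() must report, per clean() call on one filter instance,
     * whether that input was treated as malicious. A single xss(true)
     * instance is reused for the whole table, and the expected flags go
     * true -> false between neighbouring rows, so this test also relies on
     * the flag describing the *latest* clean() call rather than latching.
     */
    public function testIsXssFoundArray()
    {
        $xss = $this->service()->xss(true);

        foreach ($this->_fixtures() as $index => $row) {
            list($input, , $expectedFound) = $row;

            $xss->clean($input);

            // Expected value first, and name the payload: a bare
            // "false !== true" out of a 17-row loop is otherwise untraceable.
            $this->assertSame(
                $expectedFound,
                $xss->isXssFound(),
                'isXssFound() for payload #' . $index . ': ' . $input
            );
        }
    }

    /**
     * Shared payload table for testIsXssFoundArray() and testArray().
     *
     * Each row is [input, expected clean() output, expected isXssFound()].
     * Keeping the three values side by side makes it obvious what the filter
     * is expected to strip and when it is expected to raise the flag.
     *
     * @return array<int, array{0: string, 1: string, 2: bool}>
     */
    private function _fixtures()
    {
        return [
            [
                '<a href="http://www.chaos.org/">www.chaos.org</a>',
                '<a href="http://www.chaos.org/">www.chaos.org</a>',
                false,
            ],
            [
                '<a name="X">Short \'a name\' tag</a>',
                '<a name="X">Short \'a name\' tag</a>',
                false,
            ],
            [
                '<td colspan="3" rowspan="5">Foo</td>',
                '<td colspan="3" rowspan="5">Foo</td>',
                false,
            ],
            [
                '<td colspan=3 rowspan=5>Foo</td>',
                '<td colspan=3 rowspan=5>Foo</td>',
                false,
            ],
            [
                '<td colspan=\'3\' rowspan=\'5\'>Foo</td>',
                '<td colspan=\'3\' rowspan=\'5\'>Foo</td>',
                false,
            ],
            // The whole style attribute is dropped (and flagged), leaving the
            // double space where it stood.
            [
                '<td rowspan="2" class="mugwump" style="background-color: rgb(255, 204 204);">Bar</td>',
                '<td rowspan="2" class="mugwump" >Bar</td>',
                true,
            ],
            [
                '<td nowrap>Very Long String running to 1000 characters...</td>',
                '<td nowrap>Very Long String running to 1000 characters...</td>',
                false,
            ],
            [
                '<td bgcolor="#00ff00" nowrap>Very Long String with a blue background</td>',
                '<td bgcolor="#00ff00" nowrap>Very Long String with a blue background</td>',
                false,
            ],
            // Unknown URL schemes are left alone and not flagged.
            [
                '<a href="proto1://www.foo.com">New protocol test</a>',
                '<a href="proto1://www.foo.com">New protocol test</a>',
                false,
            ],
            [
                '<img src="proto2://www.foo.com" />',
                '<img src="proto2://www.foo.com" />',
                false,
            ],
            // Repeated "javascript:" prefixes are removed in full, not just once.
            [
                '<a href="javascript:javascript:javascript:javascript:javascript:alert(\'Boo!\');">bleep</a>',
                '<a href="">bleep</a>',
                true,
            ],
            [
                '<a href="proto4://abc.xyz.foo.com">Another new protocol</a>',
                '<a href="proto4://abc.xyz.foo.com">Another new protocol</a>',
                false,
            ],
            [
                '<a href="proto9://foo.foo.foo.foo.foo.org/">Test of "proto9"</a>',
                '<a href="proto9://foo.foo.foo.foo.foo.org/">Test of "proto9"</a>',
                false,
            ],
            [
                '<td width="75">Bar!</td>',
                '<td width="75">Bar!</td>',
                false,
            ],
            [
                '<td width="200">Long Cell</td>',
                '<td width="200">Long Cell</td>',
                false,
            ],
            // The filter percent-decodes the query string: the output is the
            // decoded payload rather than the encoded URL that went in. The
            // flag is raised, but the result must not be reused as a URL.
            [
                'search.php?q=%22%3Balert(%22XSS%22)%3B&n=1093&i=410',
                'search.php?q=";alert("XSS");&n=1093&i=410',
                true,
            ],
            // <script> tags and the curly quotes are removed; the surrounding
            // attribute/form fragments are kept.
            [
                'http://localhost/text.php/"><script>alert(“Gehackt!”);</script></form><form action="/...',
                'http://localhost/text.php/">alert(Gehackt!);</form><form action="/...',
                true,
            ],
        ];
    }

    /**
     * Extracts one column of _fixtures() as a plain list (same order).
     *
     * @param int $index 0 = input, 1 = expected output, 2 = expected flag
     *
     * @return array
     */
    private function _column($index)
    {
        return array_map(function ($row) use ($index) {
            return $row[$index];
        }, $this->_fixtures());
    }

    /**
     * clean() accepts an array and must filter every element, returning a
     * list in the same order with the same results as the per-string cases.
     */
    public function testArray()
    {
        $xss = $this->service()->xss(true);

        // NOTE(review): an isCompatible() skip for "arrays not supported on
        // PHP 5.4" used to guard this; restore it if that platform is still
        // a target.
        $this->assertSame($this->_column(1), $xss->clean($this->_column(0)));
    }

    /**
     * Cases ported from voku/anti-xss, which took them from the js-xss suite
     * (hence the method name and the section headings, translated from
     * Chinese below). The expected values are what *this* library produces,
     * not what js-xss produces, so several headings describe the category of
     * input rather than the asserted outcome (e.g. "filter all tags" is
     * followed by <hr> passing through unchanged).
     */
    public function testFromJsXss()
    {
        // Tolerate odd inputs: empty string, null and an int come back as
        // given, so callers must not assume clean() always returns a string.
        $this->assertSame('', $this->clean(''));
        $this->assertNull($this->clean(null));
        $this->assertSame(123, $this->clean(123));
        $this->assertSame('{a: 1111}', $this->clean('{a: 1111}'));

        // Strip invisible characters.
        // NOTE(review): PHP only understands "\u{XXXX}" (with braces) in
        // double-quoted strings; "\u0000" is the literal characters
        // backslash, u, 0, 0, 0, 0. This case therefore never feeds real
        // control characters to clean(). Rewrite it with "\u{0}", "\u{1}", ...
        // once the intended result for NUL/SOH/STX/ETX is decided.
        $this->assertSame("a\u0000\u0001\u0002\u0003\r\n b", $this->clean("a\u0000\u0001\u0002\u0003\r\n b"));

        // Tags outside the whitelist (all kept as-is here).
        $this->assertSame('<b>abcd</b>', $this->clean('<b>abcd</b>'));
        $this->assertSame('<o>abcd</o>', $this->clean('<o>abcd</o>'));
        $this->assertSame('<b>abcd</o>', $this->clean('<b>abcd</o>'));
        $this->assertSame('<b><o>abcd</b></o>', $this->clean('<b><o>abcd</b></o>'));
        $this->assertSame('<hr>', $this->clean('<hr>'));
        $this->assertSame('<xss>', $this->clean('<xss>'));
        $this->assertSame('<xss o="x">', $this->clean('<xss o="x">'));
        $this->assertSame('<a><b>c</b></a>', $this->clean('<a><b>c</b></a>'));
        $this->assertSame('<a><c>b</c></a>', $this->clean('<a><c>b</c></a>'));

        // "<" and ">" that do not form a tag.
        $this->assertSame('<>>', $this->clean('<>>'));
        $this->assertSame("''", $this->clean("'<scri' + 'pt>'"));
        $this->assertSame("''", $this->clean("'<script' + '>'"));
        $this->assertSame('<<a>b>', $this->clean('<<a>b>'));
        $this->assertSame('<<<a>>b</a><x>', $this->clean('<<<a>>b</a><x>'));

        // Attributes outside the whitelist.
        $this->assertSame('<a oo="1" xx="2" title="3">yy</a>', $this->clean('<a oo="1" xx="2" title="3">yy</a>'));
        $this->assertSame('<a >pp</a>', $this->clean('<a title xx oo>pp</a>'));
        $this->assertSame('<a >pp</a>', $this->clean('<a title "">pp</a>'));
        $this->assertSame('<a t="">', $this->clean('<a t="">'));

        // Special characters inside attribute values.
        $this->assertSame('<a >>">', $this->clean('<a title="\'<<>>">'));
        $this->assertSame('<a title="">', $this->clean('<a title=""">'));
        $this->assertSame('<a title="oo">', $this->clean('<a h=title="oo">'));
        $this->assertSame('<a title="oo">', $this->clean('<a h= title="oo">'));
        $this->assertSame('<a title="alert(/xss/)">', $this->clean('<a title="javascript:alert(/xss/)">'));

        // Single-quoted attribute values (js-xss rewrites them to double
        // quotes; this library keeps them as written).
        $this->assertSame('<a title=\'abcd\'>', $this->clean('<a title=\'abcd\'>'));
        $this->assertSame('<a title=\'"\'>', $this->clean('<a title=\'"\'>'));

        // Unquoted attribute values are dropped entirely.
        $this->assertSame('<a >', $this->clean('<a title=home>'));
        $this->assertSame('<a >', $this->clean('<a title=abc("d")>'));
        $this->assertSame('<a >', $this->clean('<a title=abc(\'d\')>'));

        // Self-closing tags.
        $this->assertSame('<img />', $this->clean('<img src/>'));
        $this->assertSame('<img />', $this->clean('<img src />'));
        $this->assertSame('<img />', $this->clean('<img src//>'));
        $this->assertSame('<br />', $this->clean('<br />'));
        $this->assertSame('<br/>', $this->clean('<br/>'));

        // Malformed attribute syntax.
        $this->assertSame('<a target = "_blank" title ="bbb">', $this->clean('<a target = "_blank" title ="bbb">'));
        $this->assertSame('<a target = \'_blank\' title =\'bbb\'>', $this->clean("<a target = '_blank' title ='bbb'>"));
        $this->assertSame('<a >', $this->clean('<a target=_blank title=bbb>'));
        $this->assertSame('<a target = "_blank" title = "bbb">', $this->clean('<a target = "_blank" title = title = "bbb">'));
        $this->assertSame('<a target = " _blank " title = "bbb">', $this->clean('<a target = " _blank " title = title = "bbb">'));
        $this->assertSame('<a title = "bbb">', $this->clean('<a target = _blank title = title = "bbb">'));
        // 0x42 is an int, so it concatenates as the decimal string "66": the
        // input is '<a target = 66_blank66 title = title = "bbb">'.
        $this->assertSame('<a title = "bbb">', $this->clean('<a target = ' . 0x42 . '_blank' . 0x42 . ' title = title = "bbb">'));
        $this->assertSame('<img title="xxx">', $this->clean('<img width = 100 height =200 title="xxx">'));
        $this->assertSame('<img >', $this->clean('<img width = 100 height =200 title=xxx>'));
        $this->assertSame('<img >', $this->clean('<img width = 100 height =200 title= xxx>'));
        $this->assertSame('<img title= "xxx">', $this->clean('<img width = 100 height =200 title= "xxx">'));
        $this->assertSame('<img title= \'xxx\'>', $this->clean('<img width = 100 height =200 title= \'xxx\'>'));
        $this->assertSame('<img title = \'xxx\'>', $this->clean('<img width = 100 height =200 title = \'xxx\'>'));
        $this->assertSame('<img title= "xxx" alt="yyy">', $this->clean('<img width = 100 height =200 title= "xxx" no=yes alt="yyy">'));
        $this->assertSame('<img title= "xxx" alt="\'yyy\'">', $this->clean('<img width = 100 height =200 title= "xxx" no=yes alt="\'yyy\'">'));

        // "Filter all tags" (js-xss heading; here both pass through).
        $this->assertSame('<a title="xx">bb</a>', $this->clean('<a title="xx">bb</a>'));
        $this->assertSame('<hr>', $this->clean('<hr>'));

        // "Extra whitelisted tags and attributes" (js-xss heading), followed
        // by classic OWASP cheat-sheet vectors.
        $this->assertSame('<ooxx yy="ok" cc="no">uu</ooxx>', $this->clean('<ooxx yy="ok" cc="no">uu</ooxx>'));
        $this->assertSame('>">\'>alert(String.fromCharCode(88,83,83))', $this->clean('></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'));
        $this->assertSame(';!--"<XSS>=', $this->clean(';!--"<XSS>=&{()}'));
        $this->assertSame('', $this->clean('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'));
        // A quoted javascript: URL is emptied (and the attribute name is
        // lower-cased); an unquoted one is dropped altogether.
        $this->assertSame('<IMG src="">', $this->clean('<IMG SRC="javascript:alert(\'XSS\');">'));
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=javascript:alert(\'XSS\')>'));
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'));
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'));
        $this->assertSame('<IMG """><>>', $this->clean('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'));
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'));
        // Decimal, zero-padded decimal and hex character references spelling
        // "javascript:alert('XSS')" — browsers decode these in attributes.
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>'));
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>'));
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>'));
        // Whitespace / control characters spliced into the scheme. The input
        // strings are single-quoted, so "\n" and "\0" below are the literal
        // two-character sequences, not a newline or NUL byte.
        $this->assertSame('<IMG src="">', $this->clean('<IMG SRC="jav ascript:alert(\'XSS\');">'));
        $this->assertSame('<IMG src="">', $this->clean('<IMG SRC="jav	ascript:alert(\'XSS\');">'));
        $this->assertSame('<IMG src="">', $this->clean('<IMG SRC="jav\nascript:alert(\'XSS\');">'));
        $this->assertSame('<IMG >', $this->clean('<IMG SRC=java\0script:alert(\"XSS\")>'));
        $this->assertSame('<IMG src="">', $this->clean('<IMG SRC="  javascript:alert(\'XSS\');">'));
        $this->assertSame('', $this->clean('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'));
        // Only the "onload" token is removed; the punctuation soup stays.
        $this->assertSame('<BODY !#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>', $this->clean('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'));
        $this->assertSame('<BODY !#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>', $this->clean('<BODY onload !#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'));
        $this->assertSame('<alert("XSS");//<', $this->clean('<<SCRIPT>alert("XSS");//<</SCRIPT>'));
        $this->assertSame('', $this->clean('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >'));
        // NOTE(review): the next three are OWASP's "half-open" vectors, and
        // they are asserted to pass through *unchanged*: the filter leaves
        // the unterminated <SCRIPT SRC=...> / <IMG ... / <iframe src=... in
        // place. A consumer that concatenates this output in front of any
        // later ">" would complete the tag, so clean() output still needs
        // context-appropriate escaping before it reaches a page.
        $this->assertSame('<SCRIPT SRC=//ha.ckers.org/.j', $this->clean('<SCRIPT SRC=//ha.ckers.org/.j'));
        $this->assertSame('<IMG src=""', $this->clean('<IMG SRC="javascript:alert(\'XSS\')"'));
        $this->assertSame('<iframe src=http://ha.ckers.org/scriptlet.html <', $this->clean('<iframe src=http://ha.ckers.org/scriptlet.html <'));

        // Filter "javascript:" inside style / background URLs.
        $this->assertSame('<a >', $this->clean('<a style="url(\'javascript:alert(1)\')">'));
        $this->assertSame('<td background="url(\'alert(1)\')">', $this->clean('<td background="url(\'javascript:alert(1)\')">'));

        // Filter style: CSS expression() is dropped with the whole attribute.
        $this->assertSame('<DIV >', $this->clean('<DIV STYLE="width: \nexpression(alert(1));">'));
        $this->assertSame('<DIV >', $this->clean('<DIV STYLE="width: \n expressionexpression((alert(1));">'));

        // Abnormal URLs in style.
        $this->assertSame('<DIV >', $this->clean('<DIV STYLE="background:\n url (javascript:ooxx);">'));
        $this->assertSame('<DIV >', $this->clean('<DIV STYLE="background:url (javascript:ooxx);">'));

        // "Normal URL" (js-xss heading) — the style attribute is still dropped.
        $this->assertSame('<DIV >', $this->clean('<DIV STYLE="background: url (ooxx);">'));
        // Legacy script schemes: the scheme is stripped and the remainder is
        // kept as a (now relative) URL.
        $this->assertSame('<IMG src="">', $this->clean('<IMG SRC=\'vbscript:msgbox("XSS")\'>'));
        $this->assertSame('<IMG SRC="[code]">', $this->clean('<IMG SRC="livescript:[code]">'));
        $this->assertSame('<IMG SRC="[code]">', $this->clean('<IMG SRC="mocha:[code]">'));
        $this->assertSame('<a href="">', $this->clean('<a href="javas/**/cript:alert(\'XSS\');">'));
        $this->assertSame('<a href="test">', $this->clean('<a href="javascript:test">'));
        // Benign hrefs that merely contain the word or a safe scheme.
        $this->assertSame('<a href="/javascript/a">', $this->clean('<a href="/javascript/a">'));
        $this->assertSame('<a href="/javascript/a">', $this->clean('<a href="/javascript/a">'));
        $this->assertSame('<a href="http://aa.com">', $this->clean('<a href="http://aa.com">'));
        $this->assertSame('<a href="https://aa.com">', $this->clean('<a href="https://aa.com">'));
        $this->assertSame('<a href="mailto:[email protected]">', $this->clean('<a href="mailto:[email protected]">'));
        $this->assertSame('<a href="#hello">', $this->clean('<a href="#hello">'));
        $this->assertSame('<a href="other">', $this->clean('<a href="other">'));

        // Known gap carried over from js-xss ("not sure how to handle this
        // one yet"): the Latin-1 ¼ / ¾ disguise of <script> is not asserted.
        // $this->assertSame('', $this->clean('¼script¾alert(¢XSS¢)¼/script¾'));

        // Script inside an IE conditional comment: the <SCRIPT> tags are
        // stripped but the comment wrapper and the script body text remain.
        $this->assertSame('<!--[if gte IE 4]>alert(\'XSS\');<![endif]--> END', $this->clean('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]--> END'));
        $this->assertSame('<!--[if gte IE 4]>alert(\'XSS\');<![endif]--> END', $this->clean('<!--[if gte IE 4]><SCRIPT >alert(\'XSS\');</SCRIPT><![endif]--> END'));

        // HTML5 named entities &colon; and &NewLine; are decoded before the
        // scheme check; the forms without the trailing semicolon are not
        // entities and pass through untouched.
        $this->assertSame('<a href="">', $this->clean('<a href="javascript&colon;alert(/xss/)">'));
        $this->assertSame('<a href="">', $this->clean('<a href="javascript&colonalert(/xss/)">'));
        $this->assertSame('<a href="a&NewLine;b">', $this->clean('<a href="a&NewLine;b">'));
        $this->assertSame('<a href="a&NewLineb">', $this->clean('<a href="a&NewLineb">'));
        $this->assertSame('<a href="">', $this->clean('<a href="javasc&NewLine;ript:alert(1)">'));

        // data: URI filtering. Note the last case: only the
        // "data:text/html;base64," prefix is removed and the base64 body is
        // kept as a (now relative) URL.
        $this->assertSame('<a href="">', $this->clean('<a href="data:">'));
        $this->assertSame('<a href="">', $this->clean('<a href="d a t a : ">'));
        $this->assertSame('<a href="">', $this->clean('<a href="data: html/text;">'));
        $this->assertSame('<a href="">', $this->clean('<a href="data:html/text;">'));
        $this->assertSame('<a href="">', $this->clean('<a href="data:html /text;">'));
        $this->assertSame('<a href="">', $this->clean('<a href="data: image/text;">'));
        $this->assertSame('<img src="">', $this->clean('<img src="data: aaa/text;">'));
        $this->assertSame('<img src="">', $this->clean('<img src="data:image/png; base64; ofdkofiodiofl">'));
        $this->assertSame('<img src="PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', $this->clean('<img src="data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">'));

        // HTML comments are preserved, including an unterminated one.
        $this->assertSame('<!-- -->', $this->clean('<!-- -->'));
        $this->assertSame('<!-- a -->', $this->clean('<!-- a -->'));
        $this->assertSame('<!--sa -->ss', $this->clean('<!--sa -->ss'));
        $this->assertSame('<!-- ', $this->clean('<!-- '));
    }
}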
Adding explicit visibility (`private`, `protected`, or `public`) is generally recommended to communicate to other developers how, and from where, this method is intended to be used.