1
0
mirror of https://github.com/erusev/parsedown.git synced 2023-08-10 21:13:06 +03:00

add xss tests

This commit is contained in:
Aidan Woods 2017-05-01 03:33:49 +01:00
parent 6bb66db00f
commit af04ac92e2
No known key found for this signature in database
GPG Key ID: 9A6A8EFAA512BBB9
7 changed files with 85 additions and 0 deletions

View File

@ -46,6 +46,8 @@ class ParsedownTest extends PHPUnit_Framework_TestCase
$expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup); $expectedMarkup = str_replace("\r\n", "\n", $expectedMarkup);
$expectedMarkup = str_replace("\r", "\n", $expectedMarkup); $expectedMarkup = str_replace("\r", "\n", $expectedMarkup);
$this->Parsedown->setMarkupEscaped($test === 'xss_text_encoding');
$actualMarkup = $this->Parsedown->text($markdown); $actualMarkup = $this->Parsedown->text($markdown);
$this->assertEquals($expectedMarkup, $actualMarkup); $this->assertEquals($expectedMarkup, $actualMarkup);

View File

@ -0,0 +1,6 @@
<p><a href="https://www.example.com&quot;">xss</a></p>
<p><img src="https://www.example.com&quot;" alt="xss" /></p>
<p><a href="https://www.example.com&#039;">xss</a></p>
<p><img src="https://www.example.com&#039;" alt="xss" /></p>
<p><img src="https://www.example.com" alt="xss&quot;" /></p>
<p><img src="https://www.example.com" alt="xss&#039;" /></p>

View File

@ -0,0 +1,11 @@
[xss](https://www.example.com")
![xss](https://www.example.com")
[xss](https://www.example.com')
![xss](https://www.example.com')
![xss"](https://www.example.com)
![xss'](https://www.example.com)

View File

@ -0,0 +1,16 @@
<p><a>xss</a></p>
<p><a>xss</a></p>
<p><a>xss</a></p>
<p><a>xss</a></p>
<p><img alt="xss" /></p>
<p><img alt="xss" /></p>
<p><img alt="xss" /></p>
<p><img alt="xss" /></p>
<p><a>xss</a></p>
<p><a>xss</a></p>
<p><a>xss</a></p>
<p><a>xss</a></p>
<p><img alt="xss" /></p>
<p><img alt="xss" /></p>
<p><img alt="xss" /></p>
<p><img alt="xss" /></p>

31
test/data/xss_bad_url.md Normal file
View File

@ -0,0 +1,31 @@
[xss](javascript:alert(1))
[xss]( javascript:alert(1))
[xss](javascript://alert(1))
[xss](javascript&colon;alert(1))
![xss](javascript:alert(1))
![xss]( javascript:alert(1))
![xss](javascript://alert(1))
![xss](javascript&colon;alert(1))
[xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
[xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
[xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
[xss](data&colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
![xss](data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
![xss]( data:text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
![xss](data://text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)
![xss](data&colon;text/html;base64,PHNjcmlwdD5hbGVydCgxKTwvc2NyaXB0Pg==)

View File

@ -0,0 +1,7 @@
<p>&lt;script&gt;alert(1)&lt;/script&gt;</p>
<p>&lt;script&gt;</p>
<p>alert(1)</p>
<p>&lt;/script&gt;</p>
<p>&lt;script&gt;
alert(1)
&lt;/script&gt;</p>

View File

@ -0,0 +1,12 @@
<script>alert(1)</script>
<script>
alert(1)
</script>
<script>
alert(1)
</script>