You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

58 lines
1.5KB

  1. <?php
  2. require_once 'common.php';
  3. echo '<?xml version="1.0" encoding="UTF-8" ?>';
  4. ?><!DOCTYPE html
  5. PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  6. "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  7. <html>
  8. <head>
  9. <title>HTML Purifier Variable Width Attack Smoketest</title>
  10. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  11. </head>
  12. <body>
  13. <h1>HTML Purifier Variable Width Attack Smoketest</h1>
  14. <p>For more information, see
  15. <a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
  16. original advisory.</a> This particular exploit code appears only to work
  17. in Internet Explorer, if it works at all.</p>
  18. <h2>Test</h2>
  19. <?php
  20. $purifier = new HTMLPurifier();
  21. ?>
  22. <table>
  23. <thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
  24. <tbody>
  25. <?php
  26. for ($i = 0; $i < 256; $i++) {
  27. $c = chr($i);
  28. $html = '<img src="" alt="X' . $c . '"';
  29. $html .= '>A"'; // in our out the attribute? ;-)
  30. $html .= "onerror=alert('$i')>O";
  31. $pure_html = $purifier->purify($html);
  32. ?>
  33. <tr>
  34. <td><?php echo $i; ?></td>
  35. <td style="font-size:8pt;"><?php echo escapeHTML($html); ?></td>
  36. <td style="font-size:8pt;"><?php echo escapeHTML($pure_html); ?></td>
  37. <td><?php echo $pure_html; ?></td>
  38. </tr>
  39. <?php } ?>
  40. </tbody>
  41. </table>
  42. <h2>Analysis</h2>
  43. <p>By making sure that UTF-8 is well formed and non-SGML codepoints are
  44. removed, as well as escaping quotes outside of tags, this is a non-threat.</p>
  45. </body>
  46. </html>
  47. <?php
  48. // vim: et sw=4 sts=4