Você não pode selecionar mais de 25 tópicos Os tópicos devem começar com uma letra ou um número, podem incluir traços ('-') e podem ter até 35 caracteres.

101 linhas
3.2KB

  1. <?php
  2. require_once('common.php');
  3. function formatCode($string)
  4. {
  5. return
  6. str_replace(
  7. array("\t", '»', '\0(null)'),
  8. array('<strong>\t</strong>', '<span class="linebreak">»</span>', '<strong>\0</strong>'),
  9. escapeHTML(
  10. str_replace("\0", '\0(null)',
  11. wordwrap($string, 28, " »\n", true)
  12. )
  13. )
  14. );
  15. }
  16. ?><!DOCTYPE html
  17. PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
  18. "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
  19. <html>
  20. <head>
  21. <title>HTML Purifier XSS Attacks Smoketest</title>
  22. <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
  23. <style type="text/css">
  24. .scroll {overflow:auto; width:100%;}
  25. .even {background:#EAEAEA;}
  26. thead th {border-bottom:1px solid #000;}
  27. pre strong {color:#00C;}
  28. pre .linebreak {color:#AAA;font-weight:100;}
  29. </style>
  30. </head>
  31. <body>
  32. <h1>HTML Purifier XSS Attacks Smoketest</h1>
  33. <p>XSS attacks are from
  34. <a href="http://ha.ckers.org/xss.html">http://ha.ckers.org/xss.html</a>.</p>
  35. <p><strong>Caveats:</strong>
  36. <tt>Google.com</tt> has been programatically disallowed, but as you can
  37. see, there are ways of getting around that, so coverage in this area
  38. is not complete. Most XSS broadcasts its presence by spawning an alert dialogue.
  39. The displayed code is not strictly correct, as linebreaks have been forced for
  40. readability. Linewraps have been marked with <tt>»</tt>. Some tests are
  41. omitted for your convenience. Not all control characters are displayed.</p>
  42. <h2>Test</h2>
  43. <?php
  44. if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>');
  45. $xml = simplexml_load_file('xssAttacks.xml');
  46. // programatically disallow google.com for URI evasion tests
  47. // not complete
  48. $config = HTMLPurifier_Config::createDefault();
  49. $config->set('URI.HostBlacklist', array('google.com'));
  50. $purifier = new HTMLPurifier($config);
  51. ?>
  52. <table cellspacing="0" cellpadding="2">
  53. <thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
  54. <tbody>
  55. <?php
  56. $i = 0;
  57. foreach ($xml->attack as $attack) {
  58. $code = $attack->code;
  59. // custom code for null byte injection tests
  60. if (substr($code, 0, 7) == 'perl -e') {
  61. $code = substr($code, $i=strpos($code, '"')+1, strrpos($code, '"') - $i);
  62. $code = str_replace('\0', "\0", $code);
  63. }
  64. // disable vectors we cannot test in any meaningful way
  65. if ($code == 'See Below') continue; // event handlers, whitelist defeats
  66. if ($attack->name == 'OBJECT w/Flash 2') continue; // requires ActionScript
  67. if ($attack->name == 'IMG Embedded commands 2') continue; // is an HTTP response
  68. // custom code for US-ASCII, which couldn't be expressed in XML without encoding
  69. if ($attack->name == 'US-ASCII encoding') $code = urldecode($code);
  70. ?>
  71. <tr<?php if ($i++ % 2) {echo ' class="even"';} ?>>
  72. <td><?php echo escapeHTML($attack->name); ?></td>
  73. <td><pre><?php echo formatCode($code); ?></pre></td>
  74. <?php $pure_html = $purifier->purify($code); ?>
  75. <td><pre><?php echo formatCode($pure_html); ?></pre></td>
  76. <td><div class="scroll"><?php echo $pure_html ?></div></td>
  77. </tr>
  78. <?php
  79. }
  80. ?>
  81. </tbody>
  82. </table>
  83. </body>
  84. </html>
  85. <?php
  86. // vim: et sw=4 sts=4