[HippoCMS-scm] [Git][cms-community/hippo-services-htmlprocessor][feature/HHP-24] HHP-24 Add test for removal of data: attribute value on and

Thu, 11 Jan 2018 03:58:55 -0800

Arthur Bogaart pushed to branch feature/HHP-24 at cms-community / 
hippo-services-htmlprocessor


Commits:
5c15c0e9 by Arthur Bogaart at 2018-01-11T12:57:26+01:00
HHP-24 Add test for removal of data: attribute value on <a> and 
<object>

- - - - -


1 changed file:

- 
src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java


Changes:

=====================================
src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java
=====================================
--- 
a/src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java
+++ 
b/src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java
@@ -1,5 +1,5 @@
 /*
- *  Copyright 2017 Hippo B.V. (http://www.onehippo.com)
+ *  Copyright 2017-2018 Hippo B.V. (http://www.onehippo.com)
  *
  *  Licensed under the Apache License, Version 2.0 (the "License");
  *  you may not use this file except in compliance with the License.
@@ -33,6 +33,9 @@ import static org.junit.Assert.assertTrue;
 
 public class WhitelistHtmlFilterTest {
 
+    private static final String BASE64_ENCODED_XSS = 
"text/html;base64,PGlmcmFtZSBzcmM9ImphdmFzY3JpcHQ6Y29uZmlybSgxKSIgd2lkdGg9IjEwIiBoZWlnaHQ9IjEwIj48L2lmcmFtZT4=";
+    private static final String BASE64_ENCODED_IMG = 
"image/gif;base64,R0lGODlhAQABAIAAAAUEBAAAACwAAAAAAQABAAACAkQBADs=";
+
     private HtmlCleaner parser;
     private HtmlFilter filter;
 
@@ -81,7 +84,7 @@ public class WhitelistHtmlFilterTest {
     }
 
     @Test
-    public void testCleanNonWhiteListedTag() throws Exception {
+    public void testCleanNonWhiteListedTag() {
         TagNode result = filterHtml("<script>alert(\"xss\")</script>");
         // script element is not on whitelist
         assertNull(result.findElementByName("script", true));
@@ -111,13 +114,13 @@ public class WhitelistHtmlFilterTest {
     }
 
     @Test
-    public void testPlainText() throws Exception {
+    public void testPlainText() {
         final TagNode result = filterHtml("simple text");
         assertEquals("simple text", result.getText().toString());
     }
 
     @Test
-    public void testTextInElement() throws Exception {
+    public void testTextInElement() {
         addToWhitelist("p");
 
         final TagNode result = filterHtml("simple text <p>&nbsp;</p>");
@@ -128,7 +131,7 @@ public class WhitelistHtmlFilterTest {
     }
 
     @Test
-    public void testAttributesWhitelisted() throws Exception {
+    public void testAttributesWhitelisted() {
         addToWhitelist(Element.create("img", "src"), Element.create("div", 
"id", "class"));
 
         final TagNode result = filterHtml("<img src=\"img.gif\" 
class=\"img-class\"/>" +
@@ -145,7 +148,7 @@ public class WhitelistHtmlFilterTest {
     }
 
     @Test
-    public void testCleanNonWhiteListedAttributes() throws Exception {
+    public void testCleanNonWhiteListedAttributes() {
         addToWhitelist("p");
         TagNode result = filterHtml("<p foo=\"bar\">&nbsp;</p>");
 
@@ -158,7 +161,7 @@ public class WhitelistHtmlFilterTest {
     }
 
     @Test
-    public void testCleanJavascriptInAttributes() throws Exception {
+    public void testCleanJavascriptInAttributes() {
         addToWhitelist(Element.create("img", "src"));
         final TagNode result = filterHtml("<img src=\"jAvAsCrIpT:alert()\"");
 
@@ -170,7 +173,7 @@ public class WhitelistHtmlFilterTest {
 
     // Verify fix for CMS-7701 - See comment 
https://issues.onehippo.com/browse/CMS-7701?focusedCommentId=274200&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-274200
     @Test
-    public void testCleanEncodedJavascriptInAttributes() throws Exception {
+    public void testCleanEncodedJavascriptInAttributes() {
         addToWhitelist(Element.create("a", "href"));
         // href attribute contains encoded javascript
         final TagNode result = filterHtml("<a 
href=\"&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;" +
@@ -182,7 +185,7 @@ public class WhitelistHtmlFilterTest {
     }
 
     @Test
-    public void testCleanJavascriptProtocolArgumentTrue() throws Exception {
+    public void testCleanJavascriptProtocolArgumentTrue() {
         filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
         addToWhitelist(Element.create("a", "href", "onclick"));
         final TagNode result = filterHtml("<a href=\"#\" 
onclick=\"javascript:lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
@@ -194,7 +197,7 @@ public class WhitelistHtmlFilterTest {
     }
 
     @Test
-    public void testCleanJavascriptProtocolArgumentFalse() throws Exception {
+    public void testCleanJavascriptProtocolArgumentFalse() {
         filter = new WhitelistHtmlFilter(new ArrayList<>(), false);
         addToWhitelist(Element.create("a", "href", "onclick"));
         final TagNode result = filterHtml("<a href=\"#\" 
onclick=\"javascript:lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
@@ -205,6 +208,32 @@ public class WhitelistHtmlFilterTest {
         assertEquals("javascript:lancerPu('XXXcodepuXXX')", 
a.getAttributeByName("onclick"));
     }
 
+    @Test
+    public void testCleanDataAttributeValueOnAnchorAndObjectTags() {
+        filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
+        addToWhitelist(Element.create("a", "href"));
+        addToWhitelist(Element.create("object", "data"));
+        addToWhitelist(Element.create("img", "src"));
+
+        final TagNode result = filterHtml(
+            "<a href=\"data:" + BASE64_ENCODED_XSS + "\">Base64EncodedXSS</a>" 
+
+            "<object data=\"data:" + BASE64_ENCODED_XSS + "\"></object>" +
+            "<img src=\"data:" + BASE64_ENCODED_IMG + "\"/>"
+        );
+
+        final TagNode a = result.findElementByName("a", true);
+        assertNotNull(a);
+        assertEquals("", a.getAttributeByName("href"));
+
+        final TagNode object = result.findElementByName("object", true);
+        assertNotNull(object);
+        assertEquals("", object.getAttributeByName("data"));
+
+        final TagNode img = result.findElementByName("img", true);
+        assertNotNull(img);
+        assertEquals("data:" + BASE64_ENCODED_IMG, 
img.getAttributeByName("src"));
+    }
+
     private TagNode filterHtml(final String html) {
         return filter.apply(parser.clean(html));
     }
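Review bot: The new test exercises only a lowercase `data:` prefix, whereas the existing `testCleanJavascriptInAttributes` checks the scheme in mixed case (`jAvAsCrIpT:`); a parallel input such as `"<a href=\"DaTa:" + BASE64_ENCODED_XSS + "\">mixed</a>"` (and one with leading whitespace before the scheme) would show that the `data:` match is normalised the same way. The test also runs only with the `true` constructor argument, so a sibling case with `false`, as `testCleanJavascriptProtocolArgumentFalse` does, would pin whether `data:` stripping depends on that flag; I cannot tell from this hunk. The `BASE64_ENCODED_XSS` and `BASE64_ENCODED_IMG` constants added earlier in this diff carry no comment; a one-line note that the former is a base64 `text/html` payload whose decoded markup contains a `javascript:` URL, and that the latter appears to be a benign 1×1 GIF expected to survive on `<img src>`, would explain why the three assertions differ. The lone `+` on the line after the `<a href=…>` string looks like the string-concatenation operator wrapped by the mailer rather than a diff marker.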


