Arthur Bogaart pushed to branch feature/HHP-24 at cms-community / hippo-services-htmlprocessor
Commits:
5c15c0e9 by Arthur Bogaart at 2018-01-11T12:57:26+01:00
HHP-24 Add test for removal of data: attribute value on <a> and <object>
- - - - -
1 changed file:
- src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java
Changes:
=====================================
src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java
=====================================
--- a/src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java
+++ b/src/test/java/org/onehippo/cms7/services/htmlprocessor/filter/WhitelistHtmlFilterTest.java
@@ -1,5 +1,5 @@
 /*
- * Copyright 2017 Hippo B.V. (http://www.onehippo.com)
+ * Copyright 2017-2018 Hippo B.V. (http://www.onehippo.com)
  *
  * Licensed under the Apache License, Version 2.0 (the "License");
  * you may not use this file except in compliance with the License.
@@ -33,6 +33,9 @@ import static org.junit.Assert.assertTrue;
 
 public class WhitelistHtmlFilterTest {
 
+ private static final String BASE64_ENCODED_XSS = "text/html;base64,PGlmcmFtZSBzcmM9ImphdmFzY3JpcHQ6Y29uZmlybSgxKSIgd2lkdGg9IjEwIiBoZWlnaHQ9IjEwIj48L2lmcmFtZT4=";
+ private static final String BASE64_ENCODED_IMG = "image/gif;base64,R0lGODlhAQABAIAAAAUEBAAAACwAAAAAAQABAAACAkQBADs=";
+
 private HtmlCleaner parser;
 private HtmlFilter filter;
 
@@ -81,7 +84,7 @@ public class WhitelistHtmlFilterTest {
 }
 
 @Test
- public void testCleanNonWhiteListedTag() throws Exception {
+ public void testCleanNonWhiteListedTag() {
 TagNode result = filterHtml("<script>alert(\"xss\")</script>");
 // script element is not on whitelist
 assertNull(result.findElementByName("script", true));
@@ -111,13 +114,13 @@ public class WhitelistHtmlFilterTest {
 }
 
 @Test
- public void testPlainText() throws Exception {
+ public void testPlainText() {
 final TagNode result = filterHtml("simple text");
 assertEquals("simple text", result.getText().toString());
 }
 
 @Test
- public void testTextInElement() throws Exception {
+ public void testTextInElement() {
 addToWhitelist("p");
 
 final TagNode result = filterHtml("simple text <p> </p>");
@@ -128,7 +131,7 @@ public class WhitelistHtmlFilterTest {
 }
 
 @Test
- public void testAttributesWhitelisted() throws Exception {
+ public void testAttributesWhitelisted() {
 addToWhitelist(Element.create("img", "src"), Element.create("div", "id", "class"));
 
 final TagNode result = filterHtml("<img src=\"img.gif\" class=\"img-class\"/>" +
@@ -145,7 +148,7 @@ public class WhitelistHtmlFilterTest {
 }
 
 @Test
- public void testCleanNonWhiteListedAttributes() throws Exception {
+ public void testCleanNonWhiteListedAttributes() {
 addToWhitelist("p");
 
 TagNode result = filterHtml("<p foo=\"bar\"> </p>");
@@ -158,7 +161,7 @@ public class WhitelistHtmlFilterTest {
 }
 
 @Test
- public void testCleanJavascriptInAttributes() throws Exception {
+ public void testCleanJavascriptInAttributes() {
 addToWhitelist(Element.create("img", "src"));
 
 final TagNode result = filterHtml("<img src=\"jAvAsCrIpT:alert()\"");
@@ -170,7 +173,7 @@ public class WhitelistHtmlFilterTest {
 
 // Verify fix for CMS-7701 - See comment https://issues.onehippo.com/browse/CMS-7701?focusedCommentId=274200&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-274200
 @Test
- public void testCleanEncodedJavascriptInAttributes() throws Exception {
+ public void testCleanEncodedJavascriptInAttributes() {
 addToWhitelist(Element.create("a", "href"));
 // href attribute contains encoded javascript
 final TagNode result = filterHtml("<a href=\"javascript" +
@@ -182,7 +185,7 @@ public class WhitelistHtmlFilterTest {
 }
 
 @Test
- public void testCleanJavascriptProtocolArgumentTrue() throws Exception {
+ public void testCleanJavascriptProtocolArgumentTrue() {
 filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
 addToWhitelist(Element.create("a", "href", "onclick"));
 final TagNode result = filterHtml("<a href=\"#\" onclick=\"javascript:lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
@@ -194,7 +197,7 @@ public class WhitelistHtmlFilterTest {
 }
 
 @Test
- public void testCleanJavascriptProtocolArgumentFalse() throws Exception {
+ public void testCleanJavascriptProtocolArgumentFalse() {
 filter = new WhitelistHtmlFilter(new ArrayList<>(), false);
 addToWhitelist(Element.create("a", "href", "onclick"));
 final TagNode result = filterHtml("<a href=\"#\" onclick=\"javascript:lancerPu('XXXcodepuXXX')\">XXXTexteXXX</a>");
@@ -205,6 +208,32 @@ public class WhitelistHtmlFilterTest {
 assertEquals("javascript:lancerPu('XXXcodepuXXX')", a.getAttributeByName("onclick"));
 }
 
+ @Test
+ public void testCleanDataAttributeValueOnAnchorAndObjectTags() {
+ filter = new WhitelistHtmlFilter(new ArrayList<>(), true);
+ addToWhitelist(Element.create("a", "href"));
+ addToWhitelist(Element.create("object", "data"));
+ addToWhitelist(Element.create("img", "src"));
+
+ final TagNode result = filterHtml(
+ "<a href=\"data:" + BASE64_ENCODED_XSS + "\">Base64EncodedXSS</a>" +
+ "<object data=\"data:" + BASE64_ENCODED_XSS + "\"></object>" +
+ "<img src=\"data:" + BASE64_ENCODED_IMG + "\"/>"
+ );
+
+ final TagNode a = result.findElementByName("a", true);
+ assertNotNull(a);
+ assertEquals("", a.getAttributeByName("href"));
+
+ final TagNode object = result.findElementByName("object", true);
+ assertNotNull(object);
+ assertEquals("", object.getAttributeByName("data"));
+
+ final TagNode img = result.findElementByName("img", true);
+ assertNotNull(img);
+ assertEquals("data:" + BASE64_ENCODED_IMG, img.getAttributeByName("src"));
+ }
+
 private TagNode filterHtml(final String html) {
 return filter.apply(parser.clean(html));
 }
View it on GitLab: https://code.onehippo.org/cms-community/hippo-services-htmlprocessor/commit/5c15c0e9a1be7e6f8aa31fb22d08518a106f6b6b
---
View it on GitLab: https://code.onehippo.org/cms-community/hippo-services-htmlprocessor/commit/5c15c0e9a1be7e6f8aa31fb22d08518a106f6b6b
You're receiving this email because of your account on code.onehippo.org.
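Review bot: testCleanDataAttributeValueOnAnchorAndObjectTags builds the filter with `new WhitelistHtmlFilter(new ArrayList<>(), true)`, the same boolean that the neighbouring ArgumentTrue/ArgumentFalse tests use to toggle javascript: protocol handling, so the new test leaves open whether data: values on `<a href>` and `<object data>` are blanked independently of that flag; a sibling case constructed with `false`, or a one-line comment stating that the data: rule is unconditional if that is the intent, would pin it. The test also only exercises a lowercase `data:` scheme, whereas testCleanJavascriptInAttributes already covers the mixed-case `jAvAsCrIpT:` form; a variant like `"<a href=\"DaTa:" + BASE64_ENCODED_XSS + "\">"` with the same empty-href assertion would make the case-insensitivity expectation explicit for these attributes as well. Finally, the assertions expect `""` rather than a dropped attribute (`assertNotNull(a)` followed by `assertEquals("", a.getAttributeByName("href"))`), which deserves a short comment so the contract is not mistaken for attribute removal, e.g. `// non-image data: URIs are blanked, not removed: the element stays, the attribute value becomes ""`.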