- Revision:
- 344
- Log:
Massive changeset which brings the old, ROOL customised Instiki
version up to date, but without any ROOL customisations in this
latest checked-in version (which is 0.19.1). This is deliberate,
so that it's easy to see the changes made for the ROOL version
in a subsequent changeset. The 'app/views/shared' directory is not
part of Instiki but is kept to maintain the change history with
updated ROOL customisations, some of which involve the same files
in that same directory.
- Author:
- rool
- Date:
- Sat Mar 19 19:52:13 +0000 2011
- Size:
- 16054 Bytes
1 | [ |
2 | { |
3 | "name": "IE_Comments", |
4 | "input": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->a", |
5 | "output": "a", |
6 | "xhtml": "<!--[if gte IE 4]><script>alert('XSS');</script><![endif]-->a" |
7 | }, |
8 | |
9 | { |
10 | "name": "IE_Comments_2", |
11 | "input": "<![if !IE 5]><script>alert('XSS');</script><![endif]>", |
12 | "output": "<script>alert('XSS');</script>", |
13 | "xhtml": "<![if !IE 5]><script>alert('XSS');</script><![endif]>", |
14 | "rexml": "Ill-formed XHTML!" |
15 | }, |
16 | |
17 | { |
18 | "name": "allow_colons_in_path_component", |
19 | "input": "<a href=\"./this:that\">foo</a>", |
20 | "output": "<a href='./this:that'>foo</a>" |
21 | }, |
22 | |
23 | { |
24 | "name": "background_attribute", |
25 | "input": "<div background=\"javascript:alert('XSS')\"></div>", |
26 | "output": "<div/>", |
27 | "xhtml": "<div></div>", |
28 | "rexml": "<div></div>" |
29 | }, |
30 | |
31 | { |
32 | "name": "bgsound", |
33 | "input": "<bgsound src=\"javascript:alert('XSS');\" />", |
34 | "output": "<bgsound src=\"javascript:alert('XSS');\"/>", |
35 | "xhtml": "<bgsound src='javascript:alert('XSS');'/>", |
36 | "rexml": "<bgsound src=\"javascript:alert('XSS');\"></bgsound>" |
37 | }, |
38 | |
39 | { |
40 | "name": "div_background_image_unicode_encoded", |
41 | "input": "<div style=\"background-image:\u00a5\u00a2\u006C\u0028'\u006a\u0061\u00a6\u0061\u00a3\u0063\u00a2\u0069\u00a0\u00a4\u003a\u0061\u006c\u0065\u00a2\u00a4\u0028.1027\u0058.1053\u0053\u0027\u0029'\u0029\">foo</div>", |
42 | "output": "<div style=''>foo</div>" |
43 | }, |
44 | |
45 | { |
46 | "name": "div_expression", |
47 | "input": "<div style=\"width: expression(alert('XSS'));\">foo</div>", |
48 | "output": "<div style=''>foo</div>" |
49 | }, |
50 | |
51 | { |
52 | "name": "double_open_angle_brackets", |
53 | "input": "<img src=http://ha.ckers.org/scriptlet.html <", |
54 | "output": "<img src='http://ha.ckers.org/scriptlet.html'/>", |
55 | "xhtml": "<img src='http:'/><", |
56 | "rexml": "Ill-formed XHTML!" |
57 | }, |
58 | |
59 | { |
60 | "name": "double_open_angle_brackets_2", |
61 | "input": "<script src=http://ha.ckers.org/scriptlet.html <", |
62 | "output": "<script src=\"http://ha.ckers.org/scriptlet.html\" <=\"\">", |
63 | "xhtml": "<script src='http:'/><", |
64 | "rexml": "Ill-formed XHTML!" |
65 | }, |
66 | |
67 | { |
68 | "name": "grave_accents", |
69 | "input": "<img src=`javascript:alert('XSS')` />", |
70 | "output": "<img/>", |
71 | "rexml": "Ill-formed XHTML!" |
72 | }, |
73 | |
74 | { |
75 | "name": "img_dynsrc_lowsrc", |
76 | "input": "<img dynsrc=\"javascript:alert('XSS')\" />", |
77 | "output": "<img/>", |
78 | "rexml": "<img />" |
79 | }, |
80 | |
81 | { |
82 | "name": "img_vbscript", |
83 | "input": "<img src='vbscript:msgbox(\"XSS\")' />", |
84 | "output": "<img/>", |
85 | "rexml": "<img />" |
86 | }, |
87 | |
88 | { |
89 | "name": "input_image", |
90 | "input": "<input type=\"image\" src=\"javascript:alert('XSS');\" />", |
91 | "output": "<input type='image'/>", |
92 | "rexml": "<input type='image' />" |
93 | }, |
94 | |
95 | { |
96 | "name": "link_stylesheets", |
97 | "input": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\" />", |
98 | "output": "<link rel=\"stylesheet\" href=\"javascript:alert('XSS');\"/>", |
99 | "xhtml": "<link href='javascript:alert('XSS');' rel='stylesheet'/>", |
100 | "rexml": "<link href=\"javascript:alert('XSS');\" rel=\"stylesheet\"/>" |
101 | }, |
102 | |
103 | { |
104 | "name": "link_stylesheets_2", |
105 | "input": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\" />", |
106 | "output": "<link rel=\"stylesheet\" href=\"http://ha.ckers.org/xss.css\"/>", |
107 | "xhtml": "<link href='http://ha.ckers.org/xss.css' rel='stylesheet'/>", |
108 | "rexml": "<link href=\"http://ha.ckers.org/xss.css\" rel=\"stylesheet\"/>" |
109 | }, |
110 | |
111 | { |
112 | "name": "list_style_image", |
113 | "input": "<li style=\"list-style-image: url(javascript:alert('XSS'))\">foo</li>", |
114 | "output": "<li style=''>foo</li>" |
115 | }, |
116 | |
117 | { |
118 | "name": "no_closing_script_tags", |
119 | "input": "<script src=http://ha.ckers.org/xss.js?<b>", |
120 | "output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\">", |
121 | "xhtml": "<script src='http:'/><b>", |
122 | "rexml": "Ill-formed XHTML!" |
123 | }, |
124 | |
125 | { |
126 | "name": "non_alpha_non_digit", |
127 | "input": "<script/XSS src=\"http://ha.ckers.org/xss.js\"></script>", |
128 | "output": "<script XSS=\"\" src=\"http://ha.ckers.org/xss.js\"></script>", |
129 | "xhtml": "<script/></script>", |
130 | "rexml": "Ill-formed XHTML!" |
131 | }, |
132 | |
133 | { |
134 | "name": "non_alpha_non_digit_2", |
135 | "input": "<a onclick!\\#$%&()*~+-_.,:;?@[/|\\]^`=alert(\"XSS\")>foo</a>", |
136 | "output": "<a>foo</a>", |
137 | "rexml": "Ill-formed XHTML!" |
138 | }, |
139 | |
140 | { |
141 | "name": "non_alpha_non_digit_3", |
142 | "input": "<img/src=\"http://ha.ckers.org/xss.js\"/>", |
143 | "output": "<img src='http://ha.ckers.org/xss.js'/>", |
144 | "xhtml": "<img/>", |
145 | "rexml": "Ill-formed XHTML!" |
146 | }, |
147 | |
148 | { |
149 | "name": "non_alpha_non_digit_II", |
150 | "input": "<a href!\\#$%&()*~+-_.,:;?@[/|]^`=alert('XSS')>foo</a>", |
151 | "output": "<a>foo</a>", |
152 | "rexml": "Ill-formed XHTML!" |
153 | }, |
154 | |
155 | { |
156 | "name": "non_alpha_non_digit_III", |
157 | "input": "<a/href=\"javascript:alert('XSS');\">foo</a>", |
158 | "output": "<a>foo</a>", |
159 | "rexml": "Ill-formed XHTML!" |
160 | }, |
161 | |
162 | { |
163 | "name": "platypus", |
164 | "input": "<a href=\"http://www.ragingplatypus.com/\" style=\"display:block; position:absolute; left:0; top:0; width:100%; height:100%; z-index:1; background-color:black; background-image:url(http://www.ragingplatypus.com/i/cam-full.jpg); background-x:center; background-y:center; background-repeat:repeat;\">never trust your upstream platypus</a>", |
165 | "output": "<a href='http://www.ragingplatypus.com/' style='display: block; width: 100%; height: 100%; background-color: black; background-x: center; background-y: center;'>never trust your upstream platypus</a>" |
166 | }, |
167 | |
168 | { |
169 | "name": "protocol_resolution_in_script_tag", |
170 | "input": "<script src=//ha.ckers.org/.j></script>", |
171 | "output": "<script src=\"//ha.ckers.org/.j\"></script>", |
172 | "xhtml": "<script src/></script>", |
173 | "rexml": "Ill-formed XHTML!" |
174 | }, |
175 | |
176 | { |
177 | "name": "should_allow_anchors", |
178 | "input": "<a href='foo' onclick='bar'><script>baz</script></a>", |
179 | "output": "<a href='foo'><script>baz</script></a>", |
180 | "xhtml": "<a href='foo'><script>baz</script></a>" |
181 | }, |
182 | |
183 | { |
184 | "name": "should_allow_image_alt_attribute", |
185 | "input": "<img alt='foo' onclick='bar' />", |
186 | "output": "<img alt='foo'/>", |
187 | "rexml": "<img alt='foo' />" |
188 | }, |
189 | |
190 | { |
191 | "name": "should_allow_image_height_attribute", |
192 | "input": "<img height='foo' onclick='bar' />", |
193 | "output": "<img height='foo'/>", |
194 | "rexml": "<img height='foo' />" |
195 | }, |
196 | |
197 | { |
198 | "name": "should_allow_image_src_attribute", |
199 | "input": "<img src='foo' onclick='bar' />", |
200 | "output": "<img src='foo'/>", |
201 | "rexml": "<img src='foo' />" |
202 | }, |
203 | |
204 | { |
205 | "name": "should_allow_image_width_attribute", |
206 | "input": "<img width='foo' onclick='bar' />", |
207 | "output": "<img width='foo'/>", |
208 | "rexml": "<img width='foo' />" |
209 | }, |
210 | |
211 | { |
212 | "name": "should_handle_blank_text", |
213 | "input": "", |
214 | "output": "<div xmlns='http://www.w3.org/1999/xhtml'/>", |
215 | "xhtml": "" |
216 | }, |
217 | |
218 | { |
219 | "name": "should_handle_malformed_image_tags", |
220 | "input": "<img \"\"\"><script>alert(\"XSS\")</script>\">", |
221 | "output": "<img/><script>alert(\"XSS\")</script>\">", |
222 | "xhtml": "<img/>", |
223 | "rexml": "Ill-formed XHTML!" |
224 | }, |
225 | |
226 | { |
227 | "name": "should_handle_non_html", |
228 | "input": "abc", |
229 | "output": "abc" |
230 | }, |
231 | |
232 | { |
233 | "name": "should_not_fall_for_ridiculous_hack", |
234 | "input": "<img\nsrc\n=\n\"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n\"\n />", |
235 | "output": "<img/>", |
236 | "rexml": "<img />" |
237 | }, |
238 | |
239 | { |
240 | "name": "should_not_fall_for_xss_image_hack_0", |
241 | "input": "<img src=\"javascript:alert('XSS');\" />", |
242 | "output": "<img/>", |
243 | "rexml": "<img />" |
244 | }, |
245 | |
246 | { |
247 | "name": "should_not_fall_for_xss_image_hack_1", |
248 | "input": "<img src=javascript:alert('XSS') />", |
249 | "output": "<img/>", |
250 | "rexml": "Ill-formed XHTML!" |
251 | }, |
252 | |
253 | { |
254 | "name": "should_not_fall_for_xss_image_hack_10", |
255 | "input": "<img src=\"jav
ascript:alert('XSS');\" />", |
256 | "output": "<img/>", |
257 | "rexml": "<img />" |
258 | }, |
259 | |
260 | { |
261 | "name": "should_not_fall_for_xss_image_hack_11", |
262 | "input": "<img src=\"jav
ascript:alert('XSS');\" />", |
263 | "output": "<img/>", |
264 | "rexml": "<img />" |
265 | }, |
266 | |
267 | { |
268 | "name": "should_not_fall_for_xss_image_hack_12", |
269 | "input": "<img src=\"  javascript:alert('XSS');\" />", |
270 | "output": "<img/>", |
271 | "rexml": "<img />" |
272 | }, |
273 | |
274 | { |
275 | "name": "should_not_fall_for_xss_image_hack_13", |
276 | "input": "<img src=\" javascript:alert('XSS');\" />", |
277 | "output": "<img/>", |
278 | "rexml": "<img />" |
279 | }, |
280 | |
281 | { |
282 | "name": "should_not_fall_for_xss_image_hack_14", |
283 | "input": "<img src=\" javascript:alert('XSS');\" />", |
284 | "output": "<img/>", |
285 | "rexml": "<img />" |
286 | }, |
287 | |
288 | { |
289 | "name": "should_not_fall_for_xss_image_hack_2", |
290 | "input": "<img src=\"JaVaScRiPt:alert('XSS')\" />", |
291 | "output": "<img/>", |
292 | "rexml": "<img />" |
293 | }, |
294 | |
295 | { |
296 | "name": "should_not_fall_for_xss_image_hack_3", |
297 | "input": "<img src='javascript:alert(\"XSS\")' />", |
298 | "output": "<img/>", |
299 | "rexml": "<img />" |
300 | }, |
301 | |
302 | { |
303 | "name": "should_not_fall_for_xss_image_hack_4", |
304 | "input": "<img src='javascript:alert(String.fromCharCode(88,83,83))' />", |
305 | "output": "<img/>", |
306 | "rexml": "<img />" |
307 | }, |
308 | |
309 | { |
310 | "name": "should_not_fall_for_xss_image_hack_5", |
311 | "input": "<img src='javascript:alert('XSS')' />", |
312 | "output": "<img/>", |
313 | "rexml": "<img />" |
314 | }, |
315 | |
316 | { |
317 | "name": "should_not_fall_for_xss_image_hack_6", |
318 | "input": "<img src='javascript:alert('XSS')' />", |
319 | "output": "<img/>", |
320 | "rexml": "<img />" |
321 | }, |
322 | |
323 | { |
324 | "name": "should_not_fall_for_xss_image_hack_7", |
325 | "input": "<img src='javascript:alert('XSS')' />", |
326 | "output": "<img/>", |
327 | "rexml": "<img />" |
328 | }, |
329 | |
330 | { |
331 | "name": "should_not_fall_for_xss_image_hack_8", |
332 | "input": "<img src=\"jav\tascript:alert('XSS');\" />", |
333 | "output": "<img/>", |
334 | "rexml": "<img />" |
335 | }, |
336 | |
337 | { |
338 | "name": "should_not_fall_for_xss_image_hack_9", |
339 | "input": "<img src=\"jav	ascript:alert('XSS');\" />", |
340 | "output": "<img/>", |
341 | "rexml": "<img />" |
342 | }, |
343 | |
344 | { |
345 | "name": "should_sanitize_half_open_scripts", |
346 | "input": "<img src=\"javascript:alert('XSS')\"", |
347 | "output": "<img/>", |
348 | "rexml": "Ill-formed XHTML!" |
349 | }, |
350 | |
351 | { |
352 | "name": "should_sanitize_invalid_script_tag", |
353 | "input": "<script/XSS SRC=\"http://ha.ckers.org/xss.js\"></script>", |
354 | "output": "<script XSS=\"\" SRC=\"http://ha.ckers.org/xss.js\"></script>", |
355 | "xhtml": "<script/></script>", |
356 | "rexml": "Ill-formed XHTML!" |
357 | }, |
358 | |
359 | { |
360 | "name": "should_sanitize_script_tag_with_multiple_open_brackets", |
361 | "input": "<<script>alert(\"XSS\");//<</script>", |
362 | "output": "<<script>alert(\"XSS\");//<</script>", |
363 | "xhtml": "<<script>alert(\"XSS\");//<</script>", |
364 | "rexml": "Ill-formed XHTML!" |
365 | }, |
366 | |
367 | { |
368 | "name": "should_sanitize_script_tag_with_multiple_open_brackets_2", |
369 | "input": "<iframe src=http://ha.ckers.org/scriptlet.html\n<", |
370 | "output": "<iframe src=\"http://ha.ckers.org/scriptlet.html\" <=\"\">", |
371 | "xhtml": "<iframe src='http:'/><", |
372 | "rexml": "Ill-formed XHTML!" |
373 | }, |
374 | |
375 | { |
376 | "name": "should_sanitize_tag_broken_up_by_null", |
377 | "input": "<scr\u0000ipt>alert(\"XSS\")</scr\u0000ipt>", |
378 | "output": "<scr\ufffdipt>alert(\"XSS\")</scr\ufffdipt>", |
379 | "xhtml": "<scr>alert(\"XSS\")</scr>", |
380 | "rexml": "Ill-formed XHTML!" |
381 | }, |
382 | |
383 | { |
384 | "name": "should_sanitize_unclosed_script", |
385 | "input": "<script src=http://ha.ckers.org/xss.js?<b>", |
386 | "output": "<script src=\"http://ha.ckers.org/xss.js?&lt;b\">", |
387 | "xhtml": "<script src='http:'/><b>", |
388 | "rexml": "Ill-formed XHTML!" |
389 | }, |
390 | |
391 | { |
392 | "name": "should_strip_href_attribute_in_a_with_bad_protocols", |
393 | "input": "<a href=\"javascript:XSS\" title=\"1\">boo</a>", |
394 | "output": "<a title='1'>boo</a>" |
395 | }, |
396 | |
397 | { |
398 | "name": "should_strip_href_attribute_in_a_with_bad_protocols_and_whitespace", |
399 | "input": "<a href=\" javascript:XSS\" title=\"1\">boo</a>", |
400 | "output": "<a title='1'>boo</a>" |
401 | }, |
402 | |
403 | { |
404 | "name": "should_strip_src_attribute_in_img_with_bad_protocols", |
405 | "input": "<img src=\"javascript:XSS\" title=\"1\">boo</img>", |
406 | "output": "<img title='1'/>boo", |
407 | "rexml": "<img title='1' />" |
408 | }, |
409 | |
410 | { |
411 | "name": "should_strip_src_attribute_in_img_with_bad_protocols_and_whitespace", |
412 | "input": "<img src=\" javascript:XSS\" title=\"1\">boo</img>", |
413 | "output": "<img title='1'/>boo", |
414 | "rexml": "<img title='1' />" |
415 | }, |
416 | |
417 | { |
418 | "name": "xml_base", |
419 | "input": "<div xml:base=\"javascript:alert('XSS');//\">foo</div>", |
420 | "output": "<div>foo</div>" |
421 | }, |
422 | |
423 | { |
424 | "name": "xul", |
425 | "input": "<p style=\"-moz-binding:url('http://ha.ckers.org/xssmoz.xml#xss')\">fubar</p>", |
426 | "output": "<p style=''>fubar</p>" |
427 | }, |
428 | |
429 | { |
430 | "name": "quotes_in_attributes", |
431 | "input": "<img src='foo' title='\"foo\" bar' />", |
432 | "rexml": "<img src='foo' title='\"foo\" bar' />", |
433 | "output": "<img src='foo' title='\"foo\" bar'/>" |
434 | }, |
435 | |
436 | { |
437 | "name": "uri_refs_in_svg_attributes", |
438 | "input": "<rect fill='url(#foo)' />", |
439 | "rexml": "<rect fill='url(#foo)'></rect>", |
440 | "xhtml": "<rect fill='url(#foo)'/>", |
441 | "output": "<rect fill='url(#foo)'/>" |
442 | }, |
443 | |
444 | { |
445 | "name": "absolute_uri_refs_in_svg_attributes", |
446 | "input": "<rect fill='url(http://bad.com/) #fff' />", |
447 | "rexml": "<rect fill=' #fff'></rect>", |
448 | "xhtml": "<rect fill=' #fff'/>", |
449 | "output": "<rect fill=' #fff'/>" |
450 | }, |
451 | |
452 | { |
453 | "name": "uri_ref_with_space_in_svg_attribute", |
454 | "input": "<rect fill='url(\n#foo)' />", |
455 | "rexml": "<rect fill='url(\n#foo)'></rect>", |
456 | "xhtml": "<rect fill='url(\n#foo)'/>", |
457 | "output": "<rect fill='url(\n#foo)'/>" |
458 | }, |
459 | |
460 | { |
461 | "name": "absolute_uri_ref_with_space_in_svg_attribute", |
462 | "input": "<rect fill=\"url(\nhttp://bad.com/)\" />", |
463 | "rexml": "<rect fill=' '></rect>", |
464 | "xhtml": "<rect fill=' '/>", |
465 | "output": "<rect fill=' '/>" |
466 | }, |
467 | |
468 | { |
469 | "name": "allow_html5_image_tag", |
470 | "input": "<image src='foo' />", |
471 | "rexml": "<image src=\"foo\"></image>", |
472 | "xhtml": "<image src='foo'/>", |
473 | "output": "<image src=\"foo\"/>" |
474 | }, |
475 | |
476 | { |
477 | "name": "style_attr_end_with_nothing", |
478 | "input": "<div style=\"color: blue\" />", |
479 | "output": "<div style='color: blue;'/>", |
480 | "rexml": "<div style='color: blue;'></div>" |
481 | }, |
482 | |
483 | { |
484 | "name": "style_attr_end_with_space", |
485 | "input": "<div style=\"color: blue \" />", |
486 | "output": "<div style='color: blue ;'/>", |
487 | "rexml": "<div style='color: blue ;'></div>" |
488 | }, |
489 | |
490 | { |
491 | "name": "style_attr_end_with_semicolon", |
492 | "input": "<div style=\"color: blue;\" />", |
493 | "output": "<div style='color: blue;'/>", |
494 | "rexml": "<div style='color: blue;'></div>" |
495 | }, |
496 | |
497 | { |
498 | "name": "style_attr_end_with_semicolon_space", |
499 | "input": "<div style=\"color: blue; \" />", |
500 | "output": "<div style='color: blue;'/>", |
501 | "rexml": "<div style='color: blue;'></div>" |
502 | }, |
503 | |
504 | { |
505 | "name": "attributes_with_embedded_quotes", |
506 | "input": "<img src=doesntexist.jpg\"'onerror=\"alert(1) />", |
507 | "output": "<img src='doesntexist.jpg\"'onerror=\"alert(1)'/>", |
508 | "xhtml": "<img src='doesntexist.jpg\"'onerror=\"alert(1)'/>", |
509 | "rexml": "Ill-formed XHTML!" |
510 | }, |
511 | |
512 | { |
513 | "name": "attributes_with_embedded_quotes_II", |
514 | "input": "<img src=notthere.jpg\"\"onerror=\"alert(2) />", |
515 | "output": "<img src='notthere.jpg\"\"onerror=\"alert(2)'/>", |
516 | "rexml": "Ill-formed XHTML!" |
517 | } |
518 | ] |