- Revision:
- 171
- Log:
Initial import of Beast 0.9 from downloaded Tarball. Beast is a Ruby
On Rails based forum application. The original tarball came from the
following location: http://s3.amazonaws.com/beast-forum/beast-0.9.tar.gz
The forum post which announced this version's availability was at:
http://beast.caboo.se/forums/1/topics/446
- Author:
- rool
- Date:
- Fri Mar 02 15:51:55 +0000 2007
- Size:
- 4901 Bytes
1 | require 'test/unit' |
2 | require File.expand_path(File.join(File.dirname(__FILE__), '../../../../config/environment.rb')) |
3 | |
# Test::Unit coverage for WhiteListHelper: exercises white_list (tag and
# attribute filtering) and contains_bad_protocols? (URL scheme screening).
# The expected strings pin the helper's actual output, so its normalisation
# (single-quoted attributes, self-closing empty tags, truncated bad URLs) is
# part of the asserted contract.
#
# NOTE(review): in this rendering several expected strings contain
# non-whitelisted markup unescaped (e.g. "<bad>", "<script ...>"); the
# checked-in file most likely holds those as character references that the
# page has decoded — TODO confirm against the repository before relying on
# the expectations as shown here.
class WhiteListTest < Test::Unit::TestCase
  include WhiteListHelper
  # contains_bad_protocols? is a helper-internal predicate; expose it so the
  # protocol tests below can call it directly on the test case.
  public :contains_bad_protocols?

  # One test per whitelisted tag (and per tag that has whitelisted
  # attributes): the element keeps its id while the unknown "name" attribute
  # is dropped. Note the list is not uniq'd, so a name that is both a tag and
  # an attribute key defines the same test method twice (last one wins).
  (WhiteListHelper.tags + WhiteListHelper.attributes.keys).compact.each do |tag_name|
    define_method "test_should_allow_#{tag_name}_tag" do
      assert_white_listed "start <#{tag_name} id=\"1\" name=\"foo\">foo <bad>bar</bad> baz</#{tag_name}> end", "start <#{tag_name} id='1'>foo <bad>bar</bad> baz</#{tag_name}> end"
    end
  end

  # href on <a> is kept; the non-whitelisted onclick handler is removed.
  def test_should_allow_anchors
    assert_white_listed %(<a href="foo" onclick="bar"><script>baz</script></a>), "<a href='foo'><script>baz</script></a>"
  end

  # Every whitelisted <img> attribute is retained while onclick is stripped.
  WhiteListHelper.attributes['img'].each do |img_attr|
    define_method "test_should_allow_image_#{img_attr}_attribute" do
      assert_white_listed %(<img #{img_attr}="foo" onclick="bar" />), "<img #{img_attr}='foo' />"
    end
  end

  # Plain text passes through unchanged (expected defaults to the input).
  def test_should_handle_non_html
    assert_white_listed 'abc'
  end

  # nil and the empty string are returned as-is rather than raising.
  def test_should_handle_blank_text
    assert_white_listed nil
    assert_white_listed ''
  end

  # A whitelisted URL attribute carrying a javascript: scheme is removed
  # entirely; the element and its remaining attributes survive.
  [%w(img src), %w(a href)].each do |(tag, attr)|
    define_method "test_should_strip_#{attr}_attribute_in_#{tag}_with_bad_protocols" do
      assert_white_listed %(<#{tag} #{attr}="javascript:bang" id="1">boo</#{tag}>), %(<#{tag} id='1'>boo</#{tag}>)
    end
  end

  # Schemes that must be refused. The list is hard-coded rather than derived
  # from WhiteListHelper.protocols so that a regression in the whitelist
  # itself is caught here.
  def test_should_flag_bad_protocols
    %w(about chrome data disk hcp help javascript livescript lynxcgi lynxexec ms-help ms-its mhtml mocha opera res resource shell vbscript view-source vnd.ms.radio wysiwyg).each do |proto|
      assert contains_bad_protocols?("#{proto}://bad")
    end
  end

  # Every scheme the helper whitelists is accepted. `assert !x` passes for
  # both false and nil, so the predicate's exact falsy value is not pinned.
  def test_should_accept_good_protocols
    WhiteListHelper.protocols.each do |proto|
      assert !contains_bad_protocols?("#{proto}://good")
    end
  end

  # A percent-encoded "javascript:" URL must still be recognised as a bad
  # scheme, and an href carrying it is dropped from the anchor.
  def test_should_reject_hex_codes_in_protocol
    assert contains_bad_protocols?("%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29")
    assert_white_listed %(<a href="%6A%61%76%61%73%63%72%69%70%74%3A%61%6C%65%72%74%28%22%58%53%53%22%29">1</a>), "<a>1</a>"
  end

  # Upper-case <SCRIPT> with a newline before SRC. The expected value keeps a
  # script element with src cut down to 'http:' — this pins the helper's
  # current output (presumably escaped in the real file, see class comment)
  # rather than asserting the element is removed.
  def test_should_block_script_tag
    assert_white_listed %(<SCRIPT\nSRC=http://ha.ckers.org/xss.js></SCRIPT>), "<script src='http:' /></script>"
  end

  # Obfuscated <IMG SRC=javascript:...> variants (case, quoting, embedded
  # tab/newline/whitespace, backticks) must all reduce to a bare <img>.
  # NOTE(review): some entries look identical as rendered here (the repeated
  # alert('XSS') lines and the two newline-split "jav ascript" lines); in the
  # source they are presumably distinct character-reference encodings that
  # this page has decoded — TODO confirm. The split strings below keep their
  # continuation at column 0 so the embedded line break is preserved exactly.
  [%(<IMG SRC="javascript:alert('XSS');">),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC=JaVaScRiPt:alert('XSS')>),
   %(<IMG """><SCRIPT>alert("XSS")</SCRIPT>">),
   %(<IMG SRC=javascript:alert("XSS")>),
   %(<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC=javascript:alert('XSS')>),
   %(<IMG SRC="jav\tascript:alert('XSS');">),
   %(<IMG SRC="jav	ascript:alert('XSS');">),
   %(<IMG SRC="jav
ascript:alert('XSS');">),
   %(<IMG SRC="jav
ascript:alert('XSS');">),
   %(<IMG SRC="  javascript:alert('XSS');">),
   %(<IMG SRC=`javascript:alert("RSnake says, 'XSS'")`>)].each_with_index do |img_hack, i|
    define_method "test_should_not_fall_for_xss_image_hack_#{i}" do
      assert_white_listed img_hack, "<img>"
    end
  end

  # A NUL byte inside the tag name is not ignored: the result is an unknown
  # <scr> element around the untouched text.
  def test_should_sanitize_tag_broken_up_by_null
    assert_white_listed %(<SCR\0IPT>alert(\"XSS\")</SCR\0IPT>), "<scr>alert(\"XSS\")</scr>"
  end

  # "/XSS" in place of whitespace before SRC: the src attribute is not
  # parsed, leaving an empty script element.
  def test_should_sanitize_invalid_script_tag
    assert_white_listed %(<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>), "<script /></script>"
  end

  # Doubled "<<" around a script tag, and an <iframe> whose tag is never
  # closed; the stray "<" characters are passed through.
  def test_should_sanitize_script_tag_with_multiple_open_brackets
    assert_white_listed %(<<SCRIPT>alert("XSS");//<</SCRIPT>), "<<script>alert(\"XSS\");//<</script>"
    assert_white_listed %(<iframe src=http://ha.ckers.org/scriptlet.html\n<), "<iframe src='http:' /><"
  end

  # "?<B>" glued onto the SRC value: the URL is truncated and <b> is parsed
  # as a separate element.
  def test_should_sanitize_unclosed_script
    assert_white_listed %(<SCRIPT SRC=http://ha.ckers.org/xss.js?<B>), "<script src='http:' /><b>"
  end

  # Missing closing ">" on the img tag still yields a bare <img>.
  def test_should_sanitize_half_open_scripts
    assert_white_listed %(<IMG SRC="javascript:alert('XSS')"), "<img>"
  end

  # Every character of the tag and its javascript: URL on its own line.
  def test_should_not_fall_for_ridiculous_hack
    img_hack = %(<IMG\nSRC\n=\n"\nj\na\nv\na\ns\nc\nr\ni\np\nt\n:\na\nl\ne\nr\nt\n(\n'\nX\nS\nS\n'\n)\n"\n>)
    assert_white_listed img_hack, "<img>"
  end

  protected
  # Asserts white_list(text) equals expected, or equals text itself when no
  # expected value is given (i.e. the input must pass through unchanged).
  # Because `||` is used, a nil input with no expected value asserts that
  # white_list(nil) returns nil.
  def assert_white_listed(text, expected = nil)
    assert_equal((expected || text), white_list(text))
  end
end
111 |