array( 'AllowedFrameTargets' => array('_blank'), 'EnableID' => true ), 'Filter' => array( 'YouTube' => true, ), 'URI' => array( 'HostBlacklist' => array ('www.symfony-project.org') ), 'HTML' => array( 'DefinitionID' => 'allow flash movies', 'DefinitionRev' => 1 ), 'AutoFormat' => array( 'Element' => array( 'param' => array( 'type' => false, 'contents' => 'Empty', 'attr_includes' => false, 'attr' => array( 'name' => 'Text', 'value' => 'Text' ) ), 'object' => array( 'type' => 'Inline', 'contents' => 'Optional: param | Flow | #PCDATA', 'attr_includes' => false, 'attr' => array ( 'type*' => 'Enum#application/x-shockwave-flash', 'width*' => 'Pixels', 'height*' => 'Pixels', 'data' => 'Text', 'bgcolor*' => 'Text', 'quality*' => 'Text' ) ), 'embed' => array( 'type' => 'Block', 'contents' => 'Empty', 'attr_includes' => false, 'attr' => array( 'type*' => 'Enum#application/x-shockwave-flash', 'width*' => 'Pixels', 'height*' => 'Pixels', 'src*' => 'URI', 'flashvars' => 'Text', 'allowscriptaccess' => 'Enum#never', 'enablejsurls' => 'Enum#false', 'enablehref' => 'Enum#false', 'bgcolor' => 'Text', 'align' => 'Text', 'quality' => 'Text', 'wmode' => 'Text', 'pluginspage' => 'URI', 'saveembedtags' => 'Text', 'salign' => 'Text', 'scale' => 'Text', 'name' => 'Text' ) ) ) ) ); // force configuration sfConfig::set('app_sfXssSafePlugin_definition', $definitions); $xsssafe_tests = array( 'XSS Quick Test' => array( 'input' => '\'\';!--"=&{()}', 'output' => '\'\';!--"=&{()}' ), 'SCRIPT w/Alert()' => array( 'input' => '', 'output' => '' ), 'SCRIPT w/Source File' => array( 'input' => '', 'output' => '' ), 'SCRIPT w/Char Code' => array( 'input' => '', 'output' => '' ), 'BASE' => array( 'input' => '', 'output' => '' ), 'BGSOUND' => array( 'input' => '', 'output' => '' ), 'BODY background-image' => array( 'input' => '', 'output' => '' ), 'BODY ONLOAD' => array( 'input' => '', 'output' => '' ), 'DIV background-image' => array( 'input' => '
', 'output' => '
' ), 'DIV expression' => array( 'input' => '
', 'output' => '
' ), 'FRAME' => array( 'input' => '', 'output' => '' ), 'IFRAME' => array( 'input' => '', 'output' => '' ), 'IMG w/JavaScript Directive' => array( 'input' => '', 'output' => '' ), 'IMG No Quotes/Semicolon' => array( 'input' => '', 'output' => '' ), 'IMG Dynsrc' => array( 'input' => '', 'output' => '' ), 'IMG Lowsrc' => array( 'input' => '', 'output' => '' ), 'IMG Embedded commands 1' => array( 'input' => '', 'output' => 'somecommand.php?somevariables=maliciouscode' ), 'IMG STYLE w/expression' => array( 'input' => 'exp/*', 'output' => 'exp/*' ), 'List-style-image' => array( 'input' => '
  • XSS', 'output' => '
    • XSS
    ' ), 'IMG w/VBscript' => array( 'input' => '', 'output' => '' ), 'LAYER' => array( 'input' => '', 'output' => '' ), 'Livescript' => array( 'input' => ' ', 'output' => '' ), 'META' => array( 'input' => '', 'output' => '' ), 'META w/data:URL' => array( 'input' => '', 'output' => '' ), 'META w/additional URL parameter' => array( 'input' => '', 'output' => '' ), 'OBJECT' => array( 'input' => '', 'output' => '' ), 'OBJECT w/Embedded XSS' => array( 'input' => '', 'output' => '' ), 'Embed Flash' => array( 'input' => '', 'output' => '' ), 'STYLE' => array( 'input' => '', 'output' => '' ), 'STYLE w/Comment' => array( 'input' => '', 'output' => '' ), 'STYLE w/Anonymous HTML' => array( 'input' => '', 'output' => '' ), 'STYLE w/background-image' => array( 'input' => '', 'output' => '' ), 'STYLE w/background' => array( 'input' => '', 'output' => '' ), 'Stylesheet' => array( 'input' => '', 'output' => '' ), 'Remote Stylesheet' => array( 'input' => '', 'output' => '' ), 'TABLE' => array( 'input' => '
    ', 'output' => '' ), 'PHP' => array( 'input' => 'alert("XSS")\'); ?>', 'output' => '<? echo(\'alert("XSS")\'); ?>', ), 'JavaScript Link Location' => array( 'input' => 'XSS', 'output' => 'XSS' ), 'Case Insensitive' => array( 'input' => '', 'output' => '' ), 'HTML Entities' => array( 'input' => '', 'output' => '' ), 'Grave Accents' => array( 'input' => '', 'output' => '' ), 'Image w/CharCode' => array( 'input' => '', 'output' => '' ), 'Escaping JavaScript escapes' => array( 'input' => << << array( 'input' => '', 'output' => '' ), 'STYLE w/broken up JavaScript' => array( 'input' => <<@im\port'\ja\vasc\rip t:alert("XSS")'; END , 'output' => '' ), 'Embedded Tab' => array( 'input' => '', 'output' => '' ), 'Embedded Encoded Tab' => array( 'input' => '', 'output' => '' ), 'Embedded Newline' => array( 'input' => '', 'output' => '' ), 'Embedded Carriage Return' => array( 'input' => '', 'output' => '' ), 'Multiline w/Carriage Returns' => array( 'input' => << END , 'output' => '' ), 'Firefox Lookups' => array( 'input' => 'XSS', 'output' => 'XSS' ), 'Content Replace' => array( 'input' => 'XSS', 'output' => 'XSS' ), 'Mixed Encoding' => array( 'input' => <<XSS END , 'output' => 'XSS' ) ); $miscellaneous_tests = array( 'YouTube Filter' => array( 'input' => '', 'output' => '', 'filter' => true ), 'Allowed Frame Targets Filter' => array( 'input' => '', 'output' => '', 'filter' => true ), 'Enable ID' => array( 'input' => '
    ', 'output' => '
    ', 'filter' => true ), 'Host Blacklist' => array( 'input' => 'Symfony Project', 'output' => 'Symfony Project', 'filter' => true ), 'Enable Object' => array( 'input' => ' ', 'output' => '', 'filter' => true ) ); $t = new lime_test(count($xsssafe_tests)+count($miscellaneous_tests)+2, new lime_output_color()); // XssSafe Helper $t->diag('XssSafe Helper'); $t->include_ok(sfConfig::get('sf_plugins_dir').'/sfXssSafePlugin/lib/helper/XssSafeHelper.php', 'XssSafe Helper include'); $t->include_ok(sfConfig::get('sf_plugins_dir').'/sfXssSafePlugin/lib/vendor/htmlpurifier/HTMLPurifier.auto.php', 'HTML Purifier include'); // XSS Attacks Smoketest $t->diag('XSS Attacks Smoketest'); foreach ($xsssafe_tests as $name => $test) { $t->is(esc_xsssafe($test['input']), $test['output'], $name . sprintf('%s', isset($test['filter']) ? ' is properly filtered' : ' is properly escaped')); } // HTML Purifier Config $t->diag('HTML Purifier Config'); foreach ($miscellaneous_tests as $name => $test) { $t->is(trim(esc_xsssafe($test['input'])), $test['output'], $name . sprintf('%s', isset($test['filter']) ? ' is properly filtered' : ' is properly escaped')); } ?>