Fix XSS vulnerabilities in chunk-handling

This commit is contained in:
Jacques Distler 2007-09-23 19:30:39 +00:00
parent 36b86a9d41
commit a3d3f1c536
6 changed files with 55 additions and 3 deletions


@ -19,4 +19,12 @@ class CategoryTest < Test::Unit::TestCase
)
end
def test_multiple_categories_sanitized
match(Category, 'category: test, multiple,<span>a & b</span> <script>alert("XSS!");</script>', :list => ['test', 'multiple', '&lt;span&gt;a &amp; b&lt;/span&gt; &lt;script&gt;alert(&quot;XSS!&quot;);&lt;/script&gt;'], :hidden => nil
)
match(Category, 'category : chunk test , multi category,<span>a & b</span> <script>alert("XSS!");</script>',
:list => ['chunk test','multi category','&lt;span&gt;a &amp; b&lt;/span&gt; &lt;script&gt;alert(&quot;XSS!&quot;);&lt;/script&gt;'], :hidden => nil
)
end
end
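Review bot: The expected escaped string is duplicated verbatim in both `match` calls of `test_multiple_categories_sanitized`, so the two assertions can silently drift apart when one is edited; hoist it into a local, `sanitized = '&lt;span&gt;a &amp; b&lt;/span&gt; &lt;script&gt;alert(&quot;XSS!&quot;);&lt;/script&gt;'`, and pass `:list => ['test', 'multiple', sanitized]` in the first call and `:list => ['chunk test', 'multi category', sanitized]` in the second. A one-line comment above the method would also help, since the expectation encodes the escaping policy rather than just a value: `# every category name is HTML-escaped in full, including quotes`. The enclosing `CategoryTest` class starts outside the hunk.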


@ -12,4 +12,10 @@ class NoWikiTest < Test::Unit::TestCase
)
end
def test_sanitized_nowiki
match(NoWiki, 'This sentence contains <nowiki><span>a b</span> <script>alert("XSS!");</script></nowiki>. Do not touch!',
:plain_text => '<span>a b</span> &lt;script&gt;alert("XSS!");&lt;/script&gt;'
)
end
end
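Review bot: The `:plain_text` expectation in `test_sanitized_nowiki` keeps `<span>a b</span>` intact and leaves the double quotes in `alert("XSS!")` unescaped, whereas the category test in this same commit expects `&quot;`, so the NoWiki chunk evidently goes through a tag allow-list rather than full escaping; that policy should be stated in the test, e.g. `# NoWiki bodies are allow-list sanitized: benign markup survives, <script> is escaped`. Because a surviving element is the usual gap in an allow-list, the test would be stronger with a second `match` asserting what happens to attributes on the retained `<span>` (stripped or escaped), which this case does not cover. The enclosing `NoWikiTest` class starts outside the hunk.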