author | Christian Schneider | 2022-02-06 20:12:00 +0100 |
committer | Christian Schneider | 2022-02-06 20:13:18 +0100 |
commit | 5eba8aa0df1befd34eb15a57dacfdc66cffd14ac (patch) | |
tree | 2e14bc4a995bf12738649adc9dd8550a01094ffa /test | |
parent | e867407ae8b86b3170f0f103607d54a0fb7c616e (diff) | |
Filter out javascript: scheme in U() to avoid more XSS attacks
Diffstat (limited to 'test')
-rw-r--r-- | test/U_tests.json | 6 | ||||
-rwxr-xr-x | test/it_html.t | 2 |
2 files changed, 8 insertions, 0 deletions
diff --git a/test/U_tests.json b/test/U_tests.json
index 83a6771..6bfb957 100644
--- a/test/U_tests.json
+++ b/test/U_tests.json
@@ -222,6 +222,12 @@
 },
 {
+ "args": ["jAvascript://a/%E2%80%A9alert(JSON.stringify(document.cookie))"],
+ "exp": "//a/%E2%80%A9alert(JSON.stringify(document.cookie))",
+ "name": "U() remove multiple schemes from path"
+ },
+
+ {
 "args": ["//Oeffnungszeiten:8.30-17.00/"],
 "exp": "//Oeffnungszeiten:8.30-17.00/",
 "name": "U() with invalid URL"
diff --git a/test/it_html.t b/test/it_html.t
index aa734c0..a387781 100755
--- a/test/it_html.t
+++ b/test/it_html.t
@@ -253,8 +253,10 @@ is(
 'empty tags removal' );
+$GLOBALS['ULTRANOERRORS'] = true; # FIXME CS 2022-03-01 Remove this after U() does include it::error for javascript urls any more
 foreach (json_decode(it::file_get_contents(dirname($argv[0]) . '/U_tests.json'), true) as $test) is(U(...$test['args']), $test['exp'], $test['name']);
+$GLOBALS['ULTRANOERRORS'] = false;
 is(it_html::entity_decode("ä"), "รค");
 is(it_html::entity_decode("J"), "J"); |
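Review bot: The fixture name `U() remove multiple schemes from path` does not describe the added case — the input carries a single mixed-case `jAvascript:` scheme followed by a percent-encoded U+2029 separator in the path, so a reader cannot tell from the name what regression the case guards; something like `"name": "U() strips javascript: scheme regardless of case"` would. The expected value `//a/%E2%80%A9alert(...)` is still a network-path reference to host `a`, so the sanitized output points at a foreign host rather than a local path; if that is the intended contract it is worth saying so in the name, and if not, the expectation should probably be the path alone. The `U()` implementation itself is not part of this diff, so this is inferred from the fixture only.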
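Review bot: The FIXME on the added `$GLOBALS['ULTRANOERRORS'] = true;` line is hard to parse ("does include it::error ... any more"); suggest `# FIXME CS 2022-03-01 remove once U() no longer reports javascript: URLs via it::error`. Wrapping the whole `U_tests.json` loop in the flag also silences it::error for every fixture in that file, not only the javascript: ones, so an unrelated case that starts reporting an error would pass unnoticed; a per-fixture opt-in such as an `"expect_error": true` key checked inside the loop would keep the remaining cases strict. The flag is cleared by a plain assignment after the loop, so if anything inside the loop throws, the suppression stays on for the `entity_decode` assertions that follow — minor in a test file, but it is the same global that the FIXME already plans to remove.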