From 5eba8aa0df1befd34eb15a57dacfdc66cffd14ac Mon Sep 17 00:00:00 2001 From: Christian Schneider Date: Sun, 6 Feb 2022 20:12:00 +0100 Subject: Filter out javascript: scheme in U() to avoid more XSS attacks --- test/U_tests.json | 6 ++++++ test/it_html.t | 2 ++ 2 files changed, 8 insertions(+) (limited to 'test') diff --git a/test/U_tests.json b/test/U_tests.json index 83a6771..6bfb957 100644 --- a/test/U_tests.json +++ b/test/U_tests.json @@ -221,6 +221,12 @@ "name": "U() remove multiple schemes from path" }, + { + "args": ["jAvascript://a/%E2%80%A9alert(JSON.stringify(document.cookie))"], + "exp": "//a/%E2%80%A9alert(JSON.stringify(document.cookie))", + "name": "U() remove multiple schemes from path" + }, + { "args": ["//Oeffnungszeiten:8.30-17.00/"], "exp": "//Oeffnungszeiten:8.30-17.00/", diff --git a/test/it_html.t b/test/it_html.t index aa734c0..a387781 100755 --- a/test/it_html.t +++ b/test/it_html.t @@ -253,8 +253,10 @@ is( 'empty tags removal' ); +$GLOBALS['ULTRANOERRORS'] = true; # FIXME CS 2022-03-01 Remove this after U() does include it::error for javascript urls any more foreach (json_decode(it::file_get_contents(dirname($argv[0]) . '/U_tests.json'), true) as $test) is(U(...$test['args']), $test['exp'], $test['name']); +$GLOBALS['ULTRANOERRORS'] = false; is(it_html::entity_decode("ä"), "รค"); is(it_html::entity_decode("J"), "J"); -- cgit v1.2.3