aboutsummaryrefslogtreecommitdiffstats
path: root/lib/htmlpurifier/smoketests/variableWidthAttack.php
diff options
context:
space:
mode:
Diffstat (limited to 'lib/htmlpurifier/smoketests/variableWidthAttack.php')
-rw-r--r--lib/htmlpurifier/smoketests/variableWidthAttack.php57
1 files changed, 57 insertions, 0 deletions
diff --git a/lib/htmlpurifier/smoketests/variableWidthAttack.php b/lib/htmlpurifier/smoketests/variableWidthAttack.php
new file mode 100644
index 000000000..f3b6e8214
--- /dev/null
+++ b/lib/htmlpurifier/smoketests/variableWidthAttack.php
@@ -0,0 +1,57 @@
+<?php
+
+require_once 'common.php';
+
+echo '<?xml version="1.0" encoding="UTF-8" ?>';
+?><!DOCTYPE html
+ PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+ "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+<head>
+ <title>HTML Purifier Variable Width Attack Smoketest</title>
+ <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+</head>
+<body>
+<h1>HTML Purifier Variable Width Attack Smoketest</h1>
+<p>For more information, see
+<a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
+original advisory.</a> This particular exploit code appears only to work
+in Internet Explorer, if it works at all.</p>
+<h2>Test</h2>
+<?php
+
+$purifier = new HTMLPurifier();
+
+?>
+<table>
+<thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
+<tbody>
+<?php
+
+for ($i = 0; $i < 256; $i++) {
+ $c = chr($i);
+ $html = '<img src="" alt="X' . $c . '"';
+ $html .= '>A"'; // in our out the attribute? ;-)
+ $html .= "onerror=alert('$i')>O";
+ $pure_html = $purifier->purify($html);
+?>
+<tr>
+ <td><?php echo $i; ?></td>
+ <td style="font-size:8pt;"><?php echo escapeHTML($html); ?></td>
+ <td style="font-size:8pt;"><?php echo escapeHTML($pure_html); ?></td>
+ <td><?php echo $pure_html; ?></td>
+</tr>
+<?php } ?>
+</tbody>
+</table>
+
+<h2>Analysis</h2>
+
+<p>By making sure that UTF-8 is well formed and non-SGML codepoints are
+removed, as well as escaping quotes outside of tags, this is a non-threat.</p>
+
+</body>
+</html>
+<?php
+
+// vim: et sw=4 sts=4