[TASK] Deprecate RemoveXSS 02/48102/16
authorGeorg Ringer <georg.ringer@gmail.com>
Thu, 12 May 2016 13:04:36 +0000 (15:04 +0200)
committerWouter Wolters <typo3@wouterwolters.nl>
Thu, 26 May 2016 13:52:58 +0000 (15:52 +0200)
Because of its flawed approach, RemoveXSS is not fully safe and does not
keep its promise.

Resolves: #76164
Releases: master
Change-Id: I8aa0a05f7866041f392441fa852bae5a7c202142
Reviewed-on: https://review.typo3.org/48102
Reviewed-by: Nicole Cordes <typo3@cordes.co>
Tested-by: Nicole Cordes <typo3@cordes.co>
Reviewed-by: Wouter Wolters <typo3@wouterwolters.nl>
Tested-by: Wouter Wolters <typo3@wouterwolters.nl>
21 files changed:
typo3/sysext/backend/Classes/Controller/Wizard/AddController.php
typo3/sysext/backend/Classes/Search/LiveSearch/LiveSearch.php
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Documentation/Changelog/master/Deprecation-76164-DeprecateRemoveXSS.rst [new file with mode: 0644]
typo3/sysext/core/Resources/PHP/RemoveXSS.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
typo3/sysext/felogin/Classes/Controller/FrontendLoginController.php
typo3/sysext/felogin/Resources/Private/Language/locallang.xlf
typo3/sysext/form/Classes/Domain/Builder/FormBuilder.php
typo3/sysext/form/Classes/Domain/Filter/RemoveXssFilter.php
typo3/sysext/form/Configuration/PageTS/modWizards.ts
typo3/sysext/form/Configuration/TypoScript/Filters/Filters.ts
typo3/sysext/form/Documentation/Administration/WizardSettings/DefaultsReference/OptionsTab/Index.rst
typo3/sysext/form/Documentation/Configuration/Filters/Index.rst
typo3/sysext/form/Documentation/Configuration/Filters/Removexss/Index.rst [deleted file]
typo3/sysext/form/Documentation/Configuration/Objects/ObjectAttributes/Index.rst
typo3/sysext/form/Resources/Private/Language/locallang_wizard.xlf
typo3/sysext/form/Resources/Public/JavaScript/Wizard.js
typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters.js
typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS.js [deleted file]
typo3/sysext/form/Tests/Unit/Filter/RemoveXssFilterTest.php [deleted file]

index c7d1980..7f1a580 100644 (file)
@@ -265,7 +265,7 @@ class AddController extends AbstractWizardController
             $redirectUrl = BackendUtility::getModuleUrl('record_edit', array(
                 'returnEditConf' => 1,
                 'edit[' . $this->P['params']['table'] . '][' . $this->pid . ']' => 'new',
-                'returnUrl' => GeneralUtility::removeXSS(GeneralUtility::getIndpEnv('REQUEST_URI'))
+                'returnUrl' => GeneralUtility::getIndpEnv('REQUEST_URI')
             ));
             HttpUtility::redirect($redirectUrl);
         }
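Review bot: The raw `REQUEST_URI` is now handed over as `returnUrl` with no check on this side, so the safety of the later redirect rests entirely on the receiving module validating `returnUrl` (presumably with `GeneralUtility::sanitizeLocalUrl()`, which is not visible here). Dropping `removeXSS()` is the right call since it never was a URL validator, but a comment naming where the value is validated would stop the next reader from re-adding a string filter here, e.g. `// returnUrl is validated by the receiving module via GeneralUtility::sanitizeLocalUrl()` — confirm that it actually does before committing to that wording. The enclosing method begins outside the hunk.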
index 4aa7cd2..03c2436 100644 (file)
@@ -426,11 +426,10 @@ class LiveSearch
      *
      * @param string $queryString
      * @return void
-     * @see \TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS()
      */
     public function setQueryString($queryString)
     {
-        $this->queryString = GeneralUtility::removeXSS($queryString);
+        $this->queryString = $queryString;
     }
 
     /**
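Review bot: `setQueryString()` now stores the caller-supplied value untouched, yet its docblock only lost the `@see` reference and says nothing about the contract that replaces it; it should state that the value is kept raw and that every consumer must protect its own context (a parameterized query for the database lookup, `htmlspecialchars()` wherever it is echoed into HTML). Something like `Stores the raw query string; consumers must escape it for their own context, removeXSS() was never a substitute for that.` Whether the consumers in this class already do so is outside the hunk.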
index 18d975f..fd295be 100755 (executable)
@@ -249,6 +249,7 @@ class GeneralUtility
      *
      * @param string $string Input string
      * @return string Input string with potential XSS code removed
+     * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
      */
     public static function removeXSS($string)
     {
@@ -3390,14 +3391,17 @@ class GeneralUtility
      * Checks if a given string is a valid frame URL to be loaded in the
      * backend.
      *
+     * If the given url is empty or considered to be harmless, it is returned
+     * as is, else the event is logged and an empty string is returned.
+     *
      * @param string $url potential URL to check
-     * @return string either $url if $url is considered to be harmless, or an
+     * @return string $url or empty string
      */
     public static function sanitizeLocalUrl($url = '')
     {
         $sanitizedUrl = '';
-        $decodedUrl = rawurldecode($url);
-        if (!empty($url) && self::removeXSS($decodedUrl) === $decodedUrl) {
+        if (!empty($url)) {
+            $decodedUrl = rawurldecode($url);
             $parsedUrl = parse_url($decodedUrl);
             $testAbsoluteUrl = self::resolveBackPath($decodedUrl);
             $testRelativeUrl = self::resolveBackPath(self::dirname(self::getIndpEnv('SCRIPT_NAME')) . '/' . $decodedUrl);
@@ -3410,7 +3414,9 @@ class GeneralUtility
                 $sanitizedUrl = $url;
             } elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] === '/') {
                 $sanitizedUrl = $url;
-            } elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && $decodedUrl[0] !== '/') {
+            } elseif (empty($parsedUrl['scheme']) && strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0
+                && $decodedUrl[0] !== '/' && strpbrk($decodedUrl, "*:|\"<>") === FALSE && strpos($decodedUrl, '\\\\') === false
+            ) {
                 $sanitizedUrl = $url;
             }
         }
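Review bot: The new `strpbrk($decodedUrl, "*:|\"<>") === FALSE` and `strpos($decodedUrl, '\\\\') === false` conditions are attached only to the relative-URL branch, while the two accepting branches above it (the one whose condition sits just above the hunk and the `$decodedUrl[0] === '/'` branch) still assign `$sanitizedUrl = $url` without them, so the removed `removeXSS()` comparison, which guarded every branch, is replaced by a check that guards one. Unless that asymmetry is intended, apply the quote/angle-bracket/pipe/backslash part of the check before the branch chain (leaving `:` out of the hoisted list, since the absolute-URL branch legitimately sees a scheme) or repeat it in the `=== '/'` branch. `FALSE` should be lowercase to match the `false` on the same line. The docblock now says the event is logged, but no logging is visible in either hunk, and `sanitizeLocalUrl()` continues past the hunk's end. Finally, the `@deprecated since TYPO3 v8, will be removed in TYPO3 v9` tag added to `removeXSS()` — and the identical tags in `RemoveXSS.php` and `RemoveXssFilter.php` — would be more useful naming the replacement the changelog in this commit gives, e.g. `@deprecated since TYPO3 v8, will be removed in TYPO3 v9, use htmlspecialchars() or GeneralUtility::quoteJSvalue() for context-specific encoding instead`.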
diff --git a/typo3/sysext/core/Documentation/Changelog/master/Deprecation-76164-DeprecateRemoveXSS.rst b/typo3/sysext/core/Documentation/Changelog/master/Deprecation-76164-DeprecateRemoveXSS.rst
new file mode 100644 (file)
index 0000000..97ef210
--- /dev/null
@@ -0,0 +1,30 @@
+=========================================
+Deprecation: #76164 - Deprecate RemoveXSS
+=========================================
+
+Description
+===========
+
+Due to the wrong approach of RemoveXSS it is not 100% secure and does not keep its promise. The following methods have been marked as deprecated:
+
+- :php:``\TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS()``
+- :php:``\RemoveXSS::process()``
+- :php:``\TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter``
+
+
+Impact
+======
+
+Using the mentioned methods will trigger a deprecation log entry
+
+
+Affected Installations
+======================
+
+Instances that use these methods
+
+
+Migration
+=========
+
+Implement a proper encoding by yourself. Use :php:``htmlspecialchars()`` in the context of HTML or :php:``GeneralUtility::quoteJSvalue()`` in the context of JavaScript.
index 7bf25c8..06d789a 100644 (file)
  * This code is public domain, you are free to do whatever you want with it,
  * including adding it to your own project which can be under any license.
  */
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+
+/**
+ * Class RemoveXSS
+ *
+ * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
+ */
 class RemoveXSS
 {
     /**
@@ -26,9 +33,11 @@ class RemoveXSS
      * @param string $value Input string
      * @param string $replaceString replaceString for inserting in keywords (which destroys the tags)
      * @return string Input string with potential XSS code removed
+     * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
      */
     public static function process($value, $replaceString = '<x>')
     {
+        GeneralUtility::logDeprecatedFunction();
         // Don't use empty $replaceString because then no XSS-remove will be done
         if ($replaceString == '') {
             $replaceString = '<x>';
index 282433f..faa9aa0 100644 (file)
@@ -2188,7 +2188,9 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
             'empty string' => array(''),
             'http domain' => array('http://www.google.de/'),
             'https domain' => array('https://www.google.de/'),
-            'relative path with XSS' => array('../typo3/whatever.php?argument=javascript:alert(0)'),
+            'XSS attempt' => array('" onmouseover="alert(123)"'),
+            'invalid URL, UNC path' => array('\\\\foo\\bar\\'),
+            'invalid URL, HTML break out attempt' => array('" >blabuubb'),
             'base64 encoded string' => array('data:%20text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4='),
         );
     }
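Review bot: The dropped `'relative path with XSS' => array('../typo3/whatever.php?argument=javascript:alert(0)')` case appears to be still rejected by the reworked `sanitizeLocalUrl()` (the `:` in the query is caught by the `strpbrk()` check added to the relative branch), so removing it only loses regression coverage for the scheme-inside-query shape that motivated it; keep that line next to the three new entries. The provider this array belongs to starts outside the hunk, so I am inferring from the neighbouring entries that it feeds the rejected-URL test.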
index 79c016a..d4fe68f 100644 (file)
@@ -1005,12 +1005,6 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
         if ($url === '') {
             return '';
         }
-        $decodedUrl = rawurldecode($url);
-        $sanitizedUrl = GeneralUtility::removeXSS($decodedUrl);
-        if ($decodedUrl !== $sanitizedUrl || preg_match('#["<>\\\\]+#', $url)) {
-            GeneralUtility::sysLog(sprintf($this->pi_getLL('xssAttackDetected'), $url), 'felogin', GeneralUtility::SYSLOG_SEVERITY_WARNING);
-            return '';
-        }
         // Validate the URL:
         if ($this->isRelativeUrl($url) || $this->isInCurrentDomain($url) || $this->isInLocalDomain($url)) {
             return $url;
@@ -1083,10 +1077,13 @@ class FrontendLoginController extends \TYPO3\CMS\Frontend\Plugin\AbstractPlugin
      */
     protected function isRelativeUrl($url)
     {
-        $parsedUrl = @parse_url($url);
-        if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
-            // If the relative URL starts with a slash, we need to check if it's within the current site path
-            return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
+        $url = GeneralUtility::sanitizeLocalUrl($url);
+        if (!empty($url)) {
+            $parsedUrl = @parse_url($url);
+            if ($parsedUrl !== false && !isset($parsedUrl['scheme']) && !isset($parsedUrl['host'])) {
+                // If the relative URL starts with a slash, we need to check if it's within the current site path
+                return $parsedUrl['path'][0] !== '/' || GeneralUtility::isFirstPartOfStr($parsedUrl['path'], GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));
+            }
         }
         return false;
     }
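Review bot: The rejected-URL warning (`GeneralUtility::sysLog(... 'xssAttackDetected' ...)`) is removed in the first hunk and nothing on the new side replaces it, so a redirect URL that fails validation here no longer leaves a log trace unless `sanitizeLocalUrl()` logs internally; this commit's docblock for that method claims it does, but the logging itself is not in view, so please confirm rather than assume. In the second hunk `isRelativeUrl()` now sanitizes before parsing, but `$parsedUrl['path'][0]` still dereferences a key that `parse_url()` omits for query-only input such as `?x=1`, which the sanitizer may well accept; replace that return with `$path = isset($parsedUrl['path']) ? $parsedUrl['path'] : '';` followed by `return $path === '' || $path[0] !== '/' || GeneralUtility::isFirstPartOfStr($path, GeneralUtility::getIndpEnv('TYPO3_SITE_PATH'));`, which keeps today's result without the undefined-index notice. Since the method now delegates to `sanitizeLocalUrl()`, its docblock (ending at the top of the hunk) should say it returns false for any URL the sanitizer rejects, not only for non-relative ones. The method in the first hunk continues outside the hunk on both sides.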
index f742b5a..0c234c4 100644 (file)
@@ -141,9 +141,6 @@ For security reasons, this link is only active until %s. If you do not visit the
                        <trans-unit id="noValidRedirectUrl">
                                <source>Url "%s" for redirect was not accepted!</source>
                        </trans-unit>
-                       <trans-unit id="xssAttackDetected">
-                               <source>Url "%s" contained an XSS attack and was cleaned!</source>
-                       </trans-unit>
                </body>
        </file>
 </xliff>
index e6d798e..0336873 100644 (file)
@@ -443,8 +443,6 @@ class FormBuilder
 
         if ($this->getIncomingData()->getIncomingField($elementName) !== null) {
             /* filter values and set it back to incoming fields */
-                /* remove xss every time */
-            $userConfiguredElementTypoScript['filters.'][-1] = 'removexss';
             $keys = ArrayUtility::filterAndSortByNumericKeys($userConfiguredElementTypoScript['filters.']);
             foreach ($keys as $key) {
                 $class = $userConfiguredElementTypoScript['filters.'][$key];
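Review bot: The removed `$userConfiguredElementTypoScript['filters.'][-1] = 'removexss';` line was also what guaranteed the `filters.` key existed, so for an element with no configured filters the following `ArrayUtility::filterAndSortByNumericKeys($userConfiguredElementTypoScript['filters.'])` now reads an undefined index and passes null to a helper that presumably expects an array; default it first, e.g. `$filters = isset($userConfiguredElementTypoScript['filters.']) ? $userConfiguredElementTypoScript['filters.'] : [];` and pass `$filters` to the helper and the loop. The form documentation touched in this commit now shows `0 = trim` as the default filter while this hunk installs no default at all, so either that example is illustrative (worth saying so there) or the code should set it. The enclosing method starts outside the hunk.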
index 9357863..0a97a2b 100644 (file)
@@ -18,6 +18,8 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
  * Remove Cross Site Scripting filter
+ *
+ * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
  */
 class RemoveXssFilter extends AbstractFilter implements FilterInterface
 {
@@ -29,6 +31,7 @@ class RemoveXssFilter extends AbstractFilter implements FilterInterface
      *
      * @param string $value Unfiltered value
      * @return string The filtered value
+     * @deprecated since TYPO3 v8, will be removed in TYPO3 v9
      */
     public function filter($value)
     {
index e42812d..aa514e3 100644 (file)
@@ -134,7 +134,7 @@ prefix = tx_form
                                                        }
                                                }
                                                filtering {
-                                                       showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, removexss, stripnewlines, titlecase, trim, uppercase
+                                                       showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, stripnewlines, titlecase, trim, uppercase
 
                                                        filters {
                                                                alphabetic {
@@ -165,10 +165,6 @@ prefix = tx_form
                                                                        showProperties = expression
                                                                }
 
-                                                               removexss {
-                                                                       showProperties =
-                                                               }
-
                                                                stripnewlines {
                                                                        showProperties =
                                                                }
index df8fe68..6d6c36c 100644 (file)
@@ -42,11 +42,6 @@ plugin.tx_form {
                                className = TYPO3\CMS\Form\Domain\Filter\RegExpFilter
                        }
 
-                       removexss {
-                               displayName = Remove XSS
-                               className = TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter
-                       }
-
                        stripnewlines {
                                displayName = Strip New Lines
                                className = TYPO3\CMS\Form\Domain\Filter\StripNewLinesFilter
index 5978187..4bc01d2 100644 (file)
@@ -236,7 +236,7 @@ showFilters
 
 :aspect:`Default:`
     alphabetic, alphanumeric, currency, digit, integer, lowercase,
-    regexp, removexss, titlecase, trim, uppercase
+    regexp, titlecase, trim, uppercase
 
 
 .. _wizard-settings-defaults-options-filtering-filters:
@@ -358,7 +358,7 @@ The default configuration of the options tab looks like this:
             }
          }
          filtering {
-            showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, removexss, titlecase, trim, uppercase
+            showFilters = alphabetic, alphanumeric, currency, digit, integer, lowercase, regexp, titlecase, trim, uppercase
             filters {
                alphabetic {
                   showProperties = allowWhiteSpace
@@ -381,9 +381,6 @@ The default configuration of the options tab looks like this:
                regexp {
                   showProperties = expression
                }
-               removexss {
-                  showProperties =
-               }
                titlecase {
                   showProperties =
                }
index 79d7f01..7335792 100644 (file)
@@ -16,11 +16,6 @@ assigned filters in the given order. The filtered data will be shown to the
 visitor when there are errors in the form or on a confirmation page.
 Otherwise the filtered data will be send by mail to the receiver.
 
-.. attention::
-
-   By default, all submitted data will be filtered by a Cross Site Scripting
-   (XSS) filter to prevent security issues.
-
 .. toctree::
     :maxdepth: 5
     :titlesonly:
@@ -33,7 +28,6 @@ Otherwise the filtered data will be send by mail to the receiver.
     Integer/Index.rst
     Lowercase/Index.rst
     Regexp/Index.rst
-    Removexss/Index.rst
     Stripnewlines/Index.rst
     Titlecase/Index.rst
     Trim/Index.rst
diff --git a/typo3/sysext/form/Documentation/Configuration/Filters/Removexss/Index.rst b/typo3/sysext/form/Documentation/Configuration/Filters/Removexss/Index.rst
deleted file mode 100644 (file)
index f55525f..0000000
+++ /dev/null
@@ -1,16 +0,0 @@
-.. include:: ../../../Includes.txt
-
-
-.. _reference-filters-removexss:
-
-=========
-removexss
-=========
-
-This filter will process all incoming data by default. There is no need to
-add this filter manually.
-
-It filters the incoming data on possible Cross Site Scripting attacks and
-renders the incoming data safely by removing potential XSS code and adding a
-replacement string which destroys the tags.
-
index bcff9f0..a95d2f1 100644 (file)
@@ -365,14 +365,11 @@ filters
 
     **Filtered:** John Doe
 
-    **Note:**: By default, all submitted data will be filtered by a Cross
-    Site Scripting (XSS) filter to prevent security issues.
-
 :aspect:`Default:`
     .. code-block:: typoscript
 
       filters {
-        0 = removexss
+        0 = trim
       }
 
 
index 488988b..47ec19b 100644 (file)
                        <trans-unit id="filters_regexp">
                                <source>Regular Expression</source>
                        </trans-unit>
-                       <trans-unit id="filters_removexss">
-                               <source>Remove XSS</source>
-                       </trans-unit>
                        <trans-unit id="filters_stripnewlines">
                                <source>Strip New Lines</source>
                        </trans-unit>
index 72ea858..3be1fa1 100644 (file)
@@ -84,7 +84,6 @@ function configureWizardApplication() {
                'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Integer':       {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Integer',       deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
                'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/LowerCase':     {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.LowerCase',     deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
                'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RegExp':        {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RegExp',        deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
-               'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS':     {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS',     deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
                'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/StripNewLines': {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.StripNewLines', deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
                'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/TitleCase':     {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.TitleCase',     deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
                'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Trim':          {exports: 'TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Trim',          deps: ['TYPO3/CMS/Form/Wizard/Viewport/Left/Options', 'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Filter']},
@@ -127,7 +126,6 @@ function configureWizardApplication() {
                        'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Integer',
                        'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/LowerCase',
                        'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RegExp',
-                       'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS',
                        'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/StripNewLines',
                        'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/TitleCase',
                        'TYPO3/CMS/Form/Wizard/Viewport/Left/Options/Forms/Filters/Trim',
index 60a0933..0b835f3 100644 (file)
@@ -29,7 +29,6 @@ TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters = Ext.extend(Ext.Panel, {
                integer: true,
                lowercase: true,
                regexp: true,
-               removexss: true,
                stripnewlines: true,
                titlecase: true,
                trim: true,
@@ -189,7 +188,6 @@ TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters = Ext.extend(Ext.Panel, {
                                'integer',
                                'lowercase',
                                'regexp',
-                               'removexss',
                                'stripnewlines',
                                'titlecase',
                                'trim',
diff --git a/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS.js b/typo3/sysext/form/Resources/Public/JavaScript/Wizard/Viewport/Left/Options/Forms/Filters/RemoveXSS.js
deleted file mode 100644 (file)
index 21a0e85..0000000
+++ /dev/null
@@ -1,18 +0,0 @@
-Ext.namespace('TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters');
-
-/**
- * The remove XSS filter
- *
- * @class TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS
- * @extends TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Filter
- */
-TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS = Ext.extend(TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.Filter, {
-       /**
-        * @cfg {String} filter
-        *
-        * The name of this filter
-        */
-       filter: 'removexss'
-});
-
-Ext.reg('typo3-form-wizard-viewport-left-options-forms-filters-removexss', TYPO3.Form.Wizard.Viewport.Left.Options.Forms.Filters.RemoveXSS);
\ No newline at end of file
diff --git a/typo3/sysext/form/Tests/Unit/Filter/RemoveXssFilterTest.php b/typo3/sysext/form/Tests/Unit/Filter/RemoveXssFilterTest.php
deleted file mode 100644 (file)
index f8f6d65..0000000
+++ /dev/null
@@ -1,54 +0,0 @@
-<?php
-namespace TYPO3\CMS\Form\Tests\Unit\Filter;
-
-/*
- * This file is part of the TYPO3 CMS project.
- *
- * It is free software; you can redistribute it and/or modify it under
- * the terms of the GNU General Public License, either version 2
- * of the License, or any later version.
- *
- * For the full copyright and license information, please read the
- * LICENSE.txt file that was distributed with this source code.
- *
- * The TYPO3 project - inspiring people to share!
- */
-
-/**
- * Test case
- */
-class RemoveXssFilterTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
-{
-    /**
-     * @var \TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter
-     */
-    protected $subject;
-
-    protected function setUp()
-    {
-        $this->subject = new \TYPO3\CMS\Form\Domain\Filter\RemoveXssFilter();
-    }
-
-    public function maliciousStringProvider()
-    {
-        return array(
-            '<IMG SRC="javascript:alert(\'XSS\');">' => array('<IMG SRC="javascript:alert(\'XSS\');">'),
-            '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>' => array('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'),
-            '<IMG SRC=JaVaScRiPt:alert(\'XSS\')>' => array('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'),
-            '<IMG SRC=javascript:alert(&quot;XSS&quot;)>' => array('<IMG SRC=javascript:alert(&quot;XSS&quot;)>'),
-            '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>' => array('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'),
-        );
-    }
-
-    /**
-     * @test
-     * @dataProvider maliciousStringProvider
-     */
-    public function filterForMaliciousStringReturnsInputFilteredOfXssCode($input)
-    {
-        $this->assertNotSame(
-            $input,
-            $this->subject->filter($input)
-        );
-    }
-}