Commit 6405c2b8 authored by Benni Mack, committed by Christian Kuhn

[!!!][TASK] Remove deprecated methods in GeneralUtility

Drop methods and change method signatures of methods
within GeneralUtility.

Resolves: #80703
Releases: master
Change-Id: I7c617d7dbf0a7f877f6ae248319f4d28eb1f725c
Reviewed-on: https://review.typo3.org/52480


Tested-by: TYPO3com <no-reply@typo3.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
parent 86947e4c
......@@ -45,7 +45,6 @@ class FlexFormNoTabsContainer extends AbstractContainer
$sheetName = array_pop($flexFormSheetNames);
$flexFormRowDataSubPart = $flexFormRowData['data'][$sheetName]['lDEF'] ?: [];
// That was taken from GeneralUtility::resolveSheetDefInDS - no idea if it is important
unset($flexFormDataStructureArray['meta']);
if (!is_array($flexFormDataStructureArray['sheets'][$sheetName]['ROOT']['el'])) {
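Review bot: the comment above unset($flexFormDataStructureArray['meta']) still points at GeneralUtility::resolveSheetDefInDS(), which this same change removes, and "no idea if it is important" leaves the next reader no better informed than the author was. Either state the actual reason the line is kept (presumably that 'meta' is not a sheet and must not be treated as one when 'sheets' is looked up on the next line), or keep the behaviour and reference the old method only as history, e.g. // inherited from the removed GeneralUtility::resolveSheetDefInDS(): drop the non-sheet 'meta' key. Leaving a pointer to a method that no longer exists will confuse the next person who greps for it.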
......@@ -10,16 +10,47 @@ Description
===========
The following PHP classes that have been previously deprecated for v8 have been removed:
* RemoveXSS
* TYPO3\CMS\Backend\Console\Application
* TYPO3\CMS\Backend\Console\CliRequestHandler
* TYPO3\CMS\Core\Controller\CommandLineController
* TYPO3\CMS\Lowlevel\CleanerCommand
The following PHP class methods that have been previously deprecated for v8 have been removed:
* TYPO3\CMS\Core\Utility\GeneralUtility::array2xml_cs()
* TYPO3\CMS\Core\Utility\GeneralUtility::compat_version()
* TYPO3\CMS\Core\Utility\GeneralUtility::convertMicrotime()
* TYPO3\CMS\Core\Utility\GeneralUtility::csvValues()
* TYPO3\CMS\Core\Utility\GeneralUtility::deHSCentities()
* TYPO3\CMS\Core\Utility\GeneralUtility::flushOutputBuffers()
* TYPO3\CMS\Core\Utility\GeneralUtility::freetypeDpiComp()
* TYPO3\CMS\Core\Utility\GeneralUtility::generateRandomBytes()
* TYPO3\CMS\Core\Utility\GeneralUtility::getMaximumPathLength()
* TYPO3\CMS\Core\Utility\GeneralUtility::getRandomHexString()
* TYPO3\CMS\Core\Utility\GeneralUtility::imageMagickCommand()
* TYPO3\CMS\Core\Utility\GeneralUtility::lcfirst()
* TYPO3\CMS\Core\Utility\GeneralUtility::rawUrlEncodeFP()
* TYPO3\CMS\Core\Utility\GeneralUtility::rawUrlEncodeJS()
* TYPO3\CMS\Core\Utility\GeneralUtility::removeXSS()
* TYPO3\CMS\Core\Utility\GeneralUtility::requireFile()
* TYPO3\CMS\Core\Utility\GeneralUtility::requireOnce()
* TYPO3\CMS\Core\Utility\GeneralUtility::resolveAllSheetsInDS()
* TYPO3\CMS\Core\Utility\GeneralUtility::resolveSheetDefInDS()
* TYPO3\CMS\Core\Utility\GeneralUtility::slashJS()
* TYPO3\CMS\Core\Utility\GeneralUtility::strtolower()
* TYPO3\CMS\Core\Utility\GeneralUtility::strtoupper()
* TYPO3\CMS\Core\Utility\GeneralUtility::xmlGetHeaderAttribs()
The following methods changed signature according to previous deprecations in v8:
* TYPO3\CMS\Core\Utility\GeneralUtility::callUserFunction() - Persistent or file prefix in first argument removed
* TYPO3\CMS\Core\Utility\GeneralUtility::getFileAbsFileName() - Second and thrird argument dropped
* TYPO3\CMS\Core\Utility\GeneralUtility::getUserObj() - File reference prefix in first argument removed
* TYPO3\CMS\Core\Utility\GeneralUtility::wrapJS() - Second argument dropped
The following configuration options are not evaluated anymore:
* $GLOBALS['TYPO3_CONF_VARS']['SC_OPTIONS']['GLOBAL']['cliKeys']
The following entrypoints have been removed
The following entry points have been removed:
* typo3/cli_dispatch.phpsh
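Review bot: typo in the getFileAbsFileName() entry, "Second and thrird argument dropped" should read "third". The four signature-change entries also say only what was dropped, not what a caller still using the old form will observe; for callUserFunction() and getUserObj() one clause each would help, since a persistent or file prefix left in the first argument is no longer stripped and the caller gets no deprecation log to point at it any more. Lastly, RemoveXSS and GeneralUtility::removeXSS() are listed as removed without a named replacement in this section; because that filter was a fixed keyword denylist rather than an encoder, the guidance for extension authors should be context-aware output encoding (htmlspecialchars() for HTML contexts) rather than a substitute sanitizer.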
......@@ -28,6 +59,6 @@ Impact
Instantiating or requiring the PHP classes, will result in PHP fatal errors.
Calling the entrypoints via CLI will result in a file not found error.
Calling the entry points via CLI will result in a file not found error.
.. index:: PHP-API
\ No newline at end of file
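Review bot: the Impact section covers only the removed classes and the CLI entry point, while the Description above lists 23 removed GeneralUtility methods and four signature changes. Add a sentence that calling a removed method raises a PHP fatal error (call to undefined method), and one that the signature changes do not fail loudly: PHP silently ignores the surplus arguments to getFileAbsFileName() and wrapJS(), and the prefixes formerly accepted by callUserFunction()/getUserObj() are simply no longer stripped, so affected callers need a code search rather than an error to find them. Also drop the stray comma in "Instantiating or requiring the PHP classes, will result".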
<?php
/**
* Usage: Run *every* variable passed in through it.
* The goal of this function is to be a generic function that can be used to
* parse almost any input and render it XSS safe. For more information on
* actual XSS attacks, check out http://ha.ckers.org/xss.html. Another
* excellent site is the XSS Database which details each attack and how it
* works.
*
* Used with permission by the author.
* URL: http://quickwired.com/smallprojects/php_xss_filter_function.php
*
* Check XSS attacks on http://ha.ckers.org/xss.html
*
* License:
* This code is public domain, you are free to do whatever you want with it,
* including adding it to your own project which can be under any license.
*/
use TYPO3\CMS\Core\Utility\GeneralUtility;
/**
* Class RemoveXSS
*
* @deprecated since TYPO3 v8, will be removed in TYPO3 v9
*/
class RemoveXSS
{
/**
* Removes potential XSS code from an input string.
*
* Using an external class by Travis Puderbaugh <kallahar@quickwired.com>
*
* @param string $value Input string
* @param string $replaceString replaceString for inserting in keywords (which destroys the tags)
* @return string Input string with potential XSS code removed
* @deprecated since TYPO3 v8, will be removed in TYPO3 v9
*/
public static function process($value, $replaceString = '<x>')
{
GeneralUtility::logDeprecatedFunction();
// Don't use empty $replaceString because then no XSS-remove will be done
if ($replaceString == '') {
$replaceString = '<x>';
}
// Remove all non-printable characters. CR(0a) and LF(0b) and TAB(9) are allowed.
// This prevents some character re-spacing such as <java\0script>
// Note that you have to handle splits with \n, \r, and \t later since they *are* allowed in some inputs
$value = preg_replace('/([\x00-\x08]|[\x0b-\x0c]|[\x0e-\x19])/', '', $value);
// Straight replacements, the user should never need these since they're normal characters.
// This prevents like <IMG SRC=&#X40&#X61&#X76&#X61&#X73&#X63&#X72&#X69&#X70&#X74&#X3A&#X61&#X6C&#X65&#X72&#X74&#X28&#X27&#X58&#X53&#X53&#X27&#X29>
$searchHexEncodings = '/&#[xX]0{0,8}(21|22|23|24|25|26|27|28|29|2a|2b|2d|2f|30|31|32|33|34|35|36|37|38|39|3a|3b|3d|3f|40|41|42|43|44|45|46|47|48|49|4a|4b|4c|4d|4e|4f|50|51|52|53|54|55|56|57|58|59|5a|5b|5c|5d|5e|5f|60|61|62|63|64|65|66|67|68|69|6a|6b|6c|6d|6e|6f|70|71|72|73|74|75|76|77|78|79|7a|7b|7c|7d|7e);?/i';
$searchUnicodeEncodings = '/&#0{0,8}(33|34|35|36|37|38|39|40|41|42|43|45|47|48|49|50|51|52|53|54|55|56|57|58|59|61|63|64|65|66|67|68|69|70|71|72|73|74|75|76|77|78|79|80|81|82|83|84|85|86|87|88|89|90|91|92|93|94|95|96|97|98|99|100|101|102|103|104|105|106|107|108|109|110|111|112|113|114|115|116|117|118|119|120|121|122|123|124|125|126);?/i';
while (preg_match($searchHexEncodings, $value) || preg_match($searchUnicodeEncodings, $value)) {
$value = preg_replace_callback(
$searchHexEncodings,
function ($matches) {
return chr(hexdec($matches[1]));
},
$value
);
$value = preg_replace_callback(
$searchUnicodeEncodings,
function ($matches) {
return chr($matches[1]);
},
$value
);
}
// Now the only remaining whitespace attacks are \t, \n, and \r
$allKeywords = ['javascript', 'vbscript', 'expression', 'applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed',
'object', 'iframe', 'frame', 'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'video', 'audio', 'track',
'canvas', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate', 'onbeforecopy', 'onbeforecut',
'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint', 'onbeforeunload', 'onbeforeupdate',
'onblur', 'onbounce', 'oncanplay', 'oncanplaythrough', 'oncellchange', 'onchange', 'onclick', 'oncontextmenu',
'oncontrolselect', 'oncopy', 'oncuechange', 'oncut', 'ondataavailable', 'ondatasetchanged', 'ondatasetcomplete',
'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover', 'ondragstart',
'ondrop', 'ondurationchange', 'onemptied', 'onended', 'onerror', 'onerrorupdate', 'onfilterchange', 'onfinish',
'onfocus', 'onfocusin', 'onfocusout', 'onhashchange', 'onhelp', 'oninput', 'oninvalid', 'onkeydown', 'onkeypress',
'onkeyup', 'onlayoutcomplete', 'onload', 'onloadeddata', 'onloadedmetadata', 'onloadstart', 'onlosecapture',
'onmessage', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout', 'onmouseover', 'onmouseup',
'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onoffline', 'ononline', 'onpagehide', 'onpageshow', 'onpaste',
'onpause', 'onplay', 'onplaying', 'onpopstate', 'onprogress', 'onpropertychange', 'onratechange', 'onreadystatechange',
'onreset', 'onresize', 'onresizeend', 'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted',
'onscroll', 'onseeked', 'onseeking', 'onselect', 'onselectionchange', 'onselectstart', 'onshow', 'onstalled', 'onstart',
'onstop', 'onstorage', 'onsubmit', 'onsuspend', 'ontimeupdate', 'onunload', 'onvolumechange', 'onwaiting'];
$tagKeywords = ['applet', 'meta', 'xml', 'blink', 'link', 'style', 'script', 'embed', 'object', 'iframe', 'frame',
'frameset', 'ilayer', 'layer', 'bgsound', 'title', 'base', 'video', 'audio', 'track', 'canvas'];
$attributeKeywords = ['style', 'onabort', 'onactivate', 'onafterprint', 'onafterupdate', 'onbeforeactivate',
'onbeforecopy', 'onbeforecut', 'onbeforedeactivate', 'onbeforeeditfocus', 'onbeforepaste', 'onbeforeprint',
'onbeforeunload', 'onbeforeupdate', 'onblur', 'onbounce', 'oncanplay', 'oncanplaythrough', 'oncellchange', 'onchange',
'onclick', 'oncontextmenu', 'oncontrolselect', 'oncopy', 'oncuechange', 'oncut', 'ondataavailable', 'ondatasetchanged',
'ondatasetcomplete', 'ondblclick', 'ondeactivate', 'ondrag', 'ondragend', 'ondragenter', 'ondragleave', 'ondragover',
'ondragstart', 'ondrop', 'ondurationchange', 'onemptied', 'onended', 'onerror', 'onerrorupdate', 'onfilterchange',
'onfinish', 'onfocus', 'onfocusin', 'onfocusout', 'onhashchange', 'onhelp', 'oninput', 'oninvalid,', 'onkeydown',
'onkeypress', 'onkeyup', 'onlayoutcomplete', 'onload', 'onloadeddata', 'onloadedmetadata', 'onloadstart',
'onlosecapture', 'onmessage', 'onmousedown', 'onmouseenter', 'onmouseleave', 'onmousemove', 'onmouseout',
'onmouseover', 'onmouseup', 'onmousewheel', 'onmove', 'onmoveend', 'onmovestart', 'onoffline', 'ononline',
'onpagehide', 'onpageshow', 'onpaste', 'onpause', 'onplay', 'onplaying', 'onpopstate', 'onprogress',
'onpropertychange', 'onratechange', 'onreadystatechange', 'onredo', 'onreset', 'onresize', 'onresizeend',
'onresizestart', 'onrowenter', 'onrowexit', 'onrowsdelete', 'onrowsinserted', 'onscroll', 'onseeked', 'onseeking',
'onselect', 'onselectionchange', 'onselectstart', 'onshow', 'onstalled', 'onstart', 'onstop', 'onstorage', 'onsubmit',
'onsuspend', 'ontimeupdate', 'onundo', 'onunload', 'onvolumechange', 'onwaiting'];
$protocolKeywords = ['javascript', 'vbscript', 'expression'];
// Remove the potential &#xxx; stuff for testing
$valueForQuickCheck = preg_replace('/(&#[xX]?0{0,8}(9|10|13|a|b);?)*\s*/i', '', $value);
$potentialKeywords = [];
foreach ($allKeywords as $keyword) {
// Stripos is faster than the regular expressions used later and because the words we're looking for only have
// chars < 0x80 we can use the non-multibyte safe version.
if (stripos($valueForQuickCheck, $keyword) !== false) {
//keep list of potential words that were found
if (in_array($keyword, $protocolKeywords, true)) {
$potentialKeywords[] = [$keyword, 'protocol'];
}
if (in_array($keyword, $tagKeywords, true)) {
$potentialKeywords[] = [$keyword, 'tag'];
}
if (in_array($keyword, $attributeKeywords, true)) {
$potentialKeywords[] = [$keyword, 'attribute'];
}
// Some keywords appear in more than one array.
// These get multiple entries in $potentialKeywords, each with the appropriate type
}
}
// Only process potential words
if (!empty($potentialKeywords)) {
// Keep replacing as long as the previous round replaced something
$found = true;
while ($found) {
$valueBeforeReplacement = $value;
foreach ($potentialKeywords as $potentialKeywordItem) {
list($keyword, $type) = $potentialKeywordItem;
$keywordLength = strlen($keyword);
// Build pattern with each letter of the keyword and potential (encoded) whitespace in between
$pattern = $keyword[0];
if ($keywordLength > 1) {
for ($j = 1; $j < $keywordLength; $j++) {
$pattern .= '((&#[xX]0{0,8}([9ab]);?)|(&#0{0,8}(9|10|13);?)|\s)*' . $keyword[$j];
}
}
// Handle each type a little different (extra conditions to prevent false positives a bit better)
switch ($type) {
case 'protocol':
// These take the form of e.g. 'javascript:'
$pattern .= '((&#[xX]0{0,8}([9ab]);?)|(&#0{0,8}(9|10|13);?)|\s)*(?=:)';
break;
case 'tag':
// These take the form of e.g. '<SCRIPT[^\da-z] ....';
$pattern = '(?<=<)' . $pattern . '((&#[xX]0{0,8}([9ab]);?)|(&#0{0,8}(9|10|13);?)|\s)*(?=[^\da-z])';
break;
case 'attribute':
// These take the form of e.g. 'onload=' Beware that a lot of characters are allowed
// between the attribute and the equal sign!
$pattern .= '[\s\!\#\$\%\&\(\)\*\~\+\-\_\.\,\:\;\?\@\[\/\|\\\\\]\^\`]*(?==)';
break;
}
$pattern = '/' . $pattern . '/i';
// Inject the replacement to render the potential problem harmless
$replacement = substr_replace($keyword, $replaceString, 2, 0);
// Perform the actual replacement
$value = preg_replace($pattern, $replacement, $value);
// If no replacements were made exit the loop
$found = ($valueBeforeReplacement !== $value);
}
}
}
return $value;
}
}
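Review bot: deleting this file is the right call, and the keyword tables show why nobody should port it into an extension instead. The attribute list carries 'oninvalid,' with a trailing comma, so in_array('oninvalid', $attributeKeywords, true) never matches, the keyword gets no type, and an oninvalid= handler passes through process() untouched; the list also predates attributes such as formaction and srcdoc entirely. A denylist on token names cannot be completed, which is the argument for pointing extension authors at output encoding in the changelog rather than at any copy of RemoveXSS::process().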
<?php
/*
* This file is part of the TYPO3 CMS project.
*
* It is free software; you can redistribute it and/or modify it under
* the terms of the GNU General Public License, either version 2
* of the License, or any later version.
*
* For the full copyright and license information, please read the
* LICENSE.txt file that was distributed with this source code.
*
* The TYPO3 project - inspiring people to share!
*/
/**
* Testcase for class RemoveXSS
* @ see http://ha.ckers.org/xss.html
* @ examples from http://ha.ckers.org/xssAttacks.xml
*/
class RemoveXSSTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestCase
{
/**
* @test
*/
public function checkAttackScriptAlert()
{
$testString = "<SCRIPT>alert('XSS')</SCRIPT>";
$expectedString = "<sc<x>ript>alert('XSS')</SCRIPT>";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackScriptSrcJs()
{
$testString = '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>';
$expectedString = '<sc<x>ript SRC=http://ha.ckers.org/xss.js></SCRIPT>';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackScriptAlertFromCharCode()
{
$testString = '<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>';
$expectedString = '<sc<x>ript>alert(String.fromCharCode(88,83,83))</SCRIPT>';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackBaseHref()
{
$testString = "<BASE HREF=\"javascript:alert('XSS');//\">";
$expectedString = "<ba<x>se HREF=\"ja<x>vascript:alert('XSS');//\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackBgsound()
{
$testString = "<BGSOUND SRC=\"javascript:alert('XSS');\">";
$expectedString = "<bg<x>sound SRC=\"ja<x>vascript:alert('XSS');\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackBodyBackground()
{
$testString = "<BODY BACKGROUND=\"javascript:alert('XSS');\">";
$expectedString = "<BODY BACKGROUND=\"ja<x>vascript:alert('XSS');\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackBodyOnLoad()
{
$testString = "<BODY ONLOAD=alert('XSS')>";
$expectedString = "<BODY on<x>load=alert('XSS')>";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackStyleUrl()
{
$testString = "<DIV STYLE=\"background-image: url(javascript:alert('XSS'))\">";
$expectedString = "<DIV st<x>yle=\"background-image: url(ja<x>vascript:alert('XSS'))\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackStyleWidth()
{
$testString = "<DIV STYLE=\"width: expression(alert('XSS'));\">";
$expectedString = "<DIV st<x>yle=\"width: expression(alert('XSS'));\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackFrameset()
{
$testString = "<FRAMESET><FRAME SRC=\"javascript:alert('XSS');\"></FRAMESET>";
$expectedString = "<fr<x>ameset><fr<x>ame SRC=\"ja<x>vascript:alert('XSS');\"></FRAMESET>";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackIframe()
{
$testString = "<IFRAME SRC=\"javascript:alert('XSS');\"></IFRAME>";
$expectedString = "<if<x>rame SRC=\"ja<x>vascript:alert('XSS');\"></IFRAME>";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackInputImage()
{
$testString = "<INPUT TYPE=\"IMAGE\" SRC=\"javascript:alert('XSS');\">";
$expectedString = "<INPUT TYPE=\"IMAGE\" SRC=\"ja<x>vascript:alert('XSS');\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackImageSrc()
{
$testString = "<IMG SRC=\"javascript:alert('XSS');\">";
$expectedString = "<IMG SRC=\"ja<x>vascript:alert('XSS');\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackImageSrcNoQuotesNoSemicolon()
{
$testString = "<IMG SRC=javascript:alert('XSS')>";
$expectedString = "<IMG SRC=ja<x>vascript:alert('XSS')>";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackImageDynsrc()
{
$testString = "<IMG DYNSRC=\"javascript:alert('XSS');\">";
$expectedString = "<IMG DYNSRC=\"ja<x>vascript:alert('XSS');\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackImageLowsrc()
{
$testString = "<IMG LOWSRC=\"javascript:alert('XSS');\">";
$expectedString = "<IMG LOWSRC=\"ja<x>vascript:alert('XSS');\">";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackStyle()
{
$testString = "<STYLE>li {list-style-image: url(\"javascript:alert('XSS')\");}</STYLE>";
$expectedString = "<st<x>yle>li {list-style-image: url(\"ja<x>vascript:alert('XSS')\");}</STYLE>";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackImageVbscript()
{
$testString = "<IMG SRC='vbscript:msgbox(\"XSS\")'>";
$expectedString = "<IMG SRC='vb<x>script:msgbox(\"XSS\")'>";
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackLayer()
{
$testString = '<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>';
$expectedString = '<la<x>yer SRC="http://ha.ckers.org/scriptlet.html"></LAYER>';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackMeta()
{
$testString = '<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">';
$expectedString = '<me<x>ta HTTP-EQUIV="refresh" CONTENT="0;url=ja<x>vascript:alert(\'XSS\');">';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackMetaWithUrl()
{
$testString = '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">';
$expectedString = '<me<x>ta HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackMetaWithUrlExtended()
{
$testString = '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">';
$expectedString = '<me<x>ta HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=ja<x>vascript:alert(\'XSS\');">';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackObject()
{
$testString = '<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>';
$expectedString = '<ob<x>ject TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackObjectEmbeddedXss()
{
$testString = '<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(\'XSS\')></OBJECT>';
$expectedString = '<ob<x>ject classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=ja<x>vascript:alert(\'XSS\')></OBJECT>';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackEmbedFlash()
{
$testString = '<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>';
$expectedString = '<em<x>bed SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackActionScriptEval()
{
$testString = 'a="get";b="URL("";c="javascript:";d="alert(\'XSS\');")";eval(a+b+c+d);";';
$expectedString = 'a="get";b="URL("";c="ja<x>vascript:";d="alert(\'XSS\');")";eval(a+b+c+d);";';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackImageStyleWithComment()
{
$testString = '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">';
$expectedString = '<IMG st<x>yle="xss:expr/*XSS*/ession(alert(\'XSS\'))">';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackStyleInAnonymousHtml()
{
$testString = '<XSS STYLE="xss:expression(alert(\'XSS\'))">';
$expectedString = '<XSS st<x>yle="xss:expression(alert(\'XSS\'))">';
$actualString = RemoveXSS::process($testString);
$this->assertEquals($expectedString, $actualString);
}
/**
* @test
*/
public function checkAttackStyleWithBackgroundImage()
{
$testString = '<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>';
$expectedString = '<st<x>yle>.XSS{background-image:url("ja<x>vascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>';
$actualString = RemoveXSS::process($testString);