File: defang_xss.t

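#!/usr/bin/env perl
# XSS regression tests for MojoMojo::Formatter::Defang.
#
# Every case feeds one HTML fragment through format_content() and compares
# the rewritten fragment with the exact text Defang is expected to produce:
# a disallowed attribute is renamed with a "defang_" prefix, and a disallowed
# element is wrapped in an HTML comment.  The fragments are written as
# qq{} strings with an explicit "\n" so that the trailing space several cases
# depend on (an unclosed tag followed by " \n") is visible and cannot be
# silently stripped by an editor, which could happen inside a heredoc.
use strict;
use warnings;
use MojoMojo::Formatter::Defang;
use Test::More tests => 11;    # keep in step with the number of entries in @cases
use Test::Differences;

# Each case: name (test description), content (input), expected (output).
# Cases marked "only while img/src are disallowed" fail if Defang's default
# (return 2) setting is changed to allow the img element or src attribute.
my @cases = (
    {
        name     => 'unclosed iframe src http not allowed',
        content  => qq{<iframe src=http://dandascalescu.com/bugs/mojomojo/scriptlet.html \n},
        expected => qq{<!--defang_iframe defang_src=http://dandascalescu.com/bugs/mojomojo/scriptlet.html \n-->},
    },
    {
        name     => 'img src javascript not allowed',
        content  => qq{<IMG SRC="javascript:alert('XSS');">\n},
        expected => qq{<IMG defang_SRC="javascript:alert('XSS');">\n},
    },
    {
        name     => 'unclosed img src javascript not allowed',
        content  => qq{<img src=javascript:alert('XSS') \n},
        expected => qq{<img defang_src=javascript:alert('XSS') \n>},
    },
    {
        name     => 'script src http not allowed',
        content  => qq{<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>\n},
        expected => qq{<!--defang_SCRIPT SRC=http://ha.ckers.org/xss.js--><!--  --><!--/defang_SCRIPT-->\n},
    },
    {
        # Only while img/src are disallowed.
        name     => 'img src http not allowed',
        content  => qq{<img src="http://malicious.com/foto.jpg" />\n},
        expected => qq{<img defang_src="http://malicious.com/foto.jpg" />\n},
    },
    {
        # Only while img/src are disallowed.
        name     => 'unclosed src http not allowed',
        content  => qq{<img src=http://malicious.com/xss.js \n},
        expected => qq{<img defang_src=http://malicious.com/xss.js \n>},
    },
    {
        name     => 'No quotes and semicolon img src javascript',
        content  => qq{<IMG SRC=javascript:alert('XSS')>\n},
        expected => qq{<IMG defang_SRC=javascript:alert('XSS')>\n},
    },
    {
        # A plain http link with a title must pass through untouched.
        name     => 'Link Title',
        content  => qq{<a href="http://mojomojo.org/" title="MojoMojo Home Page">mojomojo.org.</a>\n},
        expected => qq{<a href="http://mojomojo.org/" title="MojoMojo Home Page">mojomojo.org.</a>\n},
    },
    {
        name     => 'Protocol Resolution Bypass a href',
        content  => qq{<A HREF="//www.google.com/">XSS</A>},
        expected => qq{<A defang_HREF="//www.google.com/">XSS</A>},
    },
    {
        # Only while img/src are disallowed.
        name     => 'Protocol Resolution Bypass img src',
        content  => qq{<img src="//ha.ckers.org/xss.js" />\n},
        expected => qq{<img defang_src="//ha.ckers.org/xss.js" />\n},
    },
    {
        name     => 'javascript in href',
        content  => qq{<A HREF='javascript:SomeEvilStuff'>XSS</A>},
        expected => qq{<A defang_HREF='javascript:SomeEvilStuff'>XSS</A>},
    },
);

for my $case (@cases) {
    # format_content() rewrites the referenced scalar in place, so work on a
    # copy and leave the case table intact.
    my $html = $case->{content};
    MojoMojo::Formatter::Defang->format_content( \$html );
    eq_or_diff( $html, $case->{expected}, $case->{name} );
}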