# encoding: utf-8
require_relative 'common'

# Regression tests for the CSS sanitizer: each case feeds a known
# obfuscation trick (several taken from, or inspired by, the OWASP XSS
# Filter Evasion Cheat Sheet) through Sanitize::CSS and expects the
# dangerous declaration to be dropped entirely rather than passed through.
#
# https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet

describe 'Malicious CSS' do
  make_my_diffs_pretty!
  parallelize_me!

  before do
    # Every example runs against the RELAXED config, the most permissive one
    # shipped with Sanitize, so a pass here holds for the stricter configs too.
    @s = Sanitize::CSS.new(Sanitize::Config::RELAXED)
  end

  it 'should not be possible to inject an expression by munging it with a comment' do
    # A comment splitting the keyword must not reassemble into `expression(...)`
    # after comment stripping; the whole declaration is expected to vanish.
    single_comment = @s.properties("width:expr/*XSS*/ession(alert('XSS'))")
    single_comment.must_equal ''

    nested_comments = @s.properties('width:ex/*XSS*//*/*/pression(alert("XSS"))')
    nested_comments.must_equal ''
  end

  it 'should not be possible to inject an expression by munging it with a newline' do
    # Same idea with a newline between the property and the value.
    split_by_newline = @s.properties("width:\nexpression(alert('XSS'));")
    split_by_newline.must_equal ''
  end

  it 'should not allow the javascript protocol' do
    # Checked both at the property level and through the full fragment
    # sanitizer, which should leave an attribute-less <div> behind.
    js_url = @s.properties(%(background-image:url("javascript:alert('XSS')");))
    js_url.must_equal ''

    markup = %(<div style="background-image: url(javascript:alert('XSS'))">)
    cleaned = Sanitize.fragment(markup, Sanitize::Config::RELAXED)
    cleaned.must_equal '<div></div>'
  end

  it 'should not allow behaviors' do
    # The IE-only `behavior` property is rejected outright.
    @s.properties('behavior: url(xss.htc);').must_equal ''
  end
end