Ejemplo n.º 1
0
    def test_css_hack(self):
        html = HTML('<div style="*position:static">XSS</div>',
                    encoding='utf-8')
        self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))

        html = HTML('<div style="_margin:-10px">XSS</div>', encoding='utf-8')
        self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 2
0
 def test_nagative_margin(self):
     html = HTML('<div style="margin-top:-9999px">XSS</div>',
                 encoding='utf-8')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
     html = HTML('<div style="margin:0 -9999px">XSS</div>',
                 encoding='utf-8')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 3
0
 def test_backslash_without_hex(self):
     html = HTML(r'<div style="top:e\xp\ression(alert())">XSS</div>',
                 encoding='utf-8')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
     html = HTML(r'<div style="top:e\\xp\\ression(alert())">XSS</div>',
                 encoding='utf-8')
     self.assertEqual(
         r'<div style="top:e\\xp\\ression(alert())">'
         'XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 4
0
 def test_unicode_expression(self):
     # Fullwidth small letters
     html = HTML(u'<div style="top:expression(alert())">' u'XSS</div>')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
     # Fullwidth capital letters
     html = HTML(u'<div style="top:EXPRESSION(alert())">' u'XSS</div>')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
     # IPA extensions
     html = HTML(u'<div style="top:expʀessɪoɴ(alert())">' u'XSS</div>')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 5
0
 def test_expression_with_comments(self):
     html = HTML(r'<div style="top:exp/**/ression(alert())">XSS</div>')
     self.assertEqual('<div style="top:exp ression(alert())">XSS</div>',
                      unicode(html | TracHTMLSanitizer()))
     html = HTML(r'<div style="top:exp//**/**/ression(alert())">XSS</div>')
     self.assertEqual('<div style="top:exp/ **/ression(alert())">XSS</div>',
                      unicode(html | TracHTMLSanitizer()))
     html = HTML(r'<div style="top:ex/*p*/ression(alert())">XSS</div>')
     self.assertEqual('<div style="top:ex ression(alert())">XSS</div>',
                      unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 6
0
 def test_property_name(self):
     html = HTML('<div style="display:none;border-left-color:red;'
                 'user_defined:1;-moz-user-selct:-moz-all">prop</div>',
                 encoding='utf-8')
     self.assertEqual('<div style="display:none; border-left-color:red'
                      '">prop</div>',
                      unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 7
0
 def test(expected, content):
     html = HTML(content)
     sanitizer = TracHTMLSanitizer(safe_schemes=['http', 'data'],
                                   safe_origins=[
                                       'data:', 'http://example.net',
                                       'https://example.org/'
                                   ])
     self.assertEqual(expected, unicode(html | sanitizer))
Ejemplo n.º 8
0
 def sanitize_attrib(env, element):
     if not WikiSystem(env).render_unsafe_content:
         sanitized = getattr(tag, element.tag.localname)
         for k, data, pos in (Stream(element) | TracHTMLSanitizer()):
             sanitized.attrib = data[1]
             break  # only look at START
         element = sanitized
     return element
Ejemplo n.º 9
0
 def test_unicode_escapes(self):
     html = HTML(r'<div style="top:exp\72 ess\000069 on(alert())">'
                 r'XSS</div>', encoding='utf-8')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
     # escaped backslash
     html = HTML(r'<div style="top:exp\5c ression(alert())">XSS</div>',
                 encoding='utf-8')
     self.assertEqual(r'<div style="top:exp\\ression(alert())">XSS</div>',
                      unicode(html | TracHTMLSanitizer()))
     html = HTML(r'<div style="top:exp\5c 72 ession(alert())">XSS</div>',
                 encoding='utf-8')
     self.assertEqual(r'<div style="top:exp\\72 ession(alert())">XSS</div>',
                      unicode(html | TracHTMLSanitizer()))
     # escaped control characters
     html = HTML(r'<div style="top:exp\000000res\1f sion(alert())">'
                 r'XSS</div>', encoding='utf-8')
     self.assertEqual('<div style="top:exp res sion(alert())">XSS</div>',
                      unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 10
0
    def test_unsafe_props(self):
        html = HTML('<div style="POSITION:RELATIVE">XSS</div>',
                    encoding='utf-8')
        self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
        html = HTML('<div style="position:STATIC">safe</div>',
                    encoding='utf-8')
        self.assertEqual('<div style="position:STATIC">safe</div>',
                         unicode(html | TracHTMLSanitizer()))

        html = HTML('<div style="behavior:url(test.htc)">XSS</div>',
                    encoding='utf-8')
        self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))

        html = HTML(
            '<div style="-ms-behavior:url(test.htc) url(#obj)">'
            'XSS</div>',
            encoding='utf-8')
        self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))

        html = HTML(
            """<div style="-o-link:'javascript:alert(1)';"""
            """-o-link-source:current">XSS</div>""",
            encoding='utf-8')
        self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))

        html = HTML("""<div style="-moz-binding:url(xss.xbl)">XSS</div>""",
                    encoding='utf-8')
        self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 11
0
    def expand_macro(self, formatter, macro, args):

        args, kw = parse_args(args)

        try:
            source = args.pop(0).strip()
        except NameError:
            return system_message('%s: Missing HTML source argument.' % macro)

        try:
            stream = Stream(HTMLParser(StringIO(source)))
            return (stream | TracHTMLSanitizer()).render('xhtml',
                                                         encoding=None)
        except ParseError, e:
            self.env.log.warn(e)
            return system_message('%s: HTML parse error: %s.' %
                                  (macro, escape(e.msg)))
Ejemplo n.º 12
0
 def test_unicode_escapes(self):
     html = HTML(
         r'<div style="top:exp\72 ess\000069 on(alert())">'
         r'XSS</div>',
         encoding='utf-8')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 13
0
 def __init__(self):
     self.log.info('version: %s - id: %s', __version__, str(__id__))
     wiki = WikiSystem(self.env)
     if not wiki.render_unsafe_content:
         self.sanitizer = TracHTMLSanitizer(wiki.safe_schemes)
Ejemplo n.º 14
0
 def sanitize(self, html):
     return unicode(HTML(html, encoding='utf-8') | TracHTMLSanitizer())
Ejemplo n.º 15
0
 def test_capital_expression(self):
     html = HTML('<div style="top:EXPRESSION(alert())">XSS</div>',
                 encoding='utf-8')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 16
0
 def test_capital_url_with_javascript(self):
     html = HTML(
         '<div style="background-image:URL(javascript:alert())">'
         'XSS</div>',
         encoding='utf-8')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 17
0
 def test_unicode_url(self):
     # IPA extensions
     html = HTML(u'<div style="background-image:uʀʟ(javascript:alert())">'
                 u'XSS</div>')
     self.assertEqual('<div>XSS</div>', unicode(html | TracHTMLSanitizer()))
Ejemplo n.º 18
0
 def __init__(self):
     wiki = WikiSystem(self.env)
     if not wiki.render_unsafe_content:
         self.sanitizer = TracHTMLSanitizer(wiki.safe_schemes)
Ejemplo n.º 19
0
 def sanitize(self, html):
     sanitizer = TracHTMLSanitizer(safe_schemes=self.safe_schemes,
                                   safe_origins=self.safe_origins)
     return unicode(sanitizer.sanitize(html))
Ejemplo n.º 20
0
 def sanitize(self, html):
     sanitizer = TracHTMLSanitizer(safe_schemes=self.safe_schemes,
                                   safe_origins=self.safe_origins)
     return unicode(HTML(html, encoding='utf-8') | sanitizer)
Ejemplo n.º 21
0
# you should have received as part of this distribution. The terms
# are also available at http://trac.edgewall.com/license.html.
#
# Author: Christian Boos <*****@*****.**>
#         Mikael Relbe <*****@*****.**>

import re
import string

from trac.util.html import Markup, tag

from trac.util import arity
from trac.util.compat import sorted
from trac.util.html import TracHTMLSanitizer
if hasattr(TracHTMLSanitizer, 'sanitize_attrs'):
    sanitizer = TracHTMLSanitizer()
    from trac.util.html import Element
else:
    sanitizer = None
    from genshi.builder import Stream
from trac.wiki.api import WikiSystem


def prepare_regexp(d):
    syms = d.keys()
    syms.sort(lambda a, b: cmp(len(b), len(a)))
    return "|".join([
        r'%s%s%s' % (r'\b' if re.match(r'\w', s[0]) else '', re.escape(s),
                     r'\b' if re.match(r'\w', s[-1]) else '') for s in syms
    ])
Ejemplo n.º 22
0
 def _sanitizer(self):
     wikisys = WikiSystem(self.env)
     return TracHTMLSanitizer(safe_schemes=wikisys.safe_schemes,
                              safe_origins=wikisys.safe_origins)
Ejemplo n.º 23
0
 def sanitize(self, html):
     return unicode(TracHTMLSanitizer().sanitize(html))