    def test_css_hack(self):
        """Declarations using the IE ``*`` and ``_`` property-name hacks are dropped.

        Both ``*position:static`` and ``_margin:-10px`` are removed entirely,
        so the sanitized element keeps no ``style`` attribute at all.
        """
        hacked_inputs = [
            '<div style="*position:static">XSS</div>',
            '<div style="_margin:-10px">XSS</div>',
        ]
        for markup in hacked_inputs:
            sanitized = HTML(markup, encoding='utf-8') | TracHTMLSanitizer()
            self.assertEqual('<div>XSS</div>', unicode(sanitized))
 def test_nagative_margin(self):
     """Negative margins are stripped, both as a single property and in shorthand.

     ``margin-top:-9999px`` and ``margin:0 -9999px`` each cause the whole
     ``style`` attribute to be removed.
     """
     negative_margins = ('<div style="margin-top:-9999px">XSS</div>',
                         '<div style="margin:0 -9999px">XSS</div>')
     for markup in negative_margins:
         result = unicode(HTML(markup, encoding='utf-8') | TracHTMLSanitizer())
         self.assertEqual('<div>XSS</div>', result)
 def test_backslash_without_hex(self):
     """A backslash with no hex digits after it does not let ``expression`` through.

     With single backslashes inside the keyword the declaration is dropped;
     with doubled (escaped) backslashes the value is plain text and the
     element is returned unchanged.
     """
     single_backslash = r'<div style="top:e\xp\ression(alert())">XSS</div>'
     sanitized = HTML(single_backslash, encoding='utf-8') | TracHTMLSanitizer()
     self.assertEqual('<div>XSS</div>', unicode(sanitized))

     doubled_backslash = r'<div style="top:e\\xp\\ression(alert())">XSS</div>'
     sanitized = HTML(doubled_backslash, encoding='utf-8') | TracHTMLSanitizer()
     self.assertEqual(doubled_backslash, unicode(sanitized))
 def test_unicode_expression(self):
     """Non-ASCII look-alikes of ``expression`` are rejected like the ASCII form.

     The inline comments name the script each variant is written in.
     NOTE(review): the first two inputs read as plain ASCII in this listing;
     confirm the intended fullwidth code points are present in the source file.
     """
     look_alikes = [
         # Fullwidth small letters
         u'<div style="top:expression(alert())">XSS</div>',
         # Fullwidth capital letters
         u'<div style="top:EXPRESSION(alert())">XSS</div>',
         # IPA extensions
         u'<div style="top:expʀessɪoɴ(alert())">XSS</div>',
     ]
     for markup in look_alikes:
         self.assertEqual('<div>XSS</div>',
                          unicode(HTML(markup) | TracHTMLSanitizer()))
 def test_expression_with_comments(self):
     """CSS comments inside ``expression`` are replaced by a space, not deleted.

     Each ``/*...*/`` becomes one space, so the keyword is not re-joined and
     the now-harmless declaration is kept in the output.
     """
     comment_cases = [
         (r'<div style="top:exp/**/ression(alert())">XSS</div>',
          '<div style="top:exp ression(alert())">XSS</div>'),
         (r'<div style="top:exp//**/**/ression(alert())">XSS</div>',
          '<div style="top:exp/ **/ression(alert())">XSS</div>'),
         (r'<div style="top:ex/*p*/ression(alert())">XSS</div>',
          '<div style="top:ex ression(alert())">XSS</div>'),
     ]
     for markup, expected in comment_cases:
         self.assertEqual(expected,
                          unicode(HTML(markup) | TracHTMLSanitizer()))
 def test_property_name(self):
     """Only recognised property names survive sanitizing.

     ``display`` and ``border-left-color`` are kept and re-serialised with
     ``; `` between them, while ``user_defined`` and ``-moz-user-selct``
     are dropped.
     """
     markup = ('<div style="display:none;border-left-color:red;'
               'user_defined:1;-moz-user-selct:-moz-all">prop</div>')
     expected = '<div style="display:none; border-left-color:red">prop</div>'
     html = HTML(markup, encoding='utf-8')
     self.assertEqual(expected, unicode(html | TracHTMLSanitizer()))
 def test(expected, content):
     """Sanitize ``content`` with a fixed scheme/origin whitelist and compare.

     Closes over ``self`` from the enclosing test method.  Allowed schemes
     are ``http`` and ``data``; allowed origins are ``data:``,
     ``http://example.net`` and ``https://example.org/``.
     """
     html = HTML(content)
     allowed_schemes = ['http', 'data']
     allowed_origins = ['data:', 'http://example.net', 'https://example.org/']
     sanitizer = TracHTMLSanitizer(safe_schemes=allowed_schemes,
                                   safe_origins=allowed_origins)
     self.assertEqual(expected, unicode(html | sanitizer))
 def sanitize_attrib(env, element):
     """Return ``element`` with its attributes run through the HTML sanitizer.

     When the wiki is configured to render unsafe content the element is
     returned untouched.  Otherwise a fresh ``tag`` element with the same
     local name is built and given the attributes from the first event the
     sanitizer emits for ``element``; that event is assumed to be START
     (NOTE(review): the event kind is never checked -- verify for streams
     that do not begin with START).  Child content of ``element`` is not
     copied onto the rebuilt element.
     """
     if WikiSystem(env).render_unsafe_content:
         return element
     rebuilt = getattr(tag, element.tag.localname)
     # Only the first sanitized event is consumed; the rest are discarded.
     for kind, data, pos in (Stream(element) | TracHTMLSanitizer()):
         rebuilt.attrib = data[1]
         break
     return rebuilt
 def test_unicode_escapes(self):
     r"""CSS hex escapes are decoded before the value is checked.

     ``\72`` and ``\000069`` decode to ``r`` and ``i``, re-forming
     ``expression``, so that declaration is dropped.  ``\5c`` decodes to a
     literal backslash, which is emitted doubled and leaves the declaration
     in place.  Escaped NUL and control characters (``\000000``, ``\1f``)
     are turned into a space.
     """
     escape_cases = [
         # hex escapes that spell out "expression"
         (r'<div style="top:exp\72 ess\000069 on(alert())">XSS</div>',
          '<div>XSS</div>'),
         # escaped backslash
         (r'<div style="top:exp\5c ression(alert())">XSS</div>',
          r'<div style="top:exp\\ression(alert())">XSS</div>'),
         (r'<div style="top:exp\5c 72 ession(alert())">XSS</div>',
          r'<div style="top:exp\\72 ession(alert())">XSS</div>'),
         # escaped control characters
         (r'<div style="top:exp\000000res\1f sion(alert())">XSS</div>',
          '<div style="top:exp res sion(alert())">XSS</div>'),
     ]
     for markup, expected in escape_cases:
         html = HTML(markup, encoding='utf-8')
         self.assertEqual(expected, unicode(html | TracHTMLSanitizer()))
    def test_unsafe_props(self):
        """Dangerous properties are dropped whatever their case; safe values stay.

        ``POSITION:RELATIVE`` is rejected while ``position:STATIC`` is kept
        verbatim.  ``behavior``, ``-ms-behavior``, ``-o-link`` with
        ``-o-link-source`` and ``-moz-binding`` each cause the whole
        ``style`` attribute to be removed.
        """
        stripped = '<div>XSS</div>'
        expectations = [
            ('<div style="POSITION:RELATIVE">XSS</div>', stripped),
            ('<div style="position:STATIC">safe</div>',
             '<div style="position:STATIC">safe</div>'),
            ('<div style="behavior:url(test.htc)">XSS</div>', stripped),
            ('<div style="-ms-behavior:url(test.htc) url(#obj)">XSS</div>',
             stripped),
            ("""<div style="-o-link:'javascript:alert(1)';"""
             """-o-link-source:current">XSS</div>""", stripped),
            ('<div style="-moz-binding:url(xss.xbl)">XSS</div>', stripped),
        ]
        for markup, expected in expectations:
            html = HTML(markup, encoding='utf-8')
            self.assertEqual(expected, unicode(html | TracHTMLSanitizer()))
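    def expand_macro(self, formatter, macro, args):
        """Render the macro's HTML argument after passing it through the sanitizer.

        :param formatter: the wiki formatter (not used here)
        :param macro: the macro name, used only in error messages
        :param args: raw argument string; its first positional argument is
                     the HTML source
        :return: the sanitized markup rendered as XHTML, or a
                 ``system_message`` describing the problem
        """
        args, kw = parse_args(args)

        try:
            source = args.pop(0).strip()
        except IndexError:
            # pop(0) on an empty argument list raises IndexError.  The
            # previous handler caught NameError, which never fires here, so a
            # missing argument escaped as an exception instead of producing
            # the system message below.
            return system_message('%s: Missing HTML source argument.' % macro)

        try:
            stream = Stream(HTMLParser(StringIO(source)))
            # User-supplied markup reaches the page only through the
            # sanitizer; the rendered result is returned as-is.
            return (stream | TracHTMLSanitizer()).render('xhtml',
                                                         encoding=None)
        except ParseError as e:
            self.env.log.warn(e)
            # e.msg is escaped before it is embedded in the message markup.
            return system_message('%s: HTML parse error: %s.' %
                                  (macro, escape(e.msg)))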
 def test_unicode_escapes(self):
     r"""Hex escapes (``\72`` -> ``r``, ``\000069`` -> ``i``) still spell ``expression``.

     The decoded declaration is rejected, so the ``style`` attribute is
     dropped.
     """
     markup = r'<div style="top:exp\72 ess\000069 on(alert())">XSS</div>'
     sanitized = HTML(markup, encoding='utf-8') | TracHTMLSanitizer()
     self.assertEqual('<div>XSS</div>', unicode(sanitized))
 def __init__(self):
     """Log the component version and set up the sanitizer.

     The sanitizer is built from the wiki's ``safe_schemes`` only when
     ``render_unsafe_content`` is off.  NOTE(review): ``self.sanitizer`` is
     never assigned in the unsafe-rendering case, so readers of that
     attribute must cope with it being absent.
     """
     self.log.info('version: %s - id: %s', __version__, str(__id__))
     wiki_system = WikiSystem(self.env)
     if wiki_system.render_unsafe_content:
         return
     self.sanitizer = TracHTMLSanitizer(wiki_system.safe_schemes)
 def sanitize(self, html):
     """Parse ``html`` as UTF-8 markup and return the sanitized result as text.

     A default-configured sanitizer is used: no ``safe_schemes`` or
     ``safe_origins`` are passed, so its built-in whitelist applies.
     """
     stream = HTML(html, encoding='utf-8')
     sanitizer = TracHTMLSanitizer()
     return unicode(stream | sanitizer)
 def test_capital_expression(self):
     """Upper-case ``EXPRESSION(...)`` is rejected and the ``style`` attribute dropped."""
     markup = '<div style="top:EXPRESSION(alert())">XSS</div>'
     sanitized = HTML(markup, encoding='utf-8') | TracHTMLSanitizer()
     self.assertEqual('<div>XSS</div>', unicode(sanitized))
 def test_capital_url_with_javascript(self):
     """An upper-case ``URL(javascript:...)`` value is rejected like the lower-case form."""
     markup = '<div style="background-image:URL(javascript:alert())">XSS</div>'
     sanitized = HTML(markup, encoding='utf-8') | TracHTMLSanitizer()
     self.assertEqual('<div>XSS</div>', unicode(sanitized))
 def test_unicode_url(self):
     """A ``url`` keyword spelled with IPA look-alike letters is still rejected."""
     # IPA extensions
     markup = u'<div style="background-image:uʀʟ(javascript:alert())">XSS</div>'
     sanitized = HTML(markup) | TracHTMLSanitizer()
     self.assertEqual('<div>XSS</div>', unicode(sanitized))
 def __init__(self):
     """Build the sanitizer from the wiki's ``safe_schemes`` unless unsafe rendering is on.

     NOTE(review): ``self.sanitizer`` is never assigned when
     ``render_unsafe_content`` is true; readers must handle the attribute
     being absent.
     """
     wiki_system = WikiSystem(self.env)
     if wiki_system.render_unsafe_content:
         return
     self.sanitizer = TracHTMLSanitizer(wiki_system.safe_schemes)
 def sanitize(self, html):
     """Sanitize ``html`` with this object's scheme/origin whitelist and return text.

     The whitelist comes from ``self.safe_schemes`` and ``self.safe_origins``;
     the sanitizer's own ``sanitize`` method does the work.
     """
     options = {'safe_schemes': self.safe_schemes,
                'safe_origins': self.safe_origins}
     sanitizer = TracHTMLSanitizer(**options)
     return unicode(sanitizer.sanitize(html))
 def sanitize(self, html):
     """Parse ``html`` as UTF-8 markup, sanitize it with this object's whitelist, return text.

     ``self.safe_schemes`` and ``self.safe_origins`` configure the
     sanitizer; the parsed stream is piped through it.
     """
     options = {'safe_schemes': self.safe_schemes,
                'safe_origins': self.safe_origins}
     sanitizer = TracHTMLSanitizer(**options)
     stream = HTML(html, encoding='utf-8')
     return unicode(stream | sanitizer)
# you should have received as part of this distribution. The terms
# are also available at http://trac.edgewall.com/license.html.
#
# Author: Christian Boos <*****@*****.**>
#         Mikael Relbe <*****@*****.**>

import re
import string

from trac.util.html import Markup, tag

from trac.util import arity
from trac.util.compat import sorted
from trac.util.html import TracHTMLSanitizer
if hasattr(TracHTMLSanitizer, 'sanitize_attrs'):
    # Trac versions whose sanitizer exposes sanitize_attrs(): keep one shared
    # sanitizer instance and import Element for building markup.
    sanitizer = TracHTMLSanitizer()
    from trac.util.html import Element
else:
    # Older sanitizer without sanitize_attrs(): no module-level instance;
    # Stream is imported for the Genshi-based code path instead.
    sanitizer = None
    from genshi.builder import Stream
from trac.wiki.api import WikiSystem


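def prepare_regexp(d):
    r"""Build an alternation regexp that matches every key of ``d``.

    Keys are tried longest first so a longer symbol wins over a prefix of
    itself, and each key is passed through ``re.escape``.  A ``\b`` word
    boundary is added on a side of the key only when the character on that
    side is a word character, so purely symbolic keys are not wrapped in
    boundaries that could never match.

    :param d: mapping whose keys are the literal symbols to match
    :return: the pattern string; empty when ``d`` has no non-empty keys
    """
    # Longest first.  sorted() is stable, so equal-length keys keep their
    # original relative order, exactly as the former cmp-based sort did.
    # Empty keys are skipped: an empty alternative matches everywhere.
    syms = sorted((s for s in d if s), key=len, reverse=True)

    def bounded(s):
        lead = r'\b' if re.match(r'\w', s[0]) else ''
        trail = r'\b' if re.match(r'\w', s[-1]) else ''
        return r'%s%s%s' % (lead, re.escape(s), trail)

    return "|".join([bounded(s) for s in syms])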
 def _sanitizer(self):
     """Create a sanitizer configured from the wiki's safe schemes and origins."""
     wiki_system = WikiSystem(self.env)
     options = {'safe_schemes': wiki_system.safe_schemes,
                'safe_origins': wiki_system.safe_origins}
     return TracHTMLSanitizer(**options)
 def sanitize(self, html):
     """Return ``html`` sanitized by a default-configured sanitizer, as text.

     No ``safe_schemes`` or ``safe_origins`` are passed, so the sanitizer's
     built-in whitelist applies.
     """
     sanitizer = TracHTMLSanitizer()
     return unicode(sanitizer.sanitize(html))