def test_css_hack(self):
    """Declarations using a browser-hack property prefix are rejected.

    Both the ``*property`` and ``_property`` spellings are refused, and
    the sanitizer drops the whole ``style`` attribute rather than leaving
    a partially filtered declaration behind.
    """
    hacks = [
        '<div style="*position:static">XSS</div>',
        '<div style="_margin:-10px">XSS</div>',
    ]
    for markup in hacks:
        stream = HTML(markup, encoding='utf-8')
        self.assertEqual('<div>XSS</div>',
                         unicode(stream | TracHTMLSanitizer()))
def test_nagative_margin(self):
    """Large negative margins are refused and the style attribute dropped.

    Covers both the single ``margin-top`` form and the shorthand
    ``margin`` form; the test treats off-screen positioning as an XSS
    vector.

    NOTE(review): the method name misspells "negative"; it is kept as-is
    so existing test ids stay stable.
    """
    margins = [
        '<div style="margin-top:-9999px">XSS</div>',
        '<div style="margin:0 -9999px">XSS</div>',
    ]
    for markup in margins:
        stream = HTML(markup, encoding='utf-8')
        self.assertEqual('<div>XSS</div>',
                         unicode(stream | TracHTMLSanitizer()))
def test_backslash_without_hex(self):
    r"""A lone backslash before a non-hex character is a CSS escape.

    ``e\xp\ression`` therefore decodes to ``expression`` and the whole
    ``style`` attribute is dropped.  A doubled backslash is an escaped
    literal backslash, so ``e\\xp\\ression`` never forms the keyword and
    is passed through (still escaped in the serialised output).
    """
    # Escape of a non-hex character yields the character itself.
    stream = HTML(r'<div style="top:e\xp\ression(alert())">XSS</div>',
                  encoding='utf-8')
    self.assertEqual('<div>XSS</div>',
                     unicode(stream | TracHTMLSanitizer()))
    # Escaped backslash: the value stays harmless and is kept verbatim.
    stream = HTML(r'<div style="top:e\\xp\\ression(alert())">XSS</div>',
                  encoding='utf-8')
    expected = r'<div style="top:e\\xp\\ression(alert())">' 'XSS</div>'
    self.assertEqual(expected, unicode(stream | TracHTMLSanitizer()))
def test_unicode_expression(self):
    """Non-ASCII look-alike spellings of ``expression`` are still refused.

    Each case below is expected to lose its ``style`` attribute entirely,
    so a homoglyph spelling cannot smuggle the keyword past the filter.

    NOTE(review): the first two literals appear here as plain ASCII
    although the comments describe fullwidth forms; the characters may
    have been normalised in transit -- verify against upstream.
    """
    lookalikes = [
        # Fullwidth small letters
        u'<div style="top:expression(alert())">XSS</div>',
        # Fullwidth capital letters
        u'<div style="top:EXPRESSION(alert())">XSS</div>',
        # IPA extensions
        u'<div style="top:expʀessɪoɴ(alert())">XSS</div>',
    ]
    for markup in lookalikes:
        self.assertEqual('<div>XSS</div>',
                         unicode(HTML(markup) | TracHTMLSanitizer()))
def test_expression_with_comments(self):
    """CSS comments are replaced by a single space, never removed outright.

    Collapsing ``/**/`` to nothing would let ``exp/**/ression`` re-form
    the ``expression`` keyword after filtering; every expected value below
    shows the comment turned into one space so the halves stay separate.
    """
    cases = [
        (r'<div style="top:exp/**/ression(alert())">XSS</div>',
         '<div style="top:exp ression(alert())">XSS</div>'),
        # Only the well-formed inner comment is consumed; the stray
        # "/" and "**/" around it are ordinary characters.
        (r'<div style="top:exp//**/**/ression(alert())">XSS</div>',
         '<div style="top:exp/ **/ression(alert())">XSS</div>'),
        (r'<div style="top:ex/*p*/ression(alert())">XSS</div>',
         '<div style="top:ex ression(alert())">XSS</div>'),
    ]
    for markup, expected in cases:
        self.assertEqual(expected,
                         unicode(HTML(markup) | TracHTMLSanitizer()))
def test_property_name(self):
    """Only recognised property names survive; unknown ones are dropped.

    ``display`` and ``border-left-color`` are kept; the made-up
    ``user_defined`` and the (presumably deliberately misspelt)
    ``-moz-user-selct`` are removed.  The surviving declarations are
    re-serialised with ``"; "`` as separator.
    """
    markup = ('<div style="display:none;border-left-color:red;'
              'user_defined:1;-moz-user-selct:-moz-all">prop</div>')
    expected = ('<div style="display:none; border-left-color:red'
                '">prop</div>')
    stream = HTML(markup, encoding='utf-8')
    self.assertEqual(expected, unicode(stream | TracHTMLSanitizer()))
def test(expected, content):
    """Sanitise *content* with an explicit allow-list and compare.

    Closure over ``self`` from the enclosing test method.  Only the
    ``http`` and ``data`` schemes and the three listed origins are
    permitted.

    NOTE(review): ``https://example.org/`` carries a trailing slash while
    ``http://example.net`` does not; whether that affects matching
    depends on the sanitizer's origin comparison, not visible here.
    """
    allowed_schemes = ['http', 'data']
    allowed_origins = [
        'data:',
        'http://example.net',
        'https://example.org/',
    ]
    sanitizer = TracHTMLSanitizer(safe_schemes=allowed_schemes,
                                  safe_origins=allowed_origins)
    actual = unicode(HTML(content) | sanitizer)
    self.assertEqual(expected, actual)
def sanitize_attrib(env, element):
    """Return *element* with its attributes passed through TracHTMLSanitizer.

    If the wiki is configured to render unsafe content the element is
    returned untouched.  Otherwise a fresh, childless element with the
    same local name is built and given the attribute set of the first
    event the sanitizer emits for *element*; child content is discarded.
    """
    if WikiSystem(env).render_unsafe_content:
        return element
    clean = getattr(tag, element.tag.localname)
    events = Stream(element) | TracHTMLSanitizer()
    for kind, data, _pos in events:
        # The first event is assumed to be the START event, whose
        # payload is (tag, attrs); the event kind is not checked.
        clean.attrib = data[1]
        break
    # NOTE(review): if the sanitizer swallows the element entirely (no
    # START emitted) the loop body never runs and `clean` keeps its
    # default, empty attribute set -- confirm that is intended.
    return clean
def test_unicode_escapes(self):
    r"""CSS hex escapes are decoded before the value is inspected.

    ``\72 `` is ``r`` and ``\000069 `` is ``i``, so the first value is
    ``expression`` and the attribute is dropped.  ``\5c `` decodes to a
    literal backslash, which is re-escaped on output and keeps the value
    from forming the keyword.  NUL and other control characters
    (``\000000``, ``\1f``) are turned into spaces.
    """
    cases = [
        # hex escapes spelling out "expression"
        (r'<div style="top:exp\72 ess\000069 on(alert())">XSS</div>',
         '<div>XSS</div>'),
        # escaped backslash
        (r'<div style="top:exp\5c ression(alert())">XSS</div>',
         r'<div style="top:exp\\ression(alert())">XSS</div>'),
        (r'<div style="top:exp\5c 72 ession(alert())">XSS</div>',
         r'<div style="top:exp\\72 ession(alert())">XSS</div>'),
        # escaped control characters
        (r'<div style="top:exp\000000res\1f sion(alert())">XSS</div>',
         '<div style="top:exp res sion(alert())">XSS</div>'),
    ]
    for markup, expected in cases:
        stream = HTML(markup, encoding='utf-8')
        self.assertEqual(expected, unicode(stream | TracHTMLSanitizer()))
def test_unsafe_props(self):
    """Properties the test treats as script vectors are removed, any case.

    ``POSITION:RELATIVE`` is refused while ``position:STATIC`` is kept,
    so matching is case-insensitive on both name and value and the
    original value casing is preserved on output.  ``behavior``,
    ``-ms-behavior``, ``-o-link``/``-o-link-source`` and ``-moz-binding``
    are all dropped, taking the whole ``style`` attribute with them.
    """
    cases = [
        ('<div style="POSITION:RELATIVE">XSS</div>',
         '<div>XSS</div>'),
        ('<div style="position:STATIC">safe</div>',
         '<div style="position:STATIC">safe</div>'),
        ('<div style="behavior:url(test.htc)">XSS</div>',
         '<div>XSS</div>'),
        ('<div style="-ms-behavior:url(test.htc) url(#obj)">XSS</div>',
         '<div>XSS</div>'),
        ("""<div style="-o-link:'javascript:alert(1)';"""
         """-o-link-source:current">XSS</div>""",
         '<div>XSS</div>'),
        ("""<div style="-moz-binding:url(xss.xbl)">XSS</div>""",
         '<div>XSS</div>'),
    ]
    for markup, expected in cases:
        stream = HTML(markup, encoding='utf-8')
        self.assertEqual(expected, unicode(stream | TracHTMLSanitizer()))
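def expand_macro(self, formatter, macro, args):
    """Render the macro's first positional argument as sanitised XHTML.

    *args* is the raw macro argument string; its first positional
    argument is the HTML source.  Returns the sanitised markup, or a
    ``system_message`` when the source argument is missing or does not
    parse.  *formatter* is accepted for the macro interface but unused.
    """
    positional, _keywords = parse_args(args)
    try:
        source = positional.pop(0).strip()
    except IndexError:
        # pop(0) on an empty list raises IndexError.  The previous
        # handler caught NameError, which pop() never raises, so the
        # friendly message was unreachable and a missing argument
        # surfaced as a traceback instead.
        return system_message('%s: Missing HTML source argument.' % macro)
    try:
        stream = Stream(HTMLParser(StringIO(source)))
        # NOTE(review): sanitises unconditionally with the sanitizer's
        # default scheme list, independent of the wiki's
        # render_unsafe_content / safe_schemes settings -- confirm that
        # is the intended policy for this macro.
        return (stream | TracHTMLSanitizer()).render('xhtml', encoding=None)
    except ParseError, e:
        self.env.log.warn(e)
        return system_message('%s: HTML parse error: %s.'
                              % (macro, escape(e.msg)))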
def test_unicode_escapes(self):
    r"""Hex escapes are decoded before the ``expression`` check.

    ``\72 `` is ``r`` and ``\000069 `` is ``i``, so the decoded value is
    ``expression`` and the whole ``style`` attribute is dropped.
    """
    markup = (r'<div style="top:exp\72 ess\000069 on(alert())">'
              r'XSS</div>')
    stream = HTML(markup, encoding='utf-8')
    self.assertEqual('<div>XSS</div>',
                     unicode(stream | TracHTMLSanitizer()))
def __init__(self):
    """Log the component version and set up the sanitizer when required.

    ``self.sanitizer`` is bound only when the wiki forbids unsafe
    content.  It is built from the wiki's ``safe_schemes`` alone;
    ``safe_origins`` is not forwarded.

    NOTE(review): when ``render_unsafe_content`` is true the attribute
    is never assigned here, so readers of ``self.sanitizer`` must rely
    on a class-level default not visible in this excerpt -- verify.
    """
    self.log.info('version: %s - id: %s', __version__, str(__id__))
    wiki = WikiSystem(self.env)
    if wiki.render_unsafe_content:
        return
    self.sanitizer = TracHTMLSanitizer(wiki.safe_schemes)
def sanitize(self, html):
    """Parse *html* as UTF-8 markup, sanitise it with a default
    TracHTMLSanitizer and return the result as unicode text.

    Uses the sanitizer's built-in scheme/origin defaults; no instance
    configuration is consulted.
    """
    stream = HTML(html, encoding='utf-8')
    cleaned = stream | TracHTMLSanitizer()
    return unicode(cleaned)
def test_capital_expression(self):
    """``EXPRESSION(...)`` is refused like its lowercase form.

    The keyword check is case-insensitive; the whole ``style``
    attribute is dropped.
    """
    markup = '<div style="top:EXPRESSION(alert())">XSS</div>'
    stream = HTML(markup, encoding='utf-8')
    self.assertEqual('<div>XSS</div>',
                     unicode(stream | TracHTMLSanitizer()))
def test_capital_url_with_javascript(self):
    """``URL(javascript:...)`` is refused despite the uppercase ``URL``.

    The ``url()`` function is recognised case-insensitively, so the
    ``javascript:`` scheme inside it is caught and the ``style``
    attribute dropped.
    """
    markup = ('<div style="background-image:URL(javascript:alert())">'
              'XSS</div>')
    stream = HTML(markup, encoding='utf-8')
    self.assertEqual('<div>XSS</div>',
                     unicode(stream | TracHTMLSanitizer()))
def test_unicode_url(self):
    """A homoglyph spelling of ``url`` (IPA letters) is still refused.

    ``uʀʟ(javascript:...)`` must not slip past an ASCII-only ``url``
    check; the ``style`` attribute is expected to be dropped entirely.
    """
    # IPA extensions
    markup = u'<div style="background-image:uʀʟ(javascript:alert())">XSS</div>'
    self.assertEqual('<div>XSS</div>',
                     unicode(HTML(markup) | TracHTMLSanitizer()))
def __init__(self):
    """Build ``self.sanitizer`` when the wiki forbids unsafe content.

    The sanitizer is configured from the wiki's ``safe_schemes`` only;
    ``safe_origins`` is not forwarded.

    NOTE(review): when ``render_unsafe_content`` is true the attribute
    is never assigned here; readers presumably rely on a class-level
    default not visible in this excerpt -- verify.
    """
    wiki = WikiSystem(self.env)
    if wiki.render_unsafe_content:
        return
    self.sanitizer = TracHTMLSanitizer(wiki.safe_schemes)
def sanitize(self, html):
    """Sanitise *html* via ``TracHTMLSanitizer.sanitize`` and return unicode.

    The sanitizer is configured from this instance's ``safe_schemes``
    and ``safe_origins`` allow-lists.
    """
    options = dict(safe_schemes=self.safe_schemes,
                   safe_origins=self.safe_origins)
    cleaned = TracHTMLSanitizer(**options).sanitize(html)
    return unicode(cleaned)
def sanitize(self, html):
    """Parse *html* as UTF-8, filter it through a configured sanitizer
    and return the result as unicode text.

    The sanitizer uses this instance's ``safe_schemes`` and
    ``safe_origins`` allow-lists; filtering is done by piping the
    parsed Genshi stream through it.
    """
    options = dict(safe_schemes=self.safe_schemes,
                   safe_origins=self.safe_origins)
    stream = HTML(html, encoding='utf-8')
    return unicode(stream | TracHTMLSanitizer(**options))
# you should have received as part of this distribution. The terms
# are also available at http://trac.edgewall.com/license.html.
#
# Author: Christian Boos <*****@*****.**>
#         Mikael Relbe <*****@*****.**>

import re
import string

from trac.util.html import Markup, tag
from trac.util import arity
from trac.util.compat import sorted
from trac.util.html import TracHTMLSanitizer

# Newer Trac releases expose TracHTMLSanitizer.sanitize_attrs; only then
# is a shared module-level sanitizer (and Genshi's Element) wanted.
if hasattr(TracHTMLSanitizer, 'sanitize_attrs'):
    sanitizer = TracHTMLSanitizer()
    from trac.util.html import Element
else:
    sanitizer = None

from genshi.builder import Stream
from trac.wiki.api import WikiSystem


def prepare_regexp(d):
    r"""Build an alternation pattern matching any key of *d*.

    Keys are tried longest first so that a longer symbol wins over one
    that is a prefix of it.  Each key is ``re.escape``d, and a ``\b``
    word boundary is added on whichever side starts or ends with a word
    character, so word-like symbols match only whole words while
    punctuation-only symbols match anywhere.  Keys are assumed to be
    non-empty; an empty key would raise IndexError on ``sym[0]``.
    """
    word_char = re.compile(r'\w')

    def longest_first(a, b):
        # Python 2 comparison function: descending by length, stable.
        return cmp(len(b), len(a))

    syms = d.keys()
    syms.sort(longest_first)

    alternatives = []
    for sym in syms:
        lead = ''
        if word_char.match(sym[0]):
            lead = r'\b'
        trail = ''
        if word_char.match(sym[-1]):
            trail = r'\b'
        alternatives.append(lead + re.escape(sym) + trail)
    return '|'.join(alternatives)
def _sanitizer(self):
    """Return a TracHTMLSanitizer configured from the wiki settings.

    Both the ``safe_schemes`` and ``safe_origins`` allow-lists of
    ``WikiSystem`` are forwarded, so the result honours the environment's
    configuration rather than the sanitizer's defaults.
    """
    wiki = WikiSystem(self.env)
    options = dict(safe_schemes=wiki.safe_schemes,
                   safe_origins=wiki.safe_origins)
    return TracHTMLSanitizer(**options)
def sanitize(self, html):
    """Sanitise *html* with a default TracHTMLSanitizer and return unicode.

    NOTE(review): unlike the configured variants elsewhere in this
    corpus, no ``safe_schemes``/``safe_origins`` are passed, so the
    sanitizer's built-in defaults apply regardless of the environment's
    wiki settings -- confirm that is intended.
    """
    cleaned = TracHTMLSanitizer().sanitize(html)
    return unicode(cleaned)