add some more tests from OWASP

This commit is contained in:
rugk 2017-11-22 15:41:49 +01:00
parent 9fa2ea3373
commit 3d2dbabaec
No known key found for this signature in database
GPG key ID: 05D40A636AFAB34D

View file

@ -1451,9 +1451,6 @@ describe('PasteViewer', function () {
// https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet // https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
jsc.elements([ jsc.elements([
'<PLAINTEXT>', '<PLAINTEXT>',
// @TODO these two pass, but aren't evaluated in this context - do they need to be sanitized, too?
// '\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
// 'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
'></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>', '></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
'\'\';!--"<XSS>=&{()}', '\'\';!--"<XSS>=&{()}',
'<SCRIPT SRC=http://example.com/xss.js></SCRIPT>', '<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
@ -1466,8 +1463,18 @@ describe('PasteViewer', function () {
'<a onmouseover="alert(document.cookie)">xxs link</a>', '<a onmouseover="alert(document.cookie)">xxs link</a>',
'<a onmouseover=alert(document.cookie)>xxs link</a>', '<a onmouseover=alert(document.cookie)>xxs link</a>',
'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
'<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>' '<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>',
// @TODO the list goes on… '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
'<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>',
'<TABLE BACKGROUND="javascript:alert(\'XSS\')">',
'<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">',
'<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="httx://xss.rocks/xss.js"></SCRIPT>',
'(alert)(1)',
'a=alert,a(1)',
'top[“al”+”ert”](1)',
'top[/al/.source+/ert/.source](1)',
'al\u0065rt(1)',
'top[8680439..toString(30)](1)'
]), ]),
'string', 'string',
function (format, prefix, xss, suffix) { function (format, prefix, xss, suffix) {
@ -1490,4 +1497,3 @@ describe('PasteViewer', function () {
); );
}); });
}); });