BOOST_AUTO_TEST_CASE(BasicTest)
{
string output = restrict_html("<h1>Table</h1><table> <tr><th>Month</th> <th>Savings</th> </tr> <tr> <td>January</td> <td>$100</td> </tr></table> <p>Paragraph with a <a href=\"https://example.de\"><i>Acceptable Link</i></a>.</p> <ul> <li>Coffee</li> <li>Tea</li> <li>Milk</li></ul>");
- BOOST_CHECK_EQUAL(string("<h1>Table</h1><table> <tr><th>Month</th> <th>Savings</th> </tr> <tr> <td>January</td> <td>$100</td> </tr></table> <p>Paragraph with a <a href=\"/arnie?form=redirect&url=https://example.de\" target=_blank><i>Acceptable Link</i></a>.</p> <ul> <li>Coffee</li> <li>Tea</li> <li>Milk</li></ul>"), output);
+ BOOST_CHECK_EQUAL(string("<h1>Table</h1><table> <tr><th>Month</th> <th>Savings</th> </tr> <tr> <td>January</td> <td>$100</td> </tr></table> <p>Paragraph with a <a href=\"/arnie?form=redirect&url=https%3A%2F%2Fexample%2Ede\" target=_blank><i>Acceptable Link</i></a>.</p> <ul> <li>Coffee</li> <li>Tea</li> <li>Milk</li></ul>"), output);
}
BOOST_AUTO_TEST_CASE(ScriptInjection)
BOOST_AUTO_TEST_CASE(AhrefLink)
{
string output = restrict_html("<a href=\"http://i2n.de/\" >test</a>");
- BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http://i2n.de/\" target=_blank>test</a>"), output);
+ BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http%3A%2F%2Fi2n%2Ede%2F\" target=_blank>test</a>"), output);
}
BOOST_AUTO_TEST_CASE(AhrefLink2)
BOOST_AUTO_TEST_CASE(AhrefProtocol)
{
string output = restrict_html("<a href=\"http://www.foo.com\">foo</a>");
- BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http://www.foo.com\" target=_blank>foo</a>"), output);
+ BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http%3A%2F%2Fwww%2Efoo%2Ecom\" target=_blank>foo</a>"), output);
}
BOOST_AUTO_TEST_CASE(AhrefWrongProtocol)
BOOST_CHECK_EQUAL(string(" Test Me!!"), output);
}
+BOOST_AUTO_TEST_CASE(EncodedURL)
+{
+ string output = restrict_html("<A HREF=\"http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D\">test</A>");
+ BOOST_CHECK_EQUAL(string("<a href=\"/arnie?form=redirect&url=http%3A%2F%2Fwww%2Egoogle%2Ecom\" target=_blank>test</a>"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidRedirection)
+{
+ string output = restrict_html("<a href=\"/arnie?form=redirect&url=javascript:alert(String.fromCharCode(88,83,83))\">test</a>");
+ BOOST_CHECK_EQUAL(string("test"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidRedirection2)
+{
+ string output = restrict_html("<a href=/arnie?form=redirect&url=http://something.com;href=javascript:alert(1)>test</a>");
+ BOOST_CHECK_EQUAL(string("test"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidTag)
+{
+ string output = restrict_html("<STYLE TYPE=\"text/javascript\">alert('XSS');</STYLE>");
+ BOOST_CHECK_EQUAL(string("alert('XSS');"), output);
+}
+
+BOOST_AUTO_TEST_CASE(InvalidTag2)
+{
+ string output = restrict_html("<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>");
+ BOOST_CHECK_EQUAL(string(""), output);
+}
+
BOOST_AUTO_TEST_CASE(DecodeStringURL)
{
string output = decode_url("%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D");
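Review bot: The new InvalidRedirection and InvalidTag2 cases only reject a literal lowercase `javascript:` scheme, while EncodedURL shows that percent-encoded href input is decoded before the `/arnie?form=redirect` wrapper is built, so a scheme that only becomes recognisable after decoding (`%6Aavascript:alert(1)`), a mixed-case `JaVaScRiPt:`, a scheme with embedded whitespace or control characters, or a `data:` URL is not covered by any assertion in this hunk. Whether restrict_html validates the scheme before or after decode_url runs cannot be told from the tests alone, which is exactly why it should be pinned here: add a case such as `string output = restrict_html("<a href=\"%6AavaScript:alert(1)\">test</a>");` followed by `BOOST_CHECK_EQUAL(string("test"), output);`, and a sibling for `<a href="data:text/html,...">`. The expected strings still emit `target=_blank` without `rel="noopener"`; that is pre-existing output rather than something this commit introduces, but any future change to it will have to update every expectation in this file.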