2012-09-18 23:23:16 +08:00
|
|
|
|
/**
|
|
|
|
|
|
* 测试XSS
|
2014-02-13 16:38:32 +08:00
|
|
|
|
*
|
|
|
|
|
|
* @author 老雷<leizongmin@gmail.com>
|
2012-09-18 23:23:16 +08:00
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
|
|
var assert = require('assert');
|
2015-01-22 14:20:55 +08:00
|
|
|
|
var _xss = require('../');
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
function xss (html, options) {
|
|
|
|
|
|
console.log(JSON.stringify(html));
|
|
|
|
|
|
var ret = _xss(html, options);
|
|
|
|
|
|
console.log('\t' + JSON.stringify(ret));
|
|
|
|
|
|
return ret;
|
|
|
|
|
|
}
|
2012-09-18 23:23:16 +08:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
describe('test XSS', function () {
|
|
|
|
|
|
|
|
|
|
|
|
it('#normal', function () {
|
|
|
|
|
|
|
2015-01-12 14:04:29 +08:00
|
|
|
|
// 兼容各种奇葩输入
|
|
|
|
|
|
assert.equal(xss(), '');
|
|
|
|
|
|
assert.equal(xss(null), '');
|
|
|
|
|
|
assert.equal(xss(123), '123');
|
|
|
|
|
|
assert.equal(xss({a: 1111}), '[object Object]');
|
|
|
|
|
|
|
2015-01-20 13:06:54 +08:00
|
|
|
|
// 清除不可见字符
|
2015-01-22 14:20:55 +08:00
|
|
|
|
assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b'), 'a\u0000\u0001\u0002\u0003\r\n b');
|
|
|
|
|
|
assert.equal(xss('a\u0000\u0001\u0002\u0003\r\n b', {stripBlankChar: true}), 'a\r\n b');
|
2015-01-20 13:06:54 +08:00
|
|
|
|
|
2012-09-18 23:23:16 +08:00
|
|
|
|
// 过滤不在白名单的标签
|
|
|
|
|
|
assert.equal(xss('<b>abcd</b>'), '<b>abcd</b>');
|
|
|
|
|
|
assert.equal(xss('<o>abcd</o>'), '<o>abcd</o>');
|
|
|
|
|
|
assert.equal(xss('<b>abcd</o>'), '<b>abcd</o>');
|
|
|
|
|
|
assert.equal(xss('<b><o>abcd</b></o>'), '<b><o>abcd</b></o>');
|
|
|
|
|
|
assert.equal(xss('<hr>'), '<hr>');
|
|
|
|
|
|
assert.equal(xss('<xss>'), '<xss>');
|
|
|
|
|
|
assert.equal(xss('<xss o="x">'), '<xss o="x">');
|
|
|
|
|
|
assert.equal(xss('<a><b>c</b></a>'), '<a><b>c</b></a>');
|
|
|
|
|
|
assert.equal(xss('<a><c>b</c></a>'), '<a><c>b</c></a>');
|
|
|
|
|
|
|
|
|
|
|
|
// 过滤不是标签的<>
|
|
|
|
|
|
assert.equal(xss('<>>'), '<>>');
|
|
|
|
|
|
assert.equal(xss('<script>'), '<script>');
|
|
|
|
|
|
assert.equal(xss('<<a>b>'), '<<a>b>');
|
|
|
|
|
|
assert.equal(xss('<<<a>>b</a><x>'), '<<<a>>b</a><x>');
|
|
|
|
|
|
|
2013-11-05 15:40:17 +08:00
|
|
|
|
// 过滤不在白名单中的属性
|
2014-02-18 14:27:27 +08:00
|
|
|
|
assert.equal(xss('<a oo="1" xx="2" title="3">yy</a>'), '<a title="3">yy</a>');
|
|
|
|
|
|
assert.equal(xss('<a title xx oo>pp</a>'), '<a title>pp</a>');
|
|
|
|
|
|
assert.equal(xss('<a title "">pp</a>'), '<a title>pp</a>');
|
2012-09-18 23:23:16 +08:00
|
|
|
|
assert.equal(xss('<a t="">'), '<a>');
|
|
|
|
|
|
|
|
|
|
|
|
// 属性内的特殊字符
|
2014-02-18 14:27:27 +08:00
|
|
|
|
assert.equal(xss('<a title="\'<<>>">'), '<a title="\'<<>>">');
|
|
|
|
|
|
assert.equal(xss('<a title=""">'), '<a title=\"\"\">');
|
|
|
|
|
|
assert.equal(xss('<a h=title="oo">'), '<a>');
|
|
|
|
|
|
assert.equal(xss('<a h= title="oo">'), '<a title="oo">');
|
|
|
|
|
|
assert.equal(xss('<a title="javascript&colonalert(/xss/)">'), '<a title="javascript:alert(/xss/)">');
|
2012-09-19 08:20:38 +08:00
|
|
|
|
|
|
|
|
|
|
// 自动将属性值的单引号转为双引号
|
2014-02-18 14:27:27 +08:00
|
|
|
|
assert.equal(xss('<a title=\'abcd\'>'), '<a title="abcd">');
|
2014-12-06 16:25:35 +08:00
|
|
|
|
assert.equal(xss('<a title=\'"\'>'), '<a title=""">');
|
2012-09-19 08:20:38 +08:00
|
|
|
|
|
2012-09-19 09:04:23 +08:00
|
|
|
|
// 没有双引号括起来的属性值
|
2014-02-18 14:27:27 +08:00
|
|
|
|
assert.equal(xss('<a title=home>'), '<a title="home">');
|
2014-12-06 16:25:35 +08:00
|
|
|
|
assert.equal(xss('<a title=abc("d")>'), '<a title="abc("d")">');
|
2014-02-18 14:27:27 +08:00
|
|
|
|
assert.equal(xss('<a title=abc(\'d\')>'), '<a title="abc(\'d\')">');
|
2012-09-19 09:04:23 +08:00
|
|
|
|
|
2012-09-20 20:30:32 +08:00
|
|
|
|
// 单个闭合标签
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<img src/>'), '<img src />');
|
|
|
|
|
|
assert.equal(xss('<img src />'), '<img src />');
|
|
|
|
|
|
assert.equal(xss('<img src//>'), '<img src />');
|
2013-11-05 15:40:17 +08:00
|
|
|
|
assert.equal(xss('<br/>'), '<br />');
|
|
|
|
|
|
assert.equal(xss('<br />'), '<br />');
|
2012-09-20 20:30:32 +08:00
|
|
|
|
|
2012-09-18 23:23:16 +08:00
|
|
|
|
});
|
2014-02-13 15:01:39 +08:00
|
|
|
|
|
2012-09-19 19:56:20 +08:00
|
|
|
|
// 自定义白名单
|
2012-09-18 23:23:16 +08:00
|
|
|
|
it('#white list', function () {
|
|
|
|
|
|
|
|
|
|
|
|
// 过滤所有标签
|
2014-02-18 14:27:27 +08:00
|
|
|
|
assert.equal(xss('<a title="xx">bb</a>', {whiteList: {}}), '<a title="xx">bb</a>');
|
2012-09-19 19:56:20 +08:00
|
|
|
|
assert.equal(xss('<hr>', {whiteList: {}}), '<hr>');
|
2012-09-18 23:23:16 +08:00
|
|
|
|
// 增加白名单标签及属性
|
2012-09-19 19:56:20 +08:00
|
|
|
|
assert.equal(xss('<ooxx yy="ok" cc="no">uu</ooxx>', {whiteList: {ooxx: ['yy']}}), '<ooxx yy="ok">uu</ooxx>');
|
2012-09-18 23:23:16 +08:00
|
|
|
|
|
|
|
|
|
|
});
|
2012-09-19 19:56:20 +08:00
|
|
|
|
|
2012-09-19 09:04:23 +08:00
|
|
|
|
// XSS攻击测试:https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
|
|
|
|
|
it('#XSS_Filter_Evasion_Cheat_Sheet', function () {
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'),
|
|
|
|
|
|
'></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>');
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss(';!--"<XSS>=&{()}'), ';!--"<XSS>=&{()}');
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'),
|
|
|
|
|
|
'<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>');
|
|
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src>');
|
2012-09-19 09:04:23 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src>');
|
2012-09-19 09:04:23 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src>');
|
2012-09-19 10:12:10 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src>');
|
2012-09-19 10:12:10 +08:00
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'), '<img>');
|
|
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src>');
|
2012-09-19 10:12:10 +08:00
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
2014-02-18 14:35:50 +08:00
|
|
|
|
'<img src>');
|
2012-09-19 10:12:10 +08:00
|
|
|
|
|
2013-12-24 12:10:18 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
2014-02-18 14:35:50 +08:00
|
|
|
|
'<img src>');
|
2012-09-19 10:27:24 +08:00
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
2014-02-18 14:35:50 +08:00
|
|
|
|
'<img src>');
|
2012-09-19 10:27:24 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src>');
|
2012-09-19 10:27:24 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="jav	ascript:alert(\'XSS\');">'), '<img src>');
|
2012-09-19 10:44:26 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src>');
|
2012-09-19 10:44:26 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src>');
|
2012-09-19 10:44:26 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="  javascript:alert(\'XSS\');">'), '<img src>');
|
2012-09-19 10:44:26 +08:00
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'),
|
|
|
|
|
|
'<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>');
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'),
|
|
|
|
|
|
'<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert(\"XSS\")>');
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<<SCRIPT>alert("XSS");//<</SCRIPT>'),
|
|
|
|
|
|
'<<SCRIPT>alert(\"XSS\");//<</SCRIPT>');
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >'),
|
|
|
|
|
|
'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >');
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<SCRIPT SRC=//ha.ckers.org/.j'),
|
|
|
|
|
|
'<SCRIPT SRC=//ha.ckers.org/.j');
|
|
|
|
|
|
|
2012-09-19 11:10:16 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\')"'),
|
|
|
|
|
|
'<IMG SRC=\"javascript:alert(\'XSS\')"');
|
|
|
|
|
|
|
|
|
|
|
|
assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
|
|
|
|
|
|
'<iframe src=http://ha.ckers.org/scriptlet.html <');
|
|
|
|
|
|
|
2014-02-20 10:44:08 +08:00
|
|
|
|
// 过滤 javascript:
|
2013-05-27 10:54:02 +08:00
|
|
|
|
assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');
|
2014-02-20 10:27:16 +08:00
|
|
|
|
assert.equal(xss('<td background="url(\'javascript:alert(1)\')">', {whiteList: {td: ['background']}}), '<td background>');
|
2012-09-19 11:10:16 +08:00
|
|
|
|
|
2014-02-20 10:44:08 +08:00
|
|
|
|
// 过滤 style
|
|
|
|
|
|
assert.equal(xss('<DIV STYLE="width: \nexpression(alert(1));">', {whiteList: {div: ['style']}}), '<div style>');
|
|
|
|
|
|
// 不正常的url
|
|
|
|
|
|
assert.equal(xss('<DIV STYLE="background:\n url (javascript:ooxx);">', {whiteList: {div: ['style']}}), '<div style>');
|
|
|
|
|
|
assert.equal(xss('<DIV STYLE="background:url (javascript:ooxx);">', {whiteList: {div: ['style']}}), '<div style>');
|
|
|
|
|
|
// 正常的url
|
2015-05-05 22:50:56 +08:00
|
|
|
|
assert.equal(xss('<DIV STYLE="background: url (ooxx);">', {whiteList: {div: ['style']}}), '<div style="background:url (ooxx);">');
|
2014-02-20 10:44:08 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src>');
|
2012-09-19 11:10:16 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src>');
|
2012-09-19 11:10:16 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src>');
|
2012-09-19 11:10:16 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href>');
|
2012-09-19 11:10:16 +08:00
|
|
|
|
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<a href="javascript">'), '<a href>');
|
2013-12-24 13:13:28 +08:00
|
|
|
|
assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
|
2014-02-18 14:27:27 +08:00
|
|
|
|
assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
|
|
|
|
|
|
assert.equal(xss('<a href="http://aa.com">'), '<a href="http://aa.com">');
|
|
|
|
|
|
assert.equal(xss('<a href="https://aa.com">'), '<a href="https://aa.com">');
|
2014-11-28 15:23:14 +08:00
|
|
|
|
assert.equal(xss('<a href="mailto:me@ucdok.com">'), '<a href="mailto:me@ucdok.com">');
|
|
|
|
|
|
assert.equal(xss('<a href="other">'), '<a href>');
|
2013-12-24 13:13:28 +08:00
|
|
|
|
|
2012-09-19 11:10:16 +08:00
|
|
|
|
// 这个暂时不知道怎么处理
|
|
|
|
|
|
//assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');
|
|
|
|
|
|
|
2014-04-03 11:47:21 +08:00
|
|
|
|
assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]--> END', {allowCommentTag: true}),
|
|
|
|
|
|
'<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]--> END');
|
|
|
|
|
|
assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]--> END'), ' END');
|
2012-09-19 11:10:16 +08:00
|
|
|
|
|
2013-12-24 12:23:47 +08:00
|
|
|
|
// HTML5新增实体编码 冒号: 换行

|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<a href="javascript:alert(/xss/)">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="a
b">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="a&NewLineb">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="javasc
ript:alert(1)">'), '<a href>');
|
2013-12-24 13:38:57 +08:00
|
|
|
|
|
2014-02-18 14:27:27 +08:00
|
|
|
|
// data URI 协议过滤
|
2014-02-18 14:35:50 +08:00
|
|
|
|
assert.equal(xss('<a href="data:">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="d a t a : ">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="data: html/text;">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="data:html/text;">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="data:html /text;">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<a href="data: image/text;">'), '<a href>');
|
|
|
|
|
|
assert.equal(xss('<img src="data: aaa/text;">'), '<img src>');
|
|
|
|
|
|
assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src>');
|
2013-12-24 13:38:57 +08:00
|
|
|
|
|
2014-09-12 12:23:36 +08:00
|
|
|
|
// HTML备注处理
|
|
|
|
|
|
assert.equal(xss('<!-- -->', {allowCommentTag: false}), '');
|
|
|
|
|
|
assert.equal(xss('<!-- a -->', {allowCommentTag: false}), '');
|
|
|
|
|
|
assert.equal(xss('<!--sa -->ss', {allowCommentTag: false}), 'ss');
|
|
|
|
|
|
assert.equal(xss('<!-- ', {allowCommentTag: false}), '<!-- ');
|
|
|
|
|
|
|
2012-09-19 09:04:23 +08:00
|
|
|
|
});
|
|
|
|
|
|
|
2012-09-18 23:23:16 +08:00
|
|
|
|
});
|
