235 lines
9.5 KiB
JavaScript
235 lines
9.5 KiB
JavaScript
/**
|
||
* 测试XSS
|
||
*/
|
||
|
||
var assert = require('assert');
|
||
var xss = require('../');
|
||
|
||
|
||
describe('test XSS', function () {
|
||
|
||
it('#normal', function () {
|
||
|
||
// 过滤不在白名单的标签
|
||
assert.equal(xss('<b>abcd</b>'), '<b>abcd</b>');
|
||
assert.equal(xss('<o>abcd</o>'), '<o>abcd</o>');
|
||
assert.equal(xss('<b>abcd</o>'), '<b>abcd</o>');
|
||
assert.equal(xss('<b><o>abcd</b></o>'), '<b><o>abcd</b></o>');
|
||
assert.equal(xss('<hr>'), '<hr>');
|
||
assert.equal(xss('<xss>'), '<xss>');
|
||
assert.equal(xss('<xss o="x">'), '<xss o="x">');
|
||
assert.equal(xss('<a><b>c</b></a>'), '<a><b>c</b></a>');
|
||
assert.equal(xss('<a><c>b</c></a>'), '<a><c>b</c></a>');
|
||
|
||
// 过滤不是标签的<>
|
||
assert.equal(xss('<>>'), '<>>');
|
||
assert.equal(xss('<script>'), '<script>');
|
||
assert.equal(xss('<<a>b>'), '<<a>b>');
|
||
assert.equal(xss('<<<a>>b</a><x>'), '<<<a>>b</a><x>');
|
||
|
||
// 过滤不在白名单中的属性
|
||
assert.equal(xss('<a oo="1" xx="2" href="3">yy</a>'), '<a href="3">yy</a>');
|
||
assert.equal(xss('<a href xx oo>pp</a>'), '<a href>pp</a>');
|
||
assert.equal(xss('<a href "">pp</a>'), '<a href>pp</a>');
|
||
assert.equal(xss('<a t="">'), '<a>');
|
||
|
||
// 属性内的特殊字符
|
||
assert.equal(xss('<a href="\'<<>>">'), '<a href="\'<<>>">');
|
||
assert.equal(xss('<a href=""">'), '<a href=\"\"\">');
|
||
assert.equal(xss('<a h=href="oo">'), '<a>');
|
||
assert.equal(xss('<a h= href="oo">'), '<a href="oo">');
|
||
|
||
// 自动将属性值的单引号转为双引号
|
||
assert.equal(xss('<a href=\'abcd\'>'), '<a href="abcd">');
|
||
assert.equal(xss('<a href=\'"\'>'), '<a href=""e;">');
|
||
|
||
// 没有双引号括起来的属性值
|
||
assert.equal(xss('<a href=home>'), '<a href="home">');
|
||
assert.equal(xss('<a href=abc("d")>'), '<a href="abc("e;d"e;)">');
|
||
assert.equal(xss('<a href=abc(\'d\')>'), '<a href="abc(\'d\')">');
|
||
|
||
// 单个闭合标签
|
||
assert.equal(xss('<img src="#"/>'), '<img src="#" />');
|
||
assert.equal(xss('<img src="#" />'), '<img src="#" />');
|
||
assert.equal(xss('<img src="#"//>'), '<img src="#" />');
|
||
assert.equal(xss('<br/>'), '<br />');
|
||
assert.equal(xss('<br />'), '<br />');
|
||
|
||
});
|
||
return;
|
||
// 自定义白名单
|
||
it('#white list', function () {
|
||
|
||
// 过滤所有标签
|
||
assert.equal(xss('<a href="xx">bb</a>', {whiteList: {}}), '<a href="xx">bb</a>');
|
||
assert.equal(xss('<hr>', {whiteList: {}}), '<hr>');
|
||
// 增加白名单标签及属性
|
||
assert.equal(xss('<ooxx yy="ok" cc="no">uu</ooxx>', {whiteList: {ooxx: ['yy']}}), '<ooxx yy="ok">uu</ooxx>');
|
||
|
||
});
|
||
|
||
// 自定义过滤属性函数
|
||
it('#process attribute value', function () {
|
||
|
||
assert.equal(xss('<a href="ignore:ooxx">abc</a><a href="ooxx">', {
|
||
onTagAttr: function (tag, attr, value) {
|
||
if (tag === 'a' && attr === 'href') {
|
||
if (value.substr(0, 7) === 'ignore:') {
|
||
return '#';
|
||
}
|
||
}
|
||
}
|
||
}), '<a href="#">abc</a><a href="ooxx">');
|
||
|
||
});
|
||
|
||
// 自定义处理不在白名单中的标签
|
||
it('#process ignore tag', function () {
|
||
|
||
// 过滤标签
|
||
assert.equal(xss('<ooxx xxyy>ookk</ooxx><img>', {
|
||
onIgnoreTag: function (tag, html) {
|
||
return '';
|
||
}
|
||
}), 'ookk<img>');
|
||
assert.equal(xss('<ooxx xxyy>ookk</ooxx><img>', {
|
||
onIgnoreTag: function (tag, html) {
|
||
return '[removed]';
|
||
}
|
||
}), '[removed]ookk[removed]<img>');
|
||
|
||
// 检验附加属性
|
||
var isClosing = [];
|
||
var position = [];
|
||
var originalPosition = [];
|
||
var html = xss('TTG:<ooxx href="ooy" >ds</ooxx>--ds d<yy hh uu>', {
|
||
onIgnoreTag: function (tag, html, options) {
|
||
isClosing.push(options.isClosing);
|
||
position.push(options.position);
|
||
originalPosition.push(options.originalPosition);
|
||
}
|
||
});
|
||
//console.log(html);
|
||
assert.deepEqual(isClosing, [false, true, false]);
|
||
assert.deepEqual(position, [4, 30, 50]);
|
||
assert.deepEqual(originalPosition, [4, 24, 38]);
|
||
|
||
// 替换检验 utils.tagFilter()
|
||
var filter = xss.utils.tagFilter(['script']);
|
||
var html = xss('<b >script is <script t="d">alert("xss"); ooxx()</script>, wahaha!!</b>', {
|
||
onIgnoreTag: filter.onIgnoreTag
|
||
});
|
||
assert.equal(filter.filter(html), '<b>script is , wahaha!!</b>');
|
||
|
||
var filter = xss.utils.tagFilter(['x2']);
|
||
var html = xss('<x1></b><x2>dds</x2><x3>fd</x3>', {
|
||
onIgnoreTag: filter.onIgnoreTag
|
||
});
|
||
assert.equal(filter.filter(html), '<x1></b><x3>fd</x3>');
|
||
|
||
});
|
||
|
||
|
||
// XSS攻击测试:https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||
it('#XSS_Filter_Evasion_Cheat_Sheet', function () {
|
||
|
||
assert.equal(xss('></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>'),
|
||
'></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>');
|
||
|
||
assert.equal(xss(';!--"<XSS>=&{()}'), ';!--"<XSS>=&{()}');
|
||
|
||
assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>'),
|
||
'<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>');
|
||
|
||
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\');">'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC=javascript:alert(\'XSS\')>'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">'), '<img>');
|
||
|
||
assert.equal(xss('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
||
'<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
||
'<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC=javascript:alert('XSS')>'),
|
||
'<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC="jav ascript:alert(\'XSS\');">'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC="jav	ascript:alert(\'XSS\');">'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC="jav\nascript:alert(\'XSS\');">'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC=java\0script:alert(\"XSS\")>'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC="  javascript:alert(\'XSS\');">'), '<img src="#">');
|
||
|
||
assert.equal(xss('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>'),
|
||
'<SCRIPT/XSS SRC=\"http://ha.ckers.org/xss.js\"></SCRIPT>');
|
||
|
||
assert.equal(xss('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>'),
|
||
'<BODY onload!#$%&()*~+-_.,:;?@[/|]^`=alert(\"XSS\")>');
|
||
|
||
assert.equal(xss('<<SCRIPT>alert("XSS");//<</SCRIPT>'),
|
||
'<<SCRIPT>alert(\"XSS\");//<</SCRIPT>');
|
||
|
||
assert.equal(xss('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >'),
|
||
'<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >');
|
||
|
||
assert.equal(xss('<SCRIPT SRC=//ha.ckers.org/.j'),
|
||
'<SCRIPT SRC=//ha.ckers.org/.j');
|
||
|
||
assert.equal(xss('<IMG SRC="javascript:alert(\'XSS\')"'),
|
||
'<IMG SRC=\"javascript:alert(\'XSS\')"');
|
||
|
||
assert.equal(xss('<iframe src=http://ha.ckers.org/scriptlet.html <'),
|
||
'<iframe src=http://ha.ckers.org/scriptlet.html <');
|
||
|
||
assert.equal(xss('<a style="url(\'javascript:alert(1)\')">', {whiteList: {a: ['style']}}), '<a style>');
|
||
|
||
assert.equal(xss('<IMG SRC=\'vbscript:msgbox("XSS")\'>'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC="livescript:[code]">'), '<img src="#">');
|
||
|
||
assert.equal(xss('<IMG SRC="mocha:[code]">'), '<img src="#">');
|
||
|
||
assert.equal(xss('<a href="javas/**/cript:alert(\'XSS\');">'), '<a href="#">');
|
||
|
||
assert.equal(xss('<a href="javascript">'), '<a href="javascript">');
|
||
assert.equal(xss('<a href="/javascript/a">'), '<a href="/javascript/a">');
|
||
|
||
// 这个暂时不知道怎么处理
|
||
//assert.equal(xss('¼script¾alert(¢XSS¢)¼/script¾'), '');
|
||
|
||
assert.equal(xss('<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]-->'),
|
||
'<!--[if gte IE 4]><SCRIPT>alert(\'XSS\');</SCRIPT><![endif]-->');
|
||
|
||
// HTML5新增实体编码 冒号: 换行

|
||
assert.equal(xss('<a href="javascript:alert(/xss/)">'), '<a href="#">');
|
||
assert.equal(xss('<a href="javascript&colonalert(/xss/)">'), '<a href="#">');
|
||
assert.equal(xss('<a href="a
b">'), '<a href="a b">');
|
||
assert.equal(xss('<a href="a&NewLineb">'), '<a href="a b">');
|
||
assert.equal(xss('<a href="javasc
ript:alert(1)">'), '<a href="#">');
|
||
|
||
// data URI 协议过滤,只允许 data: image/*
|
||
assert.equal(xss('<a href="data:">'), '<a href="#">');
|
||
assert.equal(xss('<a href="d a t a : ">'), '<a href="#">');
|
||
assert.equal(xss('<a href="data: html/text;">'), '<a href="#">');
|
||
assert.equal(xss('<a href="data:html/text;">'), '<a href="#">');
|
||
assert.equal(xss('<a href="data:html /text;">'), '<a href="#">');
|
||
assert.equal(xss('<a href="data: image/text;">'), '<a href="data: image/text;">');
|
||
assert.equal(xss('<img src="data: aaa/text;">'), '<img src="#">');
|
||
assert.equal(xss('<img src="data:image/png; base64; ofdkofiodiofl">'), '<img src="data:image/png; base64; ofdkofiodiofl">');
|
||
|
||
});
|
||
|
||
});
|