parent
e40da8b1a6
commit
f2628a0bf3
1 changed files with 44 additions and 0 deletions
44
js/test.js
44
js/test.js
|
@ -1442,6 +1442,50 @@ describe('PasteViewer', function () {
|
|||
return results.every(element => element);
|
||||
}
|
||||
);
|
||||
|
||||
jsc.property(
|
||||
'sanitizes XSS',
|
||||
jsc.elements(['plaintext', 'markdown', 'syntaxhighlighting']),
|
||||
'string',
|
||||
// https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
|
||||
jsc.elements([
|
||||
'<PLAINTEXT>',
|
||||
'\';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";',
|
||||
'alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//--',
|
||||
'></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
|
||||
'\'\';!--"<XSS>=&{()}',
|
||||
'<SCRIPT SRC=http://example.com/xss.js></SCRIPT>',
|
||||
'\'">><marquee><img src=x onerror=confirm(1)></marquee>"></plaintext\\></|\\><plaintext/onmouseover=prompt(1)><script>prompt(1)</script>@gmail.com<isindex formaction=javascript:alert(/XSS/) type=submit>\'-->"></script><script>alert(document.cookie)</script>"><img/id="confirm(1)"/alt="/"src="/"onerror=eval(id)>\'">',
|
||||
'<IMG SRC="javascript:alert(\'XSS\');">',
|
||||
'<IMG SRC=javascript:alert(\'XSS\')>',
|
||||
'<IMG SRC=JaVaScRiPt:alert(\'XSS\')>',
|
||||
'<IMG SRC=javascript:alert("XSS")>',
|
||||
'<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
|
||||
'<a onmouseover="alert(document.cookie)">xxs link</a>',
|
||||
'<a onmouseover=alert(document.cookie)>xxs link</a>',
|
||||
'<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
|
||||
'<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>'
|
||||
// the list goes on…
|
||||
]),
|
||||
'string',
|
||||
function (format, prefix, xss, suffix) {
|
||||
var clean = jsdom(),
|
||||
text = prefix + xss + suffix;
|
||||
$('body').html(
|
||||
'<div id="placeholder" class="hidden">+++ no paste text ' +
|
||||
'+++</div><div id="prettymessage" class="hidden"><pre ' +
|
||||
'id="prettyprint" class="prettyprint linenums:1"></pre>' +
|
||||
'</div><div id="plaintext" class="hidden"></div>'
|
||||
);
|
||||
$.PrivateBin.PasteViewer.init();
|
||||
$.PrivateBin.PasteViewer.setFormat(format);
|
||||
$.PrivateBin.PasteViewer.setText(text);
|
||||
$.PrivateBin.PasteViewer.run();
|
||||
var result = $('body').html().indexOf(xss) !== -1;
|
||||
clean();
|
||||
return result;
|
||||
}
|
||||
);
|
||||
});
|
||||
});
|
||||
|
||||
|
|
Loading…
Reference in a new issue