From af0de616ae1b4cade8cb4bfa43fc71e75d383562 Mon Sep 17 00:00:00 2001
From: "Edward Z. Yang" <edwardzyang@thewritingpot.com>
Date: Thu, 17 Aug 2006 23:36:35 +0000
Subject: [PATCH] Add a variableWidthAttack smoketest, and add analysis to some
 smoketests.

git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@294 48356398-32a2-884e-a903-53898d9a118a
---
 smoketests/utf8.php                | 12 +++++-
 smoketests/variableWidthAttack.php | 62 ++++++++++++++++++++++++++++++
 smoketests/xssAttacks.php          | 13 +++++--
 3 files changed, 83 insertions(+), 4 deletions(-)
 create mode 100644 smoketests/variableWidthAttack.php

diff --git a/smoketests/utf8.php b/smoketests/utf8.php
index 1b43f368..09b3d7af 100644
--- a/smoketests/utf8.php
+++ b/smoketests/utf8.php
@@ -1,4 +1,9 @@
-<!DOCTYPE html 
+<?php
+
+// there must not be a byte order mark
+header('Content-type: text/html; charset=UTF-8');
+
+?><!DOCTYPE html 
      PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html>
@@ -27,5 +32,10 @@ $string = '
 <?php echo $string; ?>
 <h2>Purified</h2>
 <?php echo $purifier->purify($string); ?>
+<h2>Analysis</h2>
+<p>The content in <strong>Raw</strong> should be equivalent to the content
+in <strong>Purified</strong>.  If <strong>Purified</strong> is mangled, there
+is likely trouble a-brewing in the library. If
+both are mangled, check to see that this file was not corrupted.</p>
 </body>
 </html>
\ No newline at end of file
diff --git a/smoketests/variableWidthAttack.php b/smoketests/variableWidthAttack.php
new file mode 100644
index 00000000..c9bbcb1e
--- /dev/null
+++ b/smoketests/variableWidthAttack.php
@@ -0,0 +1,62 @@
+<?php
+
+header('Content-type: text/html; charset=UTF-8');
+
+?><!DOCTYPE html 
+     PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
+     "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
+<html>
+<head>
+<title>HTMLPurifier Variable Width Attack Smoketest</title>
+<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+</head>
+<body>
+<h1>HTMLPurifier Variable Width Attack Smoketest</h1>
+<p>For more information, see
+<a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
+original advisory.</a>  This particular exploit code appears only to work
+in Internet Explorer, if it works at all.</p>
+<h2>Test</h2>
+<?php
+
+set_include_path('../library' . PATH_SEPARATOR . get_include_path());
+require_once 'HTMLPurifier.php';
+$purifier = new HTMLPurifier();
+
+function escape($string) {
+    $string = htmlspecialchars($string, ENT_COMPAT, 'UTF-8');
+    $string = iconv('UTF-8', 'UTF-8//IGNORE', $string);
+    return $string;
+}
+
+?>
+<table>
+<thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
+<tbody>
+<?php
+
+for ($i = 0; $i < 256; $i++) {
+    $c = chr($i);
+    $html = '<img src="" alt="X' . $c . '"';
+    $html .= '>A"'; // in our out the attribute? ;-)
+    $html .= "onerror=alert('$i')>O";
+    $pure_html = $purifier->purify($html);
+?>
+<tr>
+    <td><?php echo $i; ?></td>
+    <td style="font-size:8pt;"><?php echo escape($html); ?></td>
+    <td style="font-size:8pt;"><?php echo escape($pure_html); ?></td>
+    <td><?php echo $pure_html; ?></td>
+</tr>
+<?php } ?>
+</tbody>
+</table>
+
+<h2>Analysis</h2>
+
+<p>This test currently passes the XSS aspect but fails the validation aspect
+due to generalized encoding issues.  An augmented UTF-8 smoketest is 
+pending, until then, consider this a pass.</p>
+
+</body>
+</html>
\ No newline at end of file
diff --git a/smoketests/xssAttacks.php b/smoketests/xssAttacks.php
index 5b0e2605..bd6800a6 100644
--- a/smoketests/xssAttacks.php
+++ b/smoketests/xssAttacks.php
@@ -1,10 +1,14 @@
-<!DOCTYPE html 
+<?php
+
+header('Content-type: text/html; charset=UTF-8');
+
+?><!DOCTYPE html 
      PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
      "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
 <html>
 <head>
-<title>HTMLPurifier XSS Attacks Smoketest</title>
-<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
+    <title>HTMLPurifier XSS Attacks Smoketest</title>
+    <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
 </head>
 <body>
 <h1>HTMLPurifier XSS Attacks Smoketest</h1>
@@ -13,6 +17,8 @@
 <p>The last segment of tests regarding blacklisted websites is not
 applicable at the moment, but when we add that functionality they'll be
 relevant.</p>
+<p>Most of the XSS broadcasts its presence by spawning an alert dialogue.</p>
+<h2>Test</h2>
 <?php
 
 if (version_compare(PHP_VERSION, '5', '<')) exit('<p>Requires PHP 5.</p>');
@@ -24,6 +30,7 @@ $xml = simplexml_load_file('xssAttacks.xml');
 $purifier = new HTMLPurifier();
 
 ?>
+<!-- form is used so that we can use textareas and stay valid -->
 <form method="post" action="xssAttacks.php">
 <table>
 <thead><tr><th>Name</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>