2 /*********************************************************************************
3 * SugarCRM Community Edition is a customer relationship management program developed by
4 * SugarCRM, Inc. Copyright (C) 2004-2013 SugarCRM Inc.
6 * This program is free software; you can redistribute it and/or modify it under
7 * the terms of the GNU Affero General Public License version 3 as published by the
8 * Free Software Foundation with the addition of the following permission added
9 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
10 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
11 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
13 * This program is distributed in the hope that it will be useful, but WITHOUT
14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
15 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
18 * You should have received a copy of the GNU Affero General Public License along with
19 * this program; if not, see http://www.gnu.org/licenses or write to the Free
20 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
24 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
26 * The interactive user interfaces in modified source and object code versions
27 * of this program must display Appropriate Legal Notices, as required under
28 * Section 5 of the GNU Affero General Public License version 3.
30 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
31 * these Appropriate Legal Notices must retain the display of the "Powered by
32 * SugarCRM" logo. If the display of the logo is not reasonably feasible for
33 * technical reasons, the Appropriate Legal Notices must display the words
34 * "Powered by SugarCRM".
35 ********************************************************************************/
38 require_once 'include/utils.php';
40 class XssTest extends Sugar_PHPUnit_Framework_TestCase
47 protected $html_allow_objects = null;
49 public function setUp()
52 if(isset($sugar_config['email_xss']))
54 $this->email_xss = $sugar_config['email_xss'];
55 $sugar_config['email_xss'] = '';
57 if(isset($GLOBALS['sugar_config']['html_allow_objects'])) {
58 $this->html_allow_objects = $GLOBALS['sugar_config']['html_allow_objects'];
60 $GLOBALS['sugar_config']['html_allow_objects'] = true;
61 SugarCleaner::$instance = null;
64 public function tearDown()
66 $GLOBALS['sugar_config']['html_allow_objects'] = $this->html_allow_objects;
67 if(!empty($this->email_xss))
70 $sugar_config['email_xss'] = $this->email_xss;
74 public function xssData()
78 array("some data", "some data"),
80 array("test <a href=\"http://www.digitalbrandexpressions.com\">link</a>", "test <a href=\"http://www.digitalbrandexpressions.com\">link</a>"),
82 array("some data<script>alert('xss!')</script>", "some data"),
84 array("some data<script src=\" http://localhost/xss.js\"></script> and more", "some data and more"),
86 array("some data<applet> and </applet>more <script src=\" http://localhost/xss.js\"></script>data", "some data and more data"),
88 array('some data before<img alt="<script>" src="http://www.symbolset.org/images/peace-sign-2.jpg"; onload="alert(35)" width="1" height="1"/>some data after',
89 'some data before<img alt="<script>" src="http://www.symbolset.org/images/peace-sign-2.jpg" width="1" height="1" />some data after'),
91 array('some data before<img src="http://www.symbolset.org/images/peace-sign-2.jpg"; onload="alert(35)" width="1" height="1"/>some data after',
92 'some data before<img src="http://www.symbolset.org/images/peace-sign-2.jpg" width="1" height="1" alt="peace-sign-2.jpg" />some data after'),
94 array('some data before<img src="http://www.symbolset.org/images/peace-sign-2.jpg"; width="1" height="1"/>some data after',
95 'some data before<img src="http://www.symbolset.org/images/peace-sign-2.jpg" width="1" height="1" alt="peace-sign-2.jpg" />some data after'),
97 array('<div style="font-family:Calibri;">Roger Smith</div>', '<div style="font-family:Calibri;">Roger Smith</div>'),
98 array('some data before<img onmouseover onload onmouseover=\'alert(8)\' src="http://www.docspopuli.org/images/Symbol.jpg";\'/>some data after',
99 'some data before<img src="http://www.docspopuli.org/images/Symbol.jpg" alt="Symbol.jpg" />some data after'),
101 array('<xmp>some data</xmp>', '<pre>some data</pre>'),
103 array('<object width="425" height="350"><param name="movie" value="http://www.youtube.com/watch?v=dQw4w9WgXcQ" /><param name="wmode" value="transparent" /><embed src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350" /></object>',
104 '<object width="425" height="350" data="http://www.youtube.com/watch?v=dQw4w9WgXcQ" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/watch?v=dQw4w9WgXcQ" /><param name="wmode" value="transparent" /><embed src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350" allowscriptaccess="never" allownetworking="internal" /></object>'),
105 // another youtube video
106 array('<iframe width="420" height="315" src="http://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allowfullscreen>My Frame</iframe>',
107 '<iframe width="420" height="315" src="http://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0">My Frame</iframe>'),
108 // stuff inside iframe
109 array('<iframe width="420" height="315" src="http://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allowfullscreen>My <script>alert(\'xss!\')</script>Frame</iframe>',
110 '<iframe width="420" height="315" src="http://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0">My Frame</iframe>'),
112 array("<body><head><title>My Page</title></head><html>My Content</html></body>", "My Content"),
114 array('<link rel="stylesheet" type="text/css" href="styles/plain.css" />',
115 '<link rel="stylesheet" type="text/css" href="styles/plain.css" />'
118 array('в чащах юга жил-был <img src="http://images.com/fikus.jpg" alt="фикус"> - דג סקרן שט בים מאוכזב ולפתע מצא חברה',
119 'в чащах юга жил-был <img src="http://images.com/fikus.jpg" alt="фикус" /> - דג סקרן שט בים מאוכזב ולפתע מצא חברה')
123 protected function clean($str)
125 return SugarCleaner::cleanHtml($str, false);
128 * @dataProvider xssData
130 public function testXssFilter($before, $after)
132 $this->assertEquals($after, $this->clean($before));
136 * @dataProvider xssData
138 public function testXssFilterBean($before, $after)
140 $bean = new EmailTemplate();
141 $bean->body_html = to_html($before);
143 $this->assertEquals(to_html($after), $bean->body_html);