Don't add nofollow for matching hosts, generalize this code.
[htmlpurifier.git] / smoketests / variableWidthAttack.php
blobf3b6e821423aed4cb95a4e3a12f901837164a097
1 <?php
3 require_once 'common.php';
5 echo '<?xml version="1.0" encoding="UTF-8" ?>';
6 ?><!DOCTYPE html
7 PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
8 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
9 <html>
10 <head>
11 <title>HTML Purifier Variable Width Attack Smoketest</title>
12 <meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
13 </head>
14 <body>
15 <h1>HTML Purifier Variable Width Attack Smoketest</h1>
16 <p>For more information, see
17 <a href="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su's
18 original advisory.</a> This particular exploit code appears only to work
19 in Internet Explorer, if it works at all.</p>
20 <h2>Test</h2>
21 <?php
23 $purifier = new HTMLPurifier();
26 <table>
27 <thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
28 <tbody>
29 <?php
31 for ($i = 0; $i < 256; $i++) {
32 $c = chr($i);
33 $html = '<img src="" alt="X' . $c . '"';
34 $html .= '>A"'; // in our out the attribute? ;-)
35 $html .= "onerror=alert('$i')>O";
36 $pure_html = $purifier->purify($html);
38 <tr>
39 <td><?php echo $i; ?></td>
40 <td style="font-size:8pt;"><?php echo escapeHTML($html); ?></td>
41 <td style="font-size:8pt;"><?php echo escapeHTML($pure_html); ?></td>
42 <td><?php echo $pure_html; ?></td>
43 </tr>
44 <?php } ?>
45 </tbody>
46 </table>
48 <h2>Analysis</h2>
50 <p>By making sure that UTF-8 is well formed and non-SGML codepoints are
51 removed, as well as escaping quotes outside of tags, this is a non-threat.</p>
53 </body>
54 </html>
55 <?php
57 // vim: et sw=4 sts=4