3 require_once 'common.php';
6 PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
7 "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
10 <title
>HTMLPurifier Variable Width Attack Smoketest
</title
>
11 <meta http
-equiv
="Content-Type" content
="text/html; charset=UTF-8" />
14 <h1
>HTMLPurifier Variable Width Attack Smoketest
</h1
>
15 <p
>For more information
, see
16 <a href
="http://applesoup.googlepages.com/bypass_filter.txt">Cheng Peng Su
's
17 original advisory.</a> This particular exploit code appears only to work
18 in Internet Explorer, if it works at all.</p>
22 $purifier = new HTMLPurifier();
26 <thead><tr><th>ASCII</th><th width="30%">Raw</th><th>Output</th><th>Render</th></tr></thead>
30 for ($i = 0; $i < 256; $i++) {
32 $html = '<img src
="" alt
="X' . $c . '"';
33 $html .= '>A
"'; // in our out the attribute? ;-)
34 $html .= "onerror
=alert('$i')>O
";
35 $pure_html = $purifier->purify($html);
38 <td><?php echo $i; ?></td>
39 <td style="font
-size
:8pt
;"><?php echo escapeHTML($html); ?></td>
40 <td style="font
-size
:8pt
;"><?php echo escapeHTML($pure_html); ?></td>
41 <td><?php echo $pure_html; ?></td>
49 <p>By making sure that UTF-8 is well formed and non-SGML codepoints are
50 removed, as well as escaping quotes outside of tags, this is a non-threat.</p>