author | thomascube <thomas@roundcube.net> | 2009-03-02 14:46:12 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2009-03-02 14:46:12 +0000 |
commit | 63d4b1217216f3d04894090026ed3f01aba9b385 (patch) | |
tree | f951e8fa1431f6dd27e255685b64628e3c49f271 /tests/modcss.php | |
parent | f54a3a6d41e5700c45120091a57f2c73b804ae25 (diff) |
Create some basic unit tests based in simpletest.org
Diffstat (limited to 'tests/modcss.php')
-rw-r--r-- | tests/modcss.php | 45 |
1 files changed, 45 insertions, 0 deletions
diff --git a/tests/modcss.php b/tests/modcss.php
new file mode 100644
index 000000000..f9271ff65
--- /dev/null
+++ b/tests/modcss.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ * Test class to test rcmail_mod_css_styles and XSS vulnerabilites
+ *
+ * @package Tests
+ */
+class rcube_test_modcss extends UnitTestCase
+{
+
+ function __construct()
+ {
+ $this->UnitTestCase('CSS modification and vulnerability tests');
+ }
+
+ function test_modcss()
+ {
+ $css = file_get_contents(TESTS_DIR . 'src/valid.css');
+ $mod = rcmail_mod_css_styles($css, 'rcmbody');
+
+ $this->assertPattern('/#rcmbody div.rcmBody\s+\{/', $mod, "Replace body style definition");
+ $this->assertPattern('/#rcmbody h1\s\{/', $mod, "Prefix tag styles (single)");
+ $this->assertPattern('/#rcmbody h1, #rcmbody h2, #rcmbody h3, #rcmbody textarea\s+\{/', $mod, "Prefix tag styles (multiple)");
+ $this->assertPattern('/#rcmbody \.noscript\s+\{/', $mod, "Prefix class styles");
+ }
+
+ function test_xss()
+ {
+ $mod = rcmail_mod_css_styles("body.main2cols { background-image: url('../images/leftcol.png'); }", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "No url() values allowed");
+
+ $mod = rcmail_mod_css_styles("@import url('http://localhost/somestuff/css/master.css');", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "No import statements");
+
+ $mod = rcmail_mod_css_styles("left:expression(document.body.offsetWidth-20)", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "No expression properties");
+
+ $mod = rcmail_mod_css_styles("left:exp/* */ression( alert('xss3') )", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks");
+
+ $mod = rcmail_mod_css_styles("background:\\0075\\0072\\006c( javascript:alert('xss') )", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks (2)");
+ }
+
+}
\ No newline at end of file |
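Review bot: test_xss pins each dangerous construct in exactly one spelling, so several obvious evasions of a CSS sanitizer would go unnoticed by this suite: the string form of `@import 'http://…';` (no url() wrapper, so the url() ban does not apply), an upper-case `EXPRESSION(` keyword, and a hex escape on the expression keyword itself such as `\65xpression(` — the existing "encoding quirks" cases only cover a comment split inside `expression` and a hex-escaped `url`. Whether rcmail_mod_css_styles already rejects these cannot be told from the test file alone, which is exactly why they belong here as additional assertEqual cases against `"/* evil! */"`. Two smaller points: test_modcss passes the unchecked result of file_get_contents straight into the sanitizer, so a missing `src/valid.css` would be reported as a pattern mismatch rather than a fixture error, and the class docblock should read `vulnerabilities`.
```php
    // … unchanged: existing url(), @import url(), expression and encoding-quirk cases …
    $mod = rcmail_mod_css_styles("@import 'http://localhost/somestuff/css/master.css';", 'rcmbody');
    $this->assertEqual("/* evil! */", $mod, "No import statements (string form, no url())");

    $mod = rcmail_mod_css_styles("left:EXPRESSION(alert('xss'))", 'rcmbody');
    $this->assertEqual("/* evil! */", $mod, "Keyword match must be case-insensitive");

    $mod = rcmail_mod_css_styles("left:\\65xpression(alert('xss'))", 'rcmbody');
    $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks (3): hex-escaped expression");
```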