diff options
author | thomascube <thomas@roundcube.net> | 2009-03-02 17:34:18 +0000 |
---|---|---|
committer | thomascube <thomas@roundcube.net> | 2009-03-02 17:34:18 +0000 |
commit | 11526305f506245af55e8ae7ea31faec49dfd98d (patch) | |
tree | c07328bd6bb8a07e677e97ccbe82e751b638c083 /tests | |
parent | 63d4b1217216f3d04894090026ed3f01aba9b385 (diff) |
Revert r2322; this is done in rcmail_html4inline() and now secured + fix tests
Diffstat (limited to 'tests')
-rw-r--r-- | tests/mailfunc.php | 13 | ||||
-rw-r--r-- | tests/src/htmlxss.txt | 2 |
2 files changed, 10 insertions, 5 deletions
diff --git a/tests/mailfunc.php b/tests/mailfunc.php index bf9163b7d..8fd2cd3d5 100644 --- a/tests/mailfunc.php +++ b/tests/mailfunc.php @@ -19,6 +19,8 @@ class rcube_test_mailfunc extends UnitTestCase $IMAP = $RCMAIL->imap; require_once 'steps/mail/func.inc'; + + $GLOBALS['EMAIL_ADDRESS_PATTERN'] = $EMAIL_ADDRESS_PATTERN; } /** @@ -43,7 +45,7 @@ class rcube_test_mailfunc extends UnitTestCase $part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg'); // render HTML in normal mode - $html = rcmail_print_body($part, array('safe' => false)); + $html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo'); $this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image"); $this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image"); @@ -71,10 +73,13 @@ class rcube_test_mailfunc extends UnitTestCase { $part = $this->get_html_part('src/htmlxss.txt'); $washed = rcmail_print_body($part, array('safe' => true)); - + $this->assertNoPattern('/src="skins/', $washed, "Remove local references"); - $this->assertNoPattern('/\son[a-z]+/', $wahsed, "Remove on* attributes"); - $this->assertNoPattern('/alert/', $wahsed, "Remove alerts"); + $this->assertNoPattern('/\son[a-z]+/', $washed, "Remove on* attributes"); + + $html = rcmail_html4inline($washed, 'foo'); + $this->assertNoPattern('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links"); + $this->assertNoPattern('/alert/', $html, "Remove alerts"); } /** diff --git a/tests/src/htmlxss.txt b/tests/src/htmlxss.txt index 60ceb944e..f6c43e353 100644 --- a/tests/src/htmlxss.txt +++ b/tests/src/htmlxss.txt @@ -3,7 +3,7 @@ <p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p> -<p><a href="javascript:alert(document.cookie)">mail me!</a> +<p><a href="mailto:xss@somehost.net') && alert(document.cookie) || ignore('">mail me!</a> <a href="http://roundcube.net" target="_self">roundcube.net</a> <a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a> |