diff options
Diffstat (limited to 'tests/src')
| -rw-r--r-- | tests/src/BID-26800.txt | 52 | ||||
| -rw-r--r-- | tests/src/htmlbody.txt | 50 | ||||
| -rw-r--r-- | tests/src/htmlxss.txt | 22 | ||||
| -rw-r--r-- | tests/src/plainbody.txt | 37 | ||||
| -rw-r--r-- | tests/src/valid.css | 30 |
5 files changed, 191 insertions, 0 deletions
diff --git a/tests/src/BID-26800.txt b/tests/src/BID-26800.txt new file mode 100644 index 000000000..513516c09 --- /dev/null +++ b/tests/src/BID-26800.txt @@ -0,0 +1,52 @@ +<html> +<head> +</head> +<body> +<h1>1 test</h1> +<p><style> block</p> +<style>input { left:expression( alert('expression!') ) }</style> +<style>div { background:url(alert('URL!') ) }</style> + +<h1>2 test</h1> +<p><div> block</p> +<div style="font-style:italic">valid css</div> +<div style="{ left:expression( alert('expression!') ) }"> +<div style="{ background:url( alert('URL!') ) }"> + +<h1>3 test</h1> +<p>Inject comment text</p> +<div style="{ left:exp/* */ression( alert('xss3') ) }"> +<div style="{ background:u/* */rl( alert('xssurl3') ) }"> + +<h1>4 test</h1> +<p>Using reverse solid to directe the codepoint</p> +<div style="{ left:\0065\0078pression( alert('xss4') ) }"> +<div style="{ background:\0075rl( alert('xssurl4') ) }"> + +<h1>5 test</h1> +<p>Character entity references</p> +<p>Character entity references is acceptable in "inline styles"</p> +<div style="{ left:expression( alert('xss') ) }"> +<div style="{ left:expression( alert('xss') ) }"> +<div style="{ background:url( alert('URL!') ) }"> +<div style="{ background:url( alert('URL!') ) }"> +<div style="{ left:expression( alert('xss') ) }"> + +<div style="{ left:..p.....o.( alert('xss') ) }"> +<div style="{ left:../**/pression( alert('xss') ) }"> +<div style="{ left:expʀessioɴ( alert('xss') ) }"> +<div style="{ left:\0065\0078pression( alert('xss') ) }"> +<div style="{ left:ex p ression( alert('xss') ) }"> + +<div style="{ background:...( javascript:alert('xss') ) }"> +<div style="{ background:u/**/rl( javascript:alert('xss') ) }"> +<div style="{ background:\0075\0072\006c( javascript:alert('xss') ) }"> +<div style="{ background:uʀʟ( javascript:alert('xss') ) +}"> +<div style="{ background:\0075\0280l( javascript:alert('xss') +) }"> +<div style="{ background:u r l( javascript:alert('xss') ) }"> + +</body> +</html> + diff --git a/tests/src/htmlbody.txt b/tests/src/htmlbody.txt new file mode 100644 index 000000000..5cdd7579e --- /dev/null +++ b/tests/src/htmlbody.txt @@ -0,0 +1,50 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd"> +<html> +<head> +<meta http-equiv="content-type" content="text/html; charset=ISO-8859-1"> +<title>RoundCube Test Message</title> +<style type="text/css"> + +p, a { + font-family: Arial, 'Bitstream Vera Sans', Helvetica; + margin-top: 0px; + margin-bottom: 0px; + padding-top: 0px; + padding-bottom: 0px; +} + +</style> +</head> +<body style="margin: 0 0 0 0;"> + +<table width="100%" cellpadding="0" cellspacing="20" style="background-image:url(http://evilsite.net/newsletter/image/bg/bg-64.jpg);background-attachment:fixed;" background="http://evilsite.net/newsletter/image/bg/bg-64.jpg" border="0"> +<tr> +<td> + +<h1>This is a HTML message</h1> + +<p>See nice pictures like the following:</p> + +<div> + <img src="ex1.jpg" width="320" height="320" alt="Example 1"> + <img src="ex2.jpg" width="320" height="320" alt="Example 2"> + <img src="http://evilsite.net/mailings/ex3.jpg" width="320" height="320" alt="Example 3"> +</div> + +<form action="http://evilsite.net/subscribe.php"> + <p>Subscription form</p> + + E-Mail: <input type="text" name="mail" value=""><br/> + <input type="submit" value="Subscribe"> + +</form> + +<p>To unsubscribe click here <a href="http://evilsite.net/unsubscribe.php?mail=foo@bar.com"> or + send a mail to <a href="mailto:unsubscribe@evilsite.net">unsubscribe@evilsite.net</a></p> + +</td> +</tr> +</table> + +</body> +</html>
\ No newline at end of file diff --git a/tests/src/htmlxss.txt b/tests/src/htmlxss.txt new file mode 100644 index 000000000..60ceb944e --- /dev/null +++ b/tests/src/htmlxss.txt @@ -0,0 +1,22 @@ +<html> +<body> + +<p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p> + +<p><a href="javascript:alert(document.cookie)">mail me!</a> +<a href="http://roundcube.net" target="_self">roundcube.net</a> +<a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a> + +</p> + +<div>Brilliant!</div> + +<table><tbody><tr><td background="javascript:alert('XSS')">BBBBBB</td></tr></tbody></table> + +<p> +Have a nice Christmas time.<br /> +Thomas +</p> + +</body> +</html> diff --git a/tests/src/plainbody.txt b/tests/src/plainbody.txt new file mode 100644 index 000000000..7ebfe429b --- /dev/null +++ b/tests/src/plainbody.txt @@ -0,0 +1,37 @@ +From: iPhone Developer Program <noreply-iphonedev@apple.com> +To: nobody@roundcube.net + +*iPhone Developer Program* + +----------------------------------- +iPhone SDK 2.2.1 is now available +https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D= +D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i= +phone/login.action + +Log in to the iPhone Dev Center to download iPhone SDK for iPhone OS 2.2.1.= + Installation of iPhone SDK 2.2.1 is required for development with devices = +updated to iPhone OS 2.2.1. Please view the Read Me before installing the n= +ew version of the iPhone SDK. + +Log in now +https://daw.apple.com/cgi-bin/WebObjects/DSAuthWeb.woa/wa/login?appIdKey=3D= +D635F5C417E087A3B9864DAC5D25920C4E9442C9339FA9277951628F0291F620&path=3D//i= +phone/login.action + +----------------------------------- +Copyright (c) 2009 Apple Inc. 1 Infinite Loop, MS 303-3DM, Cupertino, CA 95= +014. + +All Rights Reserved +http://www.apple.com/legal/default.html + +Keep Informed +http://www.apple.com/enews/subscribe/ + +Privacy Policy +http://www.apple.com/legal/privacy/ + +My Info +https://myinfo.apple.com/cgi-bin/WebObjects/MyInfo + diff --git a/tests/src/valid.css b/tests/src/valid.css new file mode 100644 index 000000000..340fa9a87 --- /dev/null +++ b/tests/src/valid.css @@ -0,0 +1,30 @@ +/** Master style definitions **/ + +body, p, div, h1, h2, h3, textarea { + font-family: "Lucida Grande", Helvetica, sans-serif; + font-size: 8.8pt; + color: #333; +} + +body { + background-color: white; + margin: 0; +} + +h1 { + color: #1F519A; + font-size: 1.7em; + font-weight: normal; + margin-top: 0; + margin-bottom: 1em; +} + +.noscript { + display: none; +} + +.hint, .username { + color: #999; +} + + |