summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
Diffstat (limited to 'tests')
-rw-r--r--tests/mailfunc.php13
-rw-r--r--tests/src/htmlxss.txt2
2 files changed, 10 insertions, 5 deletions
diff --git a/tests/mailfunc.php b/tests/mailfunc.php
index bf9163b7d..8fd2cd3d5 100644
--- a/tests/mailfunc.php
+++ b/tests/mailfunc.php
@@ -19,6 +19,8 @@ class rcube_test_mailfunc extends UnitTestCase
$IMAP = $RCMAIL->imap;
require_once 'steps/mail/func.inc';
+
+ $GLOBALS['EMAIL_ADDRESS_PATTERN'] = $EMAIL_ADDRESS_PATTERN;
}
/**
@@ -43,7 +45,7 @@ class rcube_test_mailfunc extends UnitTestCase
$part->replaces = array('ex1.jpg' => 'part_1.2.jpg', 'ex2.jpg' => 'part_1.2.jpg');
// render HTML in normal mode
- $html = rcmail_print_body($part, array('safe' => false));
+ $html = rcmail_html4inline(rcmail_print_body($part, array('safe' => false)), 'foo');
$this->assertPattern('/src="'.$part->replaces['ex1.jpg'].'"/', $html, "Replace reference to inline image");
$this->assertPattern('#background="./program/blocked.gif"#', $html, "Replace external background image");
@@ -71,10 +73,13 @@ class rcube_test_mailfunc extends UnitTestCase
{
$part = $this->get_html_part('src/htmlxss.txt');
$washed = rcmail_print_body($part, array('safe' => true));
-
+
$this->assertNoPattern('/src="skins/', $washed, "Remove local references");
- $this->assertNoPattern('/\son[a-z]+/', $wahsed, "Remove on* attributes");
- $this->assertNoPattern('/alert/', $wahsed, "Remove alerts");
+ $this->assertNoPattern('/\son[a-z]+/', $washed, "Remove on* attributes");
+
+ $html = rcmail_html4inline($washed, 'foo');
+ $this->assertNoPattern('/onclick="return rcmail.command(\'compose\',\'xss@somehost.net\',this)"/', $html, "Clean mailto links");
+ $this->assertNoPattern('/alert/', $html, "Remove alerts");
}
/**
diff --git a/tests/src/htmlxss.txt b/tests/src/htmlxss.txt
index 60ceb944e..f6c43e353 100644
--- a/tests/src/htmlxss.txt
+++ b/tests/src/htmlxss.txt
@@ -3,7 +3,7 @@
<p><img onLoad.="alert(document.cookie)" src="skins/default/images/roundcube_logo.png" /></p>
-<p><a href="javascript:alert(document.cookie)">mail me!</a>
+<p><a href="mailto:xss@somehost.net') && alert(document.cookie) || ignore('">mail me!</a>
<a href="http://roundcube.net" target="_self">roundcube.net</a>
<a href="http://roundcube.net" \onmouseover="alert('XSS')">roundcube.net (2)</a>