# -- # Copyright (C) 2001-2021 OTRS AG, https://otrs.com/ # Copyright (C) 2021 Znuny GmbH, https://znuny.org/ # -- # This software comes with ABSOLUTELY NO WARRANTY. For details, see # the enclosed file COPYING for license information (GPL). If you # did not receive this file, see https://www.gnu.org/licenses/gpl-3.0.txt. # -- use strict; use warnings; use utf8; use vars (qw($Self)); # get HTMLUtils object my $HTMLUtilsObject = $Kernel::OM->Get('Kernel::System::HTMLUtils'); # Safety tests my @Tests = ( { Input => 'Some Text', Result => { Output => 'Some Text', Replace => 0, }, Name => 'Safety - simple' }, { Input => 'Some Text', Result => { Output => 'Some Text', Replace => 0, }, Name => 'Safety - simple' }, { Input => 'Some Text', Result => { Output => 'Some Text', Replace => 1, }, Name => 'Safety - simple' }, { Input => 'Some Text', Result => { Output => 'Some Text', Replace => 1, }, Name => 'Safety - simple' }, { Input => 'https://www.yoururl.tld/sub/online-assessment/index.php', Result => { Output => 'https://www.yoururl.tld/sub/online-assessment/index.php', Replace => 0, }, Name => 'Safety - simple' }, { Input => "https://www.yoururl.tld/sub/online-assessment/index.php", Result => { Output => "https://www.yoururl.tld/sub/online-assessment/index.php", Replace => 0, }, Name => 'Safety - simple' }, { Input => 'Some Text', Result => { Output => 'Some Text', Replace => 1, }, Name => 'Safety - simple' }, { Input => 'Some Text

', Result => { Output => 'Some Text ', Replace => 1, }, Name => 'Safety - simple' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script tag' }, { Input => ' Not all browsers can run applets. If you see this, yours can not. You should be able to continue reading these lessons, however. ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - applet tag' }, { Input => '

', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - object tag' }, { Input => ' \'\';!--"=&{()} ', Result => { Output => ' \'\';!--"=&{()} ', Replace => 0, }, Name => 'Safety - simple' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script/src tag' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script/src tag' }, { Input => '

', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - img tag' }, { Input => '

', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - img tag' }, { Input => ' "> ', Result => { Output => ' "> ', Replace => 1, }, Name => 'Safety - script/img tag' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script tag' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script tag' }, { Input => ' < ', Result => { Output => ' < ', Replace => 1, }, Name => 'Safety - script tag' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script' }, { Input => ' ', Result => { Output => ' ', Replace => 1, }, Name => 'Safety - script' }, { Input => ' PT SRC="http://ha.ckers.org/xss.js"> ', Result => { Output => ' PT SRC="http://ha.ckers.org/xss.js"> ', Replace => 1, }, Name => 'Safety - script' }, { Input => ' XSS ', Result => { Output => ' XSS ', Replace => 1, }, Name => 'Safety - script' }, { Input => ' XSS ', Result => { Output => ' XSS ', Replace => 1, }, Name => 'Safety - script' }, { Input => ' ', Result => { Output => ' \').attr(\'id\', \'hack-me\').css(\'display\', \'none\')); jQuery(\'#hack-me\').load(\'/znuny/index.pl?Action=AgentPreferences\', null, function() { jQuery.ajax({url: \'/znuny/index.pl\', type: \'POST\', data: ({Action: \'AgentPreferences\', ChallengeToken: jQuery(\'input[name=ChallengeToken]:first\', \'#hack-me\').val(), Group: \'Language\', \'Subaction\': \'Update\', UserLanguage: \'zh_CN\'})}); }); }, 500);"> ', Replace => 1, }, Name => 'Safety - script' }, { Input => 'Important Text about "javascript"! Some more text.', Result => { Output => 'Important Text about "javascript"! Some more text.', Replace => 0, }, Name => 'Safety - Test for bug#7972 - Some mails may not present HTML part when using rich viewing.' }, { Input => 'Important Text about "javascript"! Some more text.', Result => { Output => 'Important Text about "javascript"! Some more text.', Replace => 1, }, Name => 'Safety - Additional test for bug#7972 - Some mails may not present HTML part when using rich viewing.' }, { Name => 'Safety - UTF7 tags', Input => < { Output => < 1, }, }, { Input => <

EOF Result => { Output => <

EOF Replace => 1, }, Name => 'Safety - Filter out MS CSS expressions' }, { Input => <

EOF Result => { Output => <

EOF Replace => 1, }, Name => 'Safety - Microsoft CSS expression on invalid tag' }, { Input => < EOF Result => { Output => < EOF Replace => 1, }, Name => 'Safety - Filter out SVG' }, { Input => < EOF Result => { Output => < EOF Replace => 1, }, Name => 'Safety - Closing tag with space' }, { Input => < div > span { width: 200px; } EOF Result => { Output => < div > span { width: 200px; } EOF Replace => 1, }, Name => 'Safety - Style tags with CSS expressions are filtered out' }, { Input => <...