Timestamp:
12/04/08 07:48:32 (3 years ago)
Author:
KennethLavrsen
Message:

Item375: First part of addressing URLPARAM XSS issue
Additionally, some docs will need additional work.
Please test this carefully so we know which apps break from this.

File:
1 edited

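--- a/trunk/UnitTestContrib/test/unit/Fn_URLPARAM.pm
+++ b/trunk/UnitTestContrib/test/unit/Fn_URLPARAM.pm
@@ -55,4 +55,9 @@
         '%URLPARAM{"foo" default="bar"}%', $this->{test_web}, $this->{test_topic});
     $this->assert_str_equals('', "$str");
+
+    $this->{request}->param( -name=>'foo', -value=>'<evil script>\'\"%');
+    $str = $this->{twiki}->handleCommonTags(
+        '%URLPARAM{"foo" default="bar"}%', $this->{test_web}, $this->{test_topic});
+    $this->assert_str_equals('&#60;evil script&#62;&#39;\&#34;&#37;', "$str");
 }
 
@@ -62,8 +67,8 @@
     my $str;
 
-    $this->{request}->param( -name=>'foo', -value=>'&?*!"');
+    $this->{request}->param( -name=>'foo', -value=>'<>\'%&?*!"');
     $str = $this->{twiki}->handleCommonTags(
         '%URLPARAM{"foo" encode="entity"}%', $this->{test_web}, $this->{test_topic});
-    $this->assert_str_equals('&#38;?&#42;!&#34;', "$str");
+    $this->assert_str_equals('&#60;&#62;&#39;&#37;&#38;?&#42;!&#34;', "$str");
 
     $this->{request}->param( -name=>'foo', -value=>'&?*!" ');
@@ -76,4 +81,19 @@
         '%URLPARAM{"foo" encode="quote"}%', $this->{test_web}, $this->{test_topic});
     $this->assert_str_equals('&?*!\" ', "$str");
+
+    $this->{request}->param( -name=>'foo', -value=>'<evil script>\'\"%');
+    $str = $this->{twiki}->handleCommonTags(
+        '%URLPARAM{"foo" default="bar" encode="safe"}%', $this->{test_web}, $this->{test_topic});
+    $this->assert_str_equals('&#60;evil script&#62;&#39;\&#34;&#37;', "$str");
+
+    $this->{request}->param( -name=>'foo', -value=>'<evil script>\'\"%');
+    $str = $this->{twiki}->handleCommonTags(
+        '%URLPARAM{"foo" default="bar" encode="off"}%', $this->{test_web}, $this->{test_topic});
+    $this->assert_str_equals('<evil script>\'\"%', "$str");
+
+    $this->{request}->param( -name=>'foo', -value=>'<evil script>\'\"%');
+    $str = $this->{twiki}->handleCommonTags(
+        '%URLPARAM{"foo" default="bar" encode="none"}%', $this->{test_web}, $this->{test_topic});
+    $this->assert_str_equals('<evil script>\'\"%', "$str");
 }
 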
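Review bot: The default-encoding assertion at new lines 58–61 and the `encode="safe"` assertion at new lines 84–87 feed the same input and expect the same output, but nothing in the test records that the default is meant to equal `safe`; a comment before the `encode="safe"` case, `# default encoding must stay identical to encode="safe" (see the default="bar" case above)`, would keep the two from drifting apart unnoticed. The `encode="off"` and `encode="none"` cases at new lines 89–97 appear to deliberately pin raw pass-through of `<` and `>`, so a comment such as `# off/none are explicit opt-outs: the raw value is the expected result, not a regression` would stop a later reader from "fixing" them. The safe/default inputs contain no `&`, so the test does not pin whether safe encoding entity-escapes ampersands the way the `encode="entity"` case at new line 72 does; adding `&` to that input would close the gap. The three identical `$this->{request}->param(...)` calls at new lines 84, 89 and 94 could be collapsed to one, since the value never changes between them. Both enclosing test subs start before their hunks.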