صفحهٔ اصلی گشت‌و‌گذار راهنما
ورود
bachir
/
materio-base-d7
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
درخت: 26fadc74e4
شاخه‌ها تگ‌ها
materio-base...
/
sites
/
all
/
modules
/
contrib
/
seo
/
metatag
/
tests
/
metatag.xss.test

metatag.xss.test 6.0 KB
تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209 
  1. <?php
    2. 

  2. 

  3. /**
    4. 

  4.  * @file
    5. 

  5.  * Tests Metatag module to ensure there are no XSS scripting vulnerabilities.
    6. 

  6.  */
    7. 

  7. 

  8. /**
    9. 

  9.  * Tests Metatag module to ensure there are no XSS scripting vulnerabilities.
    10. 

  10.  */
    11. 

  11. class MetatagCoreXSSTest extends MetatagTestHelper {
    12. 

  12. 

  13.   /**
    14. 

  14.    * String that causes an alert when page titles aren't filtered for xss.
    15. 

  15.    *
    16. 

  16.    * @var string
    17. 

  17.    */
    18. 

  18.   private $xssTitleString = '<script>alert("xss");</script>';
    19. 

  19. 

  20.   /**
    21. 

  21.    * String that causes an alert when metatags aren't filtered for xss.
    22. 

  22.    *
    23. 

  23.    * @var string
    24. 

  24.    */
    25. 

  25.   private $xssString = '"><script>alert("xss");</script><meta "';
    26. 

  26. 

  27.   /**
    28. 

  28.    * Rendered xss tag that has escaped attribute to avoid xss injection.
    29. 

  29.    *
    30. 

  30.    * @var string
    31. 

  31.    */
    32. 

  32.   private $escapedXssTag = '<meta name="abstract" content="&quot;&gt;alert(&quot;xss&quot;);" />';
    33. 

  33. 

  34.   /**
    35. 

  35.    * String that causes an alert when metatags aren't filtered for xss.
    36. 

  36.    *
    37. 

  37.    * "Image" meta tags are processed differently to others, so this checks for a
    38. 

  38.    * different string.
    39. 

  39.    *
    40. 

  40.    * @var string
    41. 

  41.    */
    42. 

  42.   private $xssImageString = '/"><script>alert("image xss");</script><meta "';
    43. 

  43. 

  44.   /**
    45. 

  45.    * Rendered xss tag that has escaped attribute to avoid xss injection.
    46. 

  46.    *
    47. 

  47.    * @var string
    48. 

  48.    */
    49. 

  49.   private $escapedXssImageTag = '';
    50. 

  50. 

  51.   /**
    52. 

  52.    * {@inheritdoc}
    53. 

  53.    */
    54. 

  54.   public static function getInfo() {
    55. 

  55.     return array(
    56. 

  56.       'name' => 'Metatag core tests for XSS.',
    57. 

  57.       'description' => 'Test Metatag for XSS vulnerabilities.',
    58. 

  58.       'group' => 'Metatag',
    59. 

  59.     );
    60. 

  60.   }
    61. 

  61. 

  62.   /**
    63. 

  63.    * {@inheritdoc}
    64. 

  64.    */
    65. 

  65.   function setUp(array $modules = array()) {
    66. 

  66.     parent::setUp($modules);
    67. 

  67. 

  68.     $content_type = 'page';
    69. 

  69. 

  70.     // Create an admin user and log them in.
    71. 

  71.     $perms = array(
    72. 

  72.       // Needed for the content type.
    73. 

  73.       'create ' . $content_type . ' content',
    74. 

  74.       'delete any ' . $content_type . ' content',
    75. 

  75.       'edit any ' . $content_type . ' content',
    76. 

  76. 

  77.       // This permission is required in order to create new revisions.
    78. 

  78.       'administer nodes',
    79. 

  79.     );
    80. 

  80.     $this->adminUser = $this->createAdminUser($perms);
    81. 

  81.     $this->drupalLogin($this->adminUser);
    82. 

  82. 

  83.     // Generate the encoded version of $xssImageString.
    84. 

  84.     // '<link rel="image_src" href="' . $xssImageString . '" />'
    85. 

  85.     $prefix = '<link rel="image_src" href="';
    86. 

  86.     // The image tag will be automatically prefixed by the current hostname,
    87. 

  87.     // so adjust the escaped string.
    88. 

  88.     $url = url('', array('absolute' => TRUE));
    89. 

  89.     // Convert the raw string to what it will be when output in the HTML.
    90. 

  90.     $value = ltrim($this->xssImageString, '/');
    91. 

  91.     $value = urlencode($value);
    92. 

  92.     $value = str_replace('+', '%20', $value);
    93. 

  93.     $value = str_replace('%2F', '/', $value);
    94. 

  94.     $suffix = '" />';
    95. 

  95.     $this->escapedXssImageTag = $prefix . $url . $value . $suffix;
    96. 

  96.   }
    97. 

  97. 

  98.   /**
    99. 

  99.    * Verify XSS injected in global Node config is not rendered.
    100. 

  100.    */
    101. 

  101.   function testXssMetatagConfig() {
    102. 

  102.     // Submit the form with some example XSS values.
    103. 

  103.     $this->drupalGet('admin/config/search/metatags/config/global');
    104. 

  104.     $this->assertResponse(200);
    105. 

  105.     $edit = array(
    106. 

  106.       'metatags[und][title][value]' => $this->xssTitleString,
    107. 

  107.       'metatags[und][abstract][value]' => $this->xssString,
    108. 

  108.       'metatags[und][image_src][value]' => $this->xssImageString,
    109. 

  109.     );
    110. 

  110.     $this->drupalPost(NULL, $edit, t('Save'));
    111. 

  111.     $this->assertResponse(200);
    112. 

  112. 

  113.     // Use front page to test.
    114. 

  114.     $this->drupalGet('<front>');
    115. 

  115. 

  116.     // Verify title is clean.
    117. 

  117.     $this->assertNoTitle($this->xssTitleString);
    118. 

  118.     $this->assertNoRaw($this->xssTitleString);
    119. 

  119. 

  120.     // Verify the abstract is clean.
    121. 

  121.     $this->assertRaw($this->escapedXssTag);
    122. 

  122.     $this->assertNoRaw($this->xssString);
    123. 

  123. 

  124.     // Verify the image_src is clean.
    125. 

  125.     $this->assertRaw($this->escapedXssImageTag);
    126. 

  126.     $this->assertNoRaw($this->xssImageString);
    127. 

  127.   }
    128. 

  128. 

  129.   /**
    130. 

  130.    * Verify XSS injected in the entity metatag override field is not rendered.
    131. 

  131.    */
    132. 

  132.   public function testXssEntityOverride() {
    133. 

  133.     $title = 'Test Page';
    134. 

  134. 

  135.     // Load a page node.
    136. 

  136.     $this->drupalGet('node/add/page');
    137. 

  137.     $this->assertResponse(200);
    138. 

  138. 

  139.     // Submit the node with some example XSS values.
    140. 

  140.     $edit = array(
    141. 

  141.       'title' => $title,
    142. 

  142.       'metatags[und][title][value]' => $this->xssTitleString,
    143. 

  143.       'metatags[und][description][value]' => $this->xssString,
    144. 

  144.       'metatags[und][abstract][value]' => $this->xssString,
    145. 

  145.     );
    146. 

  146.     $this->drupalPost(NULL, $edit, t('Save'));
    147. 

  147. 

  148.     // Verify the page saved.
    149. 

  149.     $this->assertResponse(200);
    150. 

  150.     $this->assertText(t('Basic page @title has been created.', array('@title' => $title)));
    151. 

  151. 

  152.     // Verify title is not the injected string and thus cleaned.
    153. 

  153.     $this->assertNoTitle($this->xssTitleString);
    154. 

  154.     $this->assertNoRaw($this->xssTitleString);
    155. 

  155. 

  156.     // Verify the description and abstract are clean.
    157. 

  157.     $this->assertRaw($this->escapedXssTag);
    158. 

  158.     $this->assertNoRaw($this->xssString);
    159. 

  159.   }
    160. 

  160. 

  161.   /**
    162. 

  162.    * Verify XSS injected in the entity titles are not rendered.
    163. 

  163.    */
    164. 

  164.   public function testXssEntityTitle() {
    165. 

  165.     // Load a page node.
    166. 

  166.     $this->drupalGet('node/add/page');
    167. 

  167.     $this->assertResponse(200);
    168. 

  168. 

  169.     // Submit the node with some example XSS values.
    170. 

  170.     $edit = array(
    171. 

  171.       'title' => $this->xssTitleString,
    172. 

  172.       'body[und][0][value]' => 'hello world',
    173. 

  173.     );
    174. 

  174.     $this->drupalPost(NULL, $edit, t('Save'));
    175. 

  175. 

  176.     // Verify the page saved.
    177. 

  177.     $this->assertResponse(200);
    178. 

  178.     $this->assertText(t('has been created.'));
    179. 

  179. 

  180.     // Verify title is not the injected string and thus cleaned.
    181. 

  181.     $this->assertNoRaw($this->xssTitleString);
    182. 

  182.   }
    183. 

  183. 

  184.   /**
    185. 

  185.    * Verify XSS injected in the body field is not rendered.
    186. 

  186.    */
    187. 

  187.   public function testXssEntityBody() {
    188. 

  188.     $title = 'Hello World';
    189. 

  189. 

  190.     // Load a page node.
    191. 

  191.     $this->drupalGet('node/add/page');
    192. 

  192.     $this->assertResponse(200);
    193. 

  193. 

  194.     // Submit the node with a test body value.
    195. 

  195.     $edit = array(
    196. 

  196.       'title' => $title,
    197. 

  197.       'body[und][0][value]' => $this->xssString,
    198. 

  198.     );
    199. 

  199.     $this->drupalPost(NULL, $edit, t('Save'));
    200. 

  200. 

  201.     // Verify the page saved.
    202. 

  202.     $this->assertResponse(200);
    203. 

  203.     $this->assertText(t('Basic page @title has been created.', array('@title' => $title)));
    204. 

  204. 

  205.     // Verify body field is clean.
    206. 

  206.     $this->assertNoRaw($this->xssString);
    207. 

  207.   }
    208. 

  208. 

  209. }
    210.