# Regression tests: XSS vectors from the ha.ckers.org cheat sheet are pushed
# through HTML::StripScripts::Parser->filter_html and each result is compared
# with the output the author recorded for it.  @tests is a flat list of
# (input, expected_output) pairs; the plan of 100 is one isa_ok plus 99 pairs.
#
# NOTE(review): "expected" means the recorded behaviour of the filter, not a
# claim that the residue is harmless.  Several vectors (e.g. #31, #65, #66,
# #74, #75) are expected to come back byte-for-byte unchanged.
use strict;
use Test::More tests => 100;
BEGIN { $^W = 1 }    # global warnings flag, switched on before the parser is loaded
use HTML::StripScripts::Parser;

my @tests;           # populated by the BEGIN block at the end of the file

# NOTE(review): the Allow* and strict_* options are known here only by name;
# presumably they permit href/relative/mailto URLs and tighten tag-name and
# comment parsing -- confirm against the module's documentation before
# reading anything into a vector that "passes".
my $p = HTML::StripScripts::Parser->new(
    {   AllowHref       => 1,
        AllowRelURL     => 1,
        AllowMailto     => 1,
        strict_names    => 1,
        strict_comments => 1,
    }
);
isa_ok( $p, "HTML::StripScripts::Parser" );

my $i = 0;
while (@tests) {
    $i++;
    my $in     = shift @tests;
    my $out    = shift @tests;    # undef once @tests runs out, so an odd-length
                                  # list surfaces as a failing is() at the end
    my $result = $p->filter_html($in);
    is( $result, $out, "xss $i" );
}

# These XSS tests are from http://ha.ckers.org/xss.html
# I have excluded the google.com URL tests, as all of them are valid URLs (I think)
#
# The data sits in a BEGIN block so that @tests is already filled at compile
# time, before the while loop above runs.
#
# NOTE(review): in this copy of the file most vectors appear as empty q{}
# pairs, the numbering skips 80-83, 86 and 94, and entries 49, 54 and 73 show
# only one string -- the markup looks to have been stripped in extraction.
# Do not use this copy to check the pair count against the plan; compare with
# the upstream file.  Whitespace on the continuation lines of the multi-line
# strings (#10-#12, #20, #42, #43, #55, #63, #98, #99) is part of the string
# and must be preserved exactly.
BEGIN {
    @tests = (
        # 1
        q{';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>=&\{\}},
        q{';alert(String.fromCharCode(88,83,83))//\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\";alert(String.fromCharCode(88,83,83))//-->">'>=&{}},
        # 2
        q{'';!--"=&\{()\}},
        q{'';!--"=&{()}},
        # 3
        q{}, q{},
        # 4
        q{}, q{},
        # 5
        q{}, q{},
        # 6
        q{}, q{},
        # 7
        q{}, q{},
        # 8
        q{}, q{},
        # 9
        q{}, q{},
        # 10
        q{
}, q{
},
        # 11
        q{
}, q{
},
        # 12
        q{
}, q{
},
        # 13
        q{}, q{},
        # 14
        q{}, q{},
        # 15
        q{}, q{},
        # 16
        q{}, q{},
        # 17
        q{}, q{},
        # 18
        q{}, q{},
        # 19
        q{}, q{},
        # 20 -- everything after the comment opener is expected to be dropped
        q{exp/*
  • XSS}, q{exp/*},
        # 21
        q{}, q{},
        # 22
        q{}, q{},
        # 23
        q{}, q{},
        # 24
        q{}, q{},
        # 25
        q{}, q{},
        # 26
        q{}, q{},
        # 27
        q{}, q{},
        # 28
        q{}, q{},
        # 29
        q{}, q{},
        # 30
        q{}, q{},
        # 31 -- plain text that only looks like script; expected unchanged
        q{a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";},
        q{a="get"; b="URL(""; c="javascript:"; d="alert('XSS');")";},
        # 32
        q{}, q{},
        # 33
        q{}, q{},
        # 34
        q{}, q{},
        # 35
        q{}, q{},
        # 36
        q{}, q{},
        # 37
        q{}, q{},
        # 38
        q{}, q{},
        # 39
        q{}, q{},
        # 40
        q{}, q{},
        # 41
        q{}, q{},
        # 42
        q{
    }, q{
    },
        # 43
        q{
    }, q{
    },
        # 44
        q{}, q{},
        # 45 -- the trailing "]]>" is expected to survive as text
        q{]]>}, q{]]>},
        # 46
        q{}, q{},
        # 47
        q{}, q{},
        # 48
        q{}, q{},
        # 49
        q{},
        # 50
        q{}, q{},
        # 51
        q{}, q{},
        # 52
        q{}, q{},
        # 53
        q{}, q{'"-->},
        # 54
        q{},
        # 55
        q{
    }, q{
    },
        # 56
        q{<}, q{},
        # 57
        q{}, q{},
        # 58
        q{}, q{},
        # 59
        q{}, q{},
        # 60
        q{}, q{},
        # 61
        q{}, q{},
        # 62
        q{}, q{},
        # 63
        q{
    }, q{
    },
        # 64
        q{}, q{},
        # 65 -- UTF-7 form of <SCRIPT>...</SCRIPT>; expected to pass through
        # unchanged, i.e. the filter treats it as plain text.
        # NOTE(review): that is only safe when the page embedding the output
        # pins its charset, so a browser cannot sniff the response as UTF-7.
        q{ +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-},
        q{ +ADw-SCRIPT+AD4-alert('XSS');+ADw-/SCRIPT+AD4-},
        # 66 -- bare script fragment with no markup; expected unchanged
        q{\";alert('XSS');//}, q{\";alert('XSS');//},
        # 67
        q{}, q{},
        # 68
        q{}, q{},
        # 69
        q{}, q{},
        # 70
        q{}, q{},
        # 71
        q{}, q{},
        # 72
        q{}, q{},
        # 73
        q{},
        # 74 / 75 -- shell-looking text; both expected unchanged
        q{perl -e 'print "";'> out}, q{perl -e 'print "";'> out},
        # 75
        q{perl -e 'print "&alert("XSS")";' > out}, q{perl -e 'print "&alert("XSS")";' > out},
        # 76
        q{}, q{},
        # 77
        q{}, q{},
        # 78
        q{}, q{},
        # 79
        q{}, q{<},
        # 84
        q{">}, q{">},
        # 85
        q{}, q{},
        # 87
        q{}, q{},
        # 88
        q{}, q{},
        # 89
        q{}, q{},
        # 90
        q{}, q{},
        # 91 -- a half-tag with its opener missing is expected to stay as text
        q{PT SRC="http://ha.ckers.org/xss.js">}, q{PT SRC="http://ha.ckers.org/xss.js">},
        # 92
        q{}, q{},
        # 93
        q{XSS}, q{XSS},
        # 95
        q{XSS}, q{XSS},
        # 96
        q{XSS}, q{XSS},
        # 97
        q{XSS}, q{XSS},
        # 98 / 99 -- NOTE(review): the two inputs look identical in this copy
        # but the expected outputs differ (newline rendered as a space vs. as
        # &#10;), so the markup that distinguished them is presumably lost.
        q{test
test}, q{test test},
        # 99
        q{test
test}, q{test&#10;test},
    );
}