Commit d12bfa09 authored by abarth@webkit.org

Revert 44977 because Tiger and Windows don't like the new tests.

git-svn-id: http://svn.webkit.org/repository/webkit/trunk@44978 268f45cc-cd09-0410-ab3c-d52691b4dbfc
parent 84ff6150
2009-06-23 Adam Barth <abarth@webkit.org>
Reviewed by Sam Weinig.
https://bugs.webkit.org/show_bug.cgi?id=26589
More tests for the XSSAuditor.
* http/tests/security/xssAuditor/link-onclick-expected.txt: Added.
* http/tests/security/xssAuditor/link-onclick.html: Added.
* http/tests/security/xssAuditor/property-escape-expected.txt: Added.
* http/tests/security/xssAuditor/property-escape.html: Added.
* http/tests/security/xssAuditor/resources/echo-intertag-post-and-notify.php: Added.
* http/tests/security/xssAuditor/resources/echo-intertag-post.php: Added.
* http/tests/security/xssAuditor/resources/echo-intertag-utf-7.php: Added.
* http/tests/security/xssAuditor/resources/echo-intertag.php:
* http/tests/security/xssAuditor/resources/echo-property.php: Added.
* http/tests/security/xssAuditor/resources/redir.php: Added.
* http/tests/security/xssAuditor/resources/xss.js: Added.
* http/tests/security/xssAuditor/script-tag-convoluted-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-convoluted.html: Added.
* http/tests/security/xssAuditor/script-tag-open-redirect-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-open-redirect.html: Added.
* http/tests/security/xssAuditor/script-tag-post-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-post.html: Added.
* http/tests/security/xssAuditor/script-tag-redirect-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-redirect.html: Added.
* http/tests/security/xssAuditor/script-tag-utf-7-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-utf-7.html: Added.
* http/tests/security/xssAuditor/script-tag-with-source-expected.txt: Added.
* http/tests/security/xssAuditor/script-tag-with-source.html: Added.
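Review bot: the ChangeLog entry being reverted says only "More tests for the XSSAuditor" and does not record what each of the eight new tests exercises (inline handler on a link, attribute break-out, split script tag, redirect to the echo page, POST body, UTF-7 response, external script source), nor what changed in echo-intertag.php, which is listed without "Added" and with no description. When these tests are re-landed, a one-line purpose per test would also make it possible to tell which ones Tiger and Windows actually fail on, so that only those need to be skipped on those platforms instead of reverting the whole set.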
2009-06-22 Shinichiro Hamaji <hamaji@chromium.org>
Reviewed by Alexey Proskuryakov.
......
CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.setXSSAuditorEnabled(true);
}
</script>
</head>
<body>
<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-intertag.php?q=<a href='http://webblaze.cs.berkeley.edu' onclick='alert(/XSS/);return false'>Click me to get haxored!</a>">
</iframe>
</body>
</html>
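Review bot: link-onclick.html has no pass condition beyond the console message in the expected output; the injected onclick handler is never triggered, so the test would also pass in a build that logs the refusal but leaves the handler live. Dispatching a synthetic click on the link from the harness would make a surviving handler show up as an ALERT line in the text dump. The href also points at an external host, http://webblaze.cs.berkeley.edu; it is never followed because the handler returns false, but a localhost URL avoids any accidental network dependency in the http test suite.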
CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.setXSSAuditorEnabled(true);
}
</script>
</head>
<body>
<iframe src="http://localhost:8000/security/xssAuditor/resources/echo-property.php?q=%22%20onload=%22alert(/XSS/)">
</iframe>
</body>
</html>
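Review bot: property-escape.html depends on an unstated contract with echo-property.php: the payload `%22%20onload=%22alert(/XSS/)` has to close the double-quoted `foo` attribute on `<body>`, and the template's own trailing `">` supplies the final quote. Add a comment in the test saying the injection point is a double-quoted attribute value (hence the leading `%22`), so a later change to the echo script does not silently turn this into a different test. The console message is an adequate oracle here, unlike link-onclick, because onload would fire without interaction and produce an ALERT line if the handler survived.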
<?php
# Silly magic quotes. We're using an old version of PHP.
if (get_magic_quotes_gpc()) {
function stripslashes_gpc(&$value) {
$value = stripslashes($value);
}
array_walk_recursive($_GET, 'stripslashes_gpc');
array_walk_recursive($_POST, 'stripslashes_gpc');
array_walk_recursive($_COOKIE, 'stripslashes_gpc');
array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}
?>
<!DOCTYPE html>
<html>
<body>
<?php
echo $_POST['q'];
?>
<script>
if (window.layoutTestController)
layoutTestController.notifyDone();
</script>
</body>
</html>
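Review bot: the magic-quotes prelude at the top of this file is duplicated verbatim in echo-intertag-post.php, echo-intertag-utf-7.php, echo-intertag.php and echo-property.php; factor it into one shared include under resources/ so the five echo scripts cannot drift apart. Separately, the `layoutTestController.notifyDone()` script after the echoed POST body is the only thing that ends script-tag-post.html, which calls waitUntilDone(); a comment stating that this inline script is intentionally not part of the request and must keep running when the auditor blocks the echoed one would document why the test hangs to the harness timeout, rather than failing with a diff, if that ever regresses.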
<?php
# Silly magic quotes. We're using an old version of PHP.
if (get_magic_quotes_gpc()) {
function stripslashes_gpc(&$value) {
$value = stripslashes($value);
}
array_walk_recursive($_GET, 'stripslashes_gpc');
array_walk_recursive($_POST, 'stripslashes_gpc');
array_walk_recursive($_COOKIE, 'stripslashes_gpc');
array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}
?>
<!DOCTYPE html>
<html>
<body>
<?php
echo $_POST['q'];
?>
</body>
</html>
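Review bot: this file is echo-intertag-post-and-notify.php without the notifyDone() script, and none of the tests shown on this page reference it (script-tag-post.html posts to the -and-notify variant); either drop it or state in the ChangeLog which test uses it, otherwise it is an unexercised echo endpoint that has to be kept in sync with the others by hand.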
<?php
header("Content-Type: text/html; charset=UTF-7");
# Silly magic quotes. We're using an old version of PHP.
if (get_magic_quotes_gpc()) {
function stripslashes_gpc(&$value) {
$value = stripslashes($value);
}
array_walk_recursive($_GET, 'stripslashes_gpc');
array_walk_recursive($_POST, 'stripslashes_gpc');
array_walk_recursive($_COOKIE, 'stripslashes_gpc');
array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}
?>
<!DOCTYPE html>
<html>
<body>
<?php
echo $_GET['q'];
?>
</body>
</html>
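Review bot: the `header("Content-Type: text/html; charset=UTF-7")` line is the whole point of this file, but nothing says why, and the test it serves (script-tag-utf-7.html) is not visible here. Add a comment stating the intent, that the script tag arrives in the request in UTF-7 form so its bytes do not literally contain `<script>` while the decoded response does, and that the auditor is expected to match against the decoded markup; note also that the header must be emitted before any output, which holds only because it precedes the magic-quotes block and the DOCTYPE.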
<?php
# Silly magic quotes. We're using an old version of PHP.
if (get_magic_quotes_gpc()) {
function stripslashes_gpc(&$value) {
$value = stripslashes($value);
}
array_walk_recursive($_GET, 'stripslashes_gpc');
array_walk_recursive($_POST, 'stripslashes_gpc');
array_walk_recursive($_COOKIE, 'stripslashes_gpc');
array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}
?>
<!DOCTYPE html>
<html>
<body>
......
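Review bot: the modification to echo-intertag.php is collapsed on this page below `<body>`, so only the unchanged prelude can be reviewed; since the ChangeLog lists this file without "Added" and gives no description, and four of the tests on this page target it, the ChangeLog line should say what was changed in it.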
<?php
# Silly magic quotes. We're using an old version of PHP.
if (get_magic_quotes_gpc()) {
function stripslashes_gpc(&$value) {
$value = stripslashes($value);
}
array_walk_recursive($_GET, 'stripslashes_gpc');
array_walk_recursive($_POST, 'stripslashes_gpc');
array_walk_recursive($_COOKIE, 'stripslashes_gpc');
array_walk_recursive($_REQUEST, 'stripslashes_gpc');
}
?>
<!DOCTYPE html>
<html>
<body foo="<?php
echo $_GET['q'];
?>">
</body>
</html>
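Review bot: because the `<?php` and `?>` tags sit on their own lines, the echoed value lands inside `foo="..."` with a newline on either side; harmless for the current payload, but `<body foo="<?php echo $_GET['q']; ?>">` on one line keeps the injection context exact and visible. A comment that `foo` is a deliberately meaningless attribute name would also stop someone later "fixing" it to a real attribute and changing what the test measures.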
CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.setXSSAuditorEnabled(true);
}
</script>
</head>
<body>
<iframe src='http://localhost:8000/security/xssAuditor/resources/echo-intertag.php?q=<script>document.write("scri")</script>pt src="xss.js"></script>'>
</iframe>
</body>
</html>
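Review bot: as the URL reads on this page, `document.write("scri")` writes the plain text `scri` with no `<`, so the trailing `pt src="xss.js"></script>` never assembles into a script element and the console message comes from the first inline script alone; if the intent is the split-tag trick, the string should be `"<scri"`. Either way the test cannot distinguish the auditor blocking the document.write script from it blocking the assembled external script, because blocking the first means the second never exists, and a single console message is expected in both cases. Consider stating in a comment which of the two the test is meant to prove.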
CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.setXSSAuditorEnabled(true);
}
</script>
</head>
<body>
<iframe src="http://localhost:8000/security/xssAuditor/resources/redir.php?url=http://localhost:8000/security/xssAuditor/resources/echo-intertag.php?q=<script>alert(/XSS/)</script>">
</iframe>
</body>
</html>
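Review bot: the `url` parameter carries an unencoded nested query string (`?q=<script>...`), so the test silently depends on redir.php, which is not shown on this page, forwarding its entire `url` value including the query, and on the payload never containing `&`; percent-encode the nested URL, or at least comment that redir.php must redirect to the raw value. The name "open redirect" also overstates what is checked: both the redirector and the final echo page live on localhost:8000, so the cross-origin redirect case is not covered by this file.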
CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.waitUntilDone();
layoutTestController.setXSSAuditorEnabled(true);
}
</script>
</head>
<body>
<iframe name="tg" src="about:blank"></iframe>
<form target="tg" method="POST" id="theForm"
action="http://localhost:8000/security/xssAuditor/resources/echo-intertag-post-and-notify.php">
<input type="text" name="q" value="<script>alert(/XSS/)</script>">
</form>
<script>
document.getElementById('theForm').submit();
</script>
</body>
</html>
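Review bot: this test calls waitUntilDone() and relies entirely on the framed POST response calling notifyDone(), so a server error or a wrongly blocked notify script ends in a harness timeout rather than a readable diff; a setTimeout in the test that calls notifyDone() after a few seconds with a failure note in the dump would keep the failure mode informative. Minor: the payload input can be `type="hidden"`, since nothing needs to render it.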
CONSOLE MESSAGE: line 1: Refused to execute a JavaScript script. Source code of script found within request.
<!DOCTYPE html>
<html>
<head>
<script>
if (window.layoutTestController) {
layoutTestController.dumpAsText();
layoutTestController.setXSSAuditorEnabled(true);
}
</script>
</head>
<body>
<iframe src="resources/redir.php?url=http://localhost:8000/security/xssAuditor/resources/echo-intertag.php?q=<script>alert(/XSS/)</script>">
</iframe>
</body>
</html>
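Review bot: this file differs from script-tag-open-redirect.html only in addressing redir.php relatively instead of via the absolute localhost:8000 URL, and the two expected outputs are identical, so the intended distinction between the two tests (same-origin versus cross-origin redirector, presumably) is nowhere recorded; add a comment in each stating it. Note also that identical expected output only shows that the post-redirect page was blocked, not which request URL the auditor compared the script against.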