author | Tim Almdal <tnalmdal@shaw.ca> | 2009-11-18 10:34:39 -0800 |
committer | Tim Almdal <tnalmdal@shaw.ca> | 2009-11-18 10:34:39 -0800 |
commit | 4fe5801c885088e5e6c11b8a20a561415941b864 (patch) | |
tree | cf165e7bf32e7782e555f07871ff393ed8e2caeb /modules | |
parent | 3f600d46e44268ef95734249a12d706bdefd87be (diff) |
Simplify the maintenance of the xss golden file by having each module contribute its own golden file to a consolidated one. This will make it easier for -contrib modules or themes to be included in the xss security test w/o having to keep modifying a central golden file.
Diffstat (limited to 'modules')
-rw-r--r-- | modules/akismet/tests/xss_data.txt | 3 | ||||
-rw-r--r-- | modules/comment/tests/xss_data.txt | 33 | ||||
-rw-r--r-- | modules/digibug/tests/xss_data.txt | 3 | ||||
-rw-r--r-- | modules/exif/tests/xss_data.txt | 2 | ||||
-rw-r--r-- | modules/g2_import/tests/xss_data.txt | 1 | ||||
-rw-r--r-- | modules/gallery/tests/Xss_Security_Test.php | 14 | ||||
-rw-r--r-- | modules/gallery/tests/xss_data.txt | 210 | ||||
-rw-r--r-- | modules/image_block/tests/xss_data.txt | 2 | ||||
-rw-r--r-- | modules/info/tests/xss_data.txt | 2 | ||||
-rw-r--r-- | modules/notification/tests/xss_data.txt | 8 | ||||
-rw-r--r-- | modules/organize/tests/xss_data.txt | 22 | ||||
-rw-r--r-- | modules/recaptcha/tests/xss_data.txt | 3 | ||||
-rw-r--r-- | modules/rss/tests/xss_data.txt | 32 | ||||
-rw-r--r-- | modules/search/tests/xss_data.txt | 4 | ||||
-rw-r--r-- | modules/server_add/tests/xss_data.txt | 7 | ||||
-rw-r--r-- | modules/tag/tests/xss_data.txt | 7 | ||||
-rw-r--r-- | modules/user/tests/xss_data.txt | 15 | ||||
-rw-r--r-- | modules/watermark/tests/xss_data.txt | 3 |
18 files changed, 160 insertions, 211 deletions
diff --git a/modules/akismet/tests/xss_data.txt b/modules/akismet/tests/xss_data.txt
new file mode 100644
index 00000000..97f239a2
--- /dev/null
+++ b/modules/akismet/tests/xss_data.txt
@@ -0,0 +1,3 @@
+modules/akismet/views/admin_akismet.html.php 16 DIRTY $form
+modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY_ATTR $api_key
+modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY_ATTR urlencode($blog_url)
diff --git a/modules/comment/tests/xss_data.txt b/modules/comment/tests/xss_data.txt
new file mode 100644
index 00000000..0a7fb818
--- /dev/null
+++ b/modules/comment/tests/xss_data.txt
@@ -0,0 +1,33 @@
+modules/comment/views/admin_block_recent_comments.html.php 4 DIRTY_ATTR text::alternate("g-even","g-odd")
+modules/comment/views/admin_block_recent_comments.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(32,$theme->url(,true))
+modules/comment/views/admin_block_recent_comments.html.php 10 DIRTY gallery::date_time($comment->created)
+modules/comment/views/admin_comments.html.php 43 DIRTY $menu->render()
+modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR $comment->id
+modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR text::alternate("g-odd","g-even")
+modules/comment/views/admin_comments.html.php 110 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
+modules/comment/views/admin_comments.html.php 123 DIRTY_JS $item->url()
+modules/comment/views/admin_comments.html.php 125 DIRTY_ATTR $item->thumb_url()
+modules/comment/views/admin_comments.html.php 127 DIRTY photo::img_dimensions($item->thumb_width,$item->thumb_height,75)
+modules/comment/views/admin_comments.html.php 135 DIRTY gallery::date($comment->created)
+modules/comment/views/admin_comments.html.php 142 DIRTY_JS $comment->id
+modules/comment/views/admin_comments.html.php 151 DIRTY_JS $comment->id
+modules/comment/views/admin_comments.html.php 160 DIRTY_JS $comment->id
+modules/comment/views/admin_comments.html.php 169 DIRTY_JS $comment->id
+modules/comment/views/admin_comments.html.php 176 DIRTY_JS $comment->id
+modules/comment/views/admin_comments.html.php 184 DIRTY_JS $comment->id
+modules/comment/views/admin_comments.html.php 197 DIRTY $pager
+modules/comment/views/comment.html.php 2 DIRTY_ATTR $comment->id;
+modules/comment/views/comment.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
+modules/comment/views/comment.mrss.php 10 DIRTY $feed->uri
+modules/comment/views/comment.mrss.php 13 DIRTY_JS $feed->uri
+modules/comment/views/comment.mrss.php 16 DIRTY_JS $feed->previous_page_uri
+modules/comment/views/comment.mrss.php 19 DIRTY_JS $feed->next_page_uri
+modules/comment/views/comment.mrss.php 21 DIRTY $pub_date
+modules/comment/views/comment.mrss.php 22 DIRTY $pub_date
+modules/comment/views/comment.mrss.php 28 DIRTY $child->item_uri
+modules/comment/views/comment.mrss.php 29 DIRTY $child->pub_date
+modules/comment/views/comment.mrss.php 34 DIRTY_ATTR $child->thumb_url
+modules/comment/views/comment.mrss.php 35 DIRTY_ATTR $child->thumb_height
+modules/comment/views/comment.mrss.php 35 DIRTY_ATTR $child->thumb_width
+modules/comment/views/comments.html.php 16 DIRTY_ATTR $comment->id
+modules/comment/views/comments.html.php 19 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
diff --git a/modules/digibug/tests/xss_data.txt b/modules/digibug/tests/xss_data.txt
new file mode 100644
index 00000000..c65afb66
--- /dev/null
+++ b/modules/digibug/tests/xss_data.txt
@@ -0,0 +1,3 @@
+modules/digibug/views/digibug_form.html.php 4 DIRTY form::open("http://www.digibug.com/dapi/order.php")
+modules/digibug/views/digibug_form.html.php 5 DIRTY form::hidden($order_parms)
+modules/digibug/views/digibug_form.html.php 6 DIRTY form::close()
diff --git a/modules/exif/tests/xss_data.txt b/modules/exif/tests/xss_data.txt
new file mode 100644
index 00000000..7ed830ad
--- /dev/null
+++ b/modules/exif/tests/xss_data.txt
@@ -0,0 +1,2 @@
+modules/exif/views/exif_dialog.html.php 14 DIRTY $details[$i]["caption"]
+modules/exif/views/exif_dialog.html.php 21 DIRTY $details[$i]["caption"]
diff --git a/modules/g2_import/tests/xss_data.txt b/modules/g2_import/tests/xss_data.txt
new file mode 100644
index 00000000..e3914a0d
--- /dev/null
+++ b/modules/g2_import/tests/xss_data.txt
@@ -0,0 +1 @@
+modules/g2_import/views/admin_g2_import.html.php 29 DIRTY $form
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index b296d97c..801db8dd 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -302,8 +302,20 @@ class Xss_Security_Test extends Unit_Test_Case {
 */
 $new = TMPPATH . "xss_data.txt";
 $fd = fopen($new, "wb");
+ $canonical = TMPPATH . "xss_data_golden.txt";
+ $fd_canonical = fopen($canonical, "wb");
+ $current_type = $current_plugin = "";
 ksort($found);
 foreach ($found as $view => $frames) {
+ list ($type, $plugin) = explode("/", $view);
+ if ($type != $current_type || $plugin != $current_plugin) {
+ $golden_file = ($type == "modules" ? MODPATH : THEMEPATH) . "{$plugin}/tests/xss_data.txt";
+ if (file_exists($golden_file)) {
+ fwrite($fd_canonical, file_get_contents($golden_file));
+ }
+ $current_type = $type;
+ $current_plugin = $plugin;
+ }
 foreach ($frames as $frame) {
 $state = "DIRTY";
 if ($frame->in_script_block() && $frame->in_href_attribute()) {
@@ -344,9 +356,9 @@ class Xss_Security_Test extends Unit_Test_Case {
 }
 }
 fclose($fd);
+ fclose($fd_canonical);
 // Compare with the expected report from our golden file.
- $canonical = MODPATH . "gallery/tests/xss_data.txt";
 exec("diff $canonical $new", $output, $return_value);
 $this->assert_false(
 $return_value, "XSS golden file mismatch. Output:\n" . implode("\n", $output)
 );
diff --git a/modules/gallery/tests/xss_data.txt b/modules/gallery/tests/xss_data.txt
index 3eaa6561..8814284b 100644
--- a/modules/gallery/tests/xss_data.txt
+++ b/modules/gallery/tests/xss_data.txt
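Review bot: The two temp-file paths are still passed unquoted to the shell in the context line `exec("diff $canonical $new", $output, $return_value);`, and after this change both operands are derived from TMPPATH, so a temp directory containing a space or shell metacharacter makes the comparison fail for the wrong reason (and, should TMPPATH ever be attacker-influenced, the exec becomes command injection); quote them as `exec("diff " . escapeshellarg($canonical) . " " . escapeshellarg($new), $output, $return_value);`. Neither `fopen` result is checked, so an unwritable TMPPATH surfaces as fwrite warnings on `false` and an empty golden stream rather than a clear assertion failure. A plugin's `tests/xss_data.txt` is only concatenated when that plugin appears in `$found`, so a golden entry left behind after its view was fixed is presumably never diffed and will not be flagged as stale — worth a one-line comment above the `$golden_file` assignment if that is intended. Note also that each module now blesses its own unescaped output, so a contrib module can silence this test for itself by editing its own golden file; a comment at that point reminding reviewers that any change to a `tests/xss_data.txt` must be reviewed as a security exception would help. The enclosing test method begins before the first hunk and its end may lie after the second.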
@@ -1,45 +1,3 @@
-modules/akismet/views/admin_akismet.html.php 16 DIRTY $form
-modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY_ATTR $api_key
-modules/akismet/views/admin_akismet_stats.html.php 9 DIRTY_ATTR urlencode($blog_url)
-modules/comment/views/admin_block_recent_comments.html.php 4 DIRTY_ATTR text::alternate("g-even","g-odd")
-modules/comment/views/admin_block_recent_comments.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(32,$theme->url(,true))
-modules/comment/views/admin_block_recent_comments.html.php 10 DIRTY gallery::date_time($comment->created)
-modules/comment/views/admin_comments.html.php 43 DIRTY $menu->render()
-modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR $comment->id
-modules/comment/views/admin_comments.html.php 107 DIRTY_ATTR text::alternate("g-odd","g-even")
-modules/comment/views/admin_comments.html.php 110 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
-modules/comment/views/admin_comments.html.php 123 DIRTY_JS $item->url()
-modules/comment/views/admin_comments.html.php 125 DIRTY_ATTR $item->thumb_url()
-modules/comment/views/admin_comments.html.php 127 DIRTY photo::img_dimensions($item->thumb_width,$item->thumb_height,75)
-modules/comment/views/admin_comments.html.php 135 DIRTY gallery::date($comment->created)
-modules/comment/views/admin_comments.html.php 142 DIRTY_JS $comment->id
-modules/comment/views/admin_comments.html.php 151 DIRTY_JS $comment->id
-modules/comment/views/admin_comments.html.php 160 DIRTY_JS $comment->id
-modules/comment/views/admin_comments.html.php 169 DIRTY_JS $comment->id
-modules/comment/views/admin_comments.html.php 176 DIRTY_JS $comment->id
-modules/comment/views/admin_comments.html.php 184 DIRTY_JS $comment->id
-modules/comment/views/admin_comments.html.php 197 DIRTY $pager
-modules/comment/views/comment.html.php 2 DIRTY_ATTR $comment->id;
-modules/comment/views/comment.html.php 5 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
-modules/comment/views/comment.mrss.php 10 DIRTY $feed->uri
-modules/comment/views/comment.mrss.php 13 DIRTY_JS $feed->uri
-modules/comment/views/comment.mrss.php 16 DIRTY_JS $feed->previous_page_uri
-modules/comment/views/comment.mrss.php 19 DIRTY_JS $feed->next_page_uri
-modules/comment/views/comment.mrss.php 21 DIRTY $pub_date
-modules/comment/views/comment.mrss.php 22 DIRTY $pub_date
-modules/comment/views/comment.mrss.php 28 DIRTY $child->item_uri
-modules/comment/views/comment.mrss.php 29 DIRTY $child->pub_date
-modules/comment/views/comment.mrss.php 34 DIRTY_ATTR $child->thumb_url
-modules/comment/views/comment.mrss.php 35 DIRTY_ATTR $child->thumb_height
-modules/comment/views/comment.mrss.php 35 DIRTY_ATTR $child->thumb_width
-modules/comment/views/comments.html.php 16 DIRTY_ATTR $comment->id
-modules/comment/views/comments.html.php 19 DIRTY_ATTR $comment->author()->avatar_url(40,$theme->url(,true))
-modules/digibug/views/digibug_form.html.php 4 DIRTY form::open("http://www.digibug.com/dapi/order.php")
-modules/digibug/views/digibug_form.html.php 5 DIRTY form::hidden($order_parms)
-modules/digibug/views/digibug_form.html.php 6 DIRTY form::close()
-modules/exif/views/exif_dialog.html.php 14 DIRTY $details[$i]["caption"]
-modules/exif/views/exif_dialog.html.php 21 DIRTY $details[$i]["caption"]
-modules/g2_import/views/admin_g2_import.html.php 29 DIRTY $form
 modules/gallery/views/admin_advanced_settings.html.php 21 DIRTY_ATTR text::alternate("g-odd","g-even")
 modules/gallery/views/admin_advanced_settings.html.php 22 DIRTY $var->module_name
 modules/gallery/views/admin_block_log_entries.html.php 4 DIRTY_ATTR log::severity_class($entry->severity)
@@ -216,171 +174,3 @@ modules/gallery/views/upgrader.html.php 77 DIRTY $modul
 modules/gallery/views/upgrader.html.php 99 DIRTY_ATTR $done?"muted":""
 modules/gallery/views/upgrader.html.php 102 DIRTY_ATTR $done?"muted":""
 modules/gallery/views/user_languages_block.html.php 2 DIRTY form::dropdown("g-select-session-locale",$installed_locales,$selected)
-modules/image_block/views/image_block_block.html.php 3 DIRTY_JS $item->url()
-modules/image_block/views/image_block_block.html.php 4 DIRTY $item->thumb_img(array("class"=>"g-thumbnail"))
-modules/info/views/info_block.html.php 22 DIRTY date("M j, Y H:i:s",$item->captured)
-modules/info/views/info_block.html.php 29 DIRTY_JS $item->owner->url
-modules/notification/views/comment_published.html.php 28 DIRTY_JS $comment->item()->abs_url()
-modules/notification/views/comment_published.html.php 29 DIRTY $comment->item()->abs_url()
-modules/notification/views/item_added.html.php 16 DIRTY_JS $item->abs_url()
-modules/notification/views/item_added.html.php 17 DIRTY $item->abs_url()
-modules/notification/views/item_deleted.html.php 18 DIRTY_JS $item->parent()->abs_url()
-modules/notification/views/item_deleted.html.php 19 DIRTY $item->parent()->abs_url()
-modules/notification/views/item_updated.html.php 20 DIRTY_JS $item->abs_url()
-modules/notification/views/item_updated.html.php 20 DIRTY $item->abs_url()
-modules/organize/views/organize_dialog.html.php 3 DIRTY_JS url::site("organize/move_to/__ALBUM_ID__?csrf=$csrf")
-modules/organize/views/organize_dialog.html.php 4 DIRTY_JS url::site("organize/rearrange/__TARGET_ID__/__BEFORE__?csrf=$csrf")
-modules/organize/views/organize_dialog.html.php 5 DIRTY_JS url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf")
-modules/organize/views/organize_dialog.html.php 6 DIRTY_JS url::site("organize/tree/__ALBUM_ID__")
-modules/organize/views/organize_dialog.html.php 14 DIRTY $album_tree
-modules/organize/views/organize_dialog.html.php 24 DIRTY $micro_thumb_grid
-modules/organize/views/organize_dialog.html.php 32 DIRTY form::dropdown(array("id"=>"g-organize-sort-column"),album::get_sort_order_options(),$album->sort_column)
-modules/organize/views/organize_dialog.html.php 33 DIRTY form::dropdown(array("id"=>"g-organize-sort-order"),array("ASC"=>"Ascending","DESC"=>"Descending"),$album->sort_order)
-modules/organize/views/organize_thumb_grid.html.php 3 DIRTY_ATTR $child->id
-modules/organize/views/organize_thumb_grid.html.php 4 DIRTY_ATTR $child->id
-modules/organize/views/organize_thumb_grid.html.php 5 DIRTY_ATTR $child->is_album()?"g-album":"g-photo"
-modules/organize/views/organize_thumb_grid.html.php 6 DIRTY $child->thumb_img(array("class"=>"g-thumbnail","ref"=>$child->id),90,true)
-modules/organize/views/organize_thumb_grid.html.php 7 DIRTY $child->is_album()?" class=\"ui-icon ui-icon-note\"":""
-modules/organize/views/organize_thumb_grid.html.php 15 DIRTY_JS url::site("organize/album/$album->id/".($offset+25))
-modules/organize/views/organize_tree.html.php 2 DIRTY_ATTR access::can("edit",$album)?"":"g-view-only"
-modules/organize/views/organize_tree.html.php 3 DIRTY_ATTR $album->id
-modules/organize/views/organize_tree.html.php 6 DIRTY_ATTR $selected&&$album->id==$selected->id?"selected":""
-modules/organize/views/organize_tree.html.php 7 DIRTY_ATTR $album->id
-modules/organize/views/organize_tree.html.php 13 DIRTY View::factory("organize_tree.html",array("selected"=>$selected,"album"=>$child));
-modules/organize/views/organize_tree.html.php 15 DIRTY_ATTR access::can("edit",$child)?"":"g-view-only"
-modules/organize/views/organize_tree.html.php 16 DIRTY_ATTR $child->id
-modules/organize/views/organize_tree.html.php 18 DIRTY_ATTR $child->id
-modules/recaptcha/views/admin_recaptcha.html.php 11 DIRTY $form
-modules/recaptcha/views/admin_recaptcha.html.php 23 DIRTY_JS $public_key
-modules/recaptcha/views/form_recaptcha.html.php 7 DIRTY_JS $public_key
-modules/rss/views/feed.mrss.php 10 DIRTY $feed->uri
-modules/rss/views/feed.mrss.php 13 DIRTY_JS $feed->uri
-modules/rss/views/feed.mrss.php 16 DIRTY_JS $feed->previous_page_uri
-modules/rss/views/feed.mrss.php 19 DIRTY_JS $feed->next_page_uri
-modules/rss/views/feed.mrss.php 21 DIRTY $pub_date
-modules/rss/views/feed.mrss.php 22 DIRTY $pub_date
-modules/rss/views/feed.mrss.php 28 DIRTY date("D, d M Y H:i:s T",$child->created);
-modules/rss/views/feed.mrss.php 35 DIRTY_ATTR $child->resize_url(true)
-modules/rss/views/feed.mrss.php 37 DIRTY_ATTR $child->resize_height
-modules/rss/views/feed.mrss.php 37 DIRTY_ATTR $child->resize_width
-modules/rss/views/feed.mrss.php 40 DIRTY_ATTR $child->thumb_url(true)
-modules/rss/views/feed.mrss.php 42 DIRTY_ATTR $child->thumb_height
-modules/rss/views/feed.mrss.php 42 DIRTY_ATTR $child->thumb_width
-modules/rss/views/feed.mrss.php 48 DIRTY_ATTR $child->thumb_url(true)
-modules/rss/views/feed.mrss.php 49 DIRTY_ATTR $child->thumb_height
-modules/rss/views/feed.mrss.php 50 DIRTY_ATTR $child->thumb_width
-modules/rss/views/feed.mrss.php 54 DIRTY_ATTR $child->resize_url(true)
-modules/rss/views/feed.mrss.php 55 DIRTY_ATTR @filesize($child->resize_path())
-modules/rss/views/feed.mrss.php 56 DIRTY_ATTR $child->mime_type
-modules/rss/views/feed.mrss.php 57 DIRTY_ATTR $child->resize_height
-modules/rss/views/feed.mrss.php 58 DIRTY_ATTR $child->resize_width
-modules/rss/views/feed.mrss.php 62 DIRTY_ATTR $child->file_url(true)
-modules/rss/views/feed.mrss.php 63 DIRTY_ATTR @filesize($child->file_path())
-modules/rss/views/feed.mrss.php 64 DIRTY_ATTR $child->mime_type
-modules/rss/views/feed.mrss.php 65 DIRTY_ATTR $child->height
-modules/rss/views/feed.mrss.php 66 DIRTY_ATTR $child->width
-modules/rss/views/feed.mrss.php 70 DIRTY_ATTR $child->file_url(true)
-modules/rss/views/feed.mrss.php 71 DIRTY_ATTR @filesize($child->file_path())
-modules/rss/views/feed.mrss.php 72 DIRTY_ATTR $child->height
-modules/rss/views/feed.mrss.php 73 DIRTY_ATTR $child->width
-modules/rss/views/feed.mrss.php 74 DIRTY_ATTR $child->mime_type
-modules/rss/views/rss_block.html.php 6 DIRTY_JS rss::url($url)
-modules/search/views/search.html.php 30 DIRTY_ATTR $item_class
-modules/search/views/search.html.php 31 DIRTY_JS $item->url()
-modules/search/views/search.html.php 32 DIRTY $item->thumb_img()
-modules/search/views/search.html.php 43 DIRTY $theme->paginator()
-modules/server_add/views/admin_server_add.html.php 5 DIRTY $form
-modules/server_add/views/admin_server_add.html.php 15 DIRTY_ATTR $id
-modules/server_add/views/server_add_tree.html.php 20 DIRTY_ATTR is_dir($file)?"ui-icon-folder-collapsed":"ui-icon-document"
-modules/server_add/views/server_add_tree.html.php 21 DIRTY_ATTR is_dir($file)?"g-directory":"g-file"
-modules/server_add/views/server_add_tree_dialog.html.php 3 DIRTY_JS url::site("server_add/children?path=__PATH__")
-modules/server_add/views/server_add_tree_dialog.html.php 4 DIRTY_JS url::site("server_add/start?item_id={$item->id}&csrf=$csrf")
-modules/server_add/views/server_add_tree_dialog.html.php 21 DIRTY $tree
-modules/tag/views/admin_tags.html.php 45 DIRTY_ATTR $tag->id
-modules/tag/views/admin_tags.html.php 46 DIRTY $tag->count
-modules/tag/views/tag_block.html.php 27 DIRTY $cloud
-modules/tag/views/tag_block.html.php 29 DIRTY $form
-modules/tag/views/tag_cloud.html.php 4 DIRTY_ATTR (int)(($tag->count/$max_count)*7)
-modules/tag/views/tag_cloud.html.php 5 DIRTY $tag->count
-modules/tag/views/tag_cloud.html.php 6 DIRTY_JS $tag->url()
-modules/user/views/admin_users.html.php 3 DIRTY_JS url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=$csrf")
-modules/user/views/admin_users.html.php 26 DIRTY_JS url::site("admin/users/group/__GROUPID__")
-modules/user/views/admin_users.html.php 36 DIRTY_JS url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=$csrf")
-modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->id
-modules/user/views/admin_users.html.php 71 DIRTY_ATTR text::alternate("g-odd","g-even")
-modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->admin?"g-admin":""
-modules/user/views/admin_users.html.php 72 DIRTY_ATTR $user->id
-modules/user/views/admin_users.html.php 73 DIRTY_ATTR $user->avatar_url(20,$theme->url(,true))
-modules/user/views/admin_users.html.php 87 DIRTY ($user->last_login==0)?"":gallery::date($user->last_login)
-modules/user/views/admin_users.html.php 123 DIRTY_ATTR $group->id
-modules/user/views/admin_users.html.php 123 DIRTY_ATTR ($group->special?"g-default-group":"")
-modules/user/views/admin_users.html.php 125 DIRTY $v
-modules/user/views/admin_users_group.html.php 22 DIRTY_JS $user->id
-modules/user/views/admin_users_group.html.php 22 DIRTY_JS $group->id
-modules/user/views/user_form.html.php 7 DIRTY $form
-modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width
-modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $height
-modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $url
-themes/admin_wind/views/admin.html.php 16 DIRTY_JS $theme->url()
-themes/admin_wind/views/admin.html.php 33 DIRTY $theme->admin_head()
-themes/admin_wind/views/admin.html.php 37 DIRTY $theme->admin_page_top()
-themes/admin_wind/views/admin.html.php 45 DIRTY $theme->admin_header_top()
-themes/admin_wind/views/admin.html.php 60 DIRTY_JS item::root()->url()
-themes/admin_wind/views/admin.html.php 64 DIRTY $theme->admin_menu()
-themes/admin_wind/views/admin.html.php 66 DIRTY $theme->admin_header_bottom()
-themes/admin_wind/views/admin.html.php 73 DIRTY $content
-themes/admin_wind/views/admin.html.php 79 DIRTY $sidebar
-themes/admin_wind/views/admin.html.php 84 DIRTY $theme->admin_footer()
-themes/admin_wind/views/admin.html.php 86 DIRTY $theme->admin_credits()
-themes/admin_wind/views/admin.html.php 90 DIRTY $theme->admin_page_bottom()
-themes/admin_wind/views/block.html.php 3 DIRTY_ATTR $anchor
-themes/admin_wind/views/block.html.php 5 DIRTY $id
-themes/admin_wind/views/block.html.php 5 DIRTY_ATTR $css_id
-themes/admin_wind/views/block.html.php 13 DIRTY $title
-themes/admin_wind/views/block.html.php 16 DIRTY $content
-themes/admin_wind/views/pager.html.php 13 DIRTY_JS str_replace('{page}',1,$url)
-themes/admin_wind/views/pager.html.php 20 DIRTY_JS str_replace('{page}',$previous_page,$url)
-themes/admin_wind/views/pager.html.php 27 DIRTY $from_to_msg
-themes/admin_wind/views/pager.html.php 30 DIRTY_JS str_replace('{page}',$next_page,$url)
-themes/admin_wind/views/pager.html.php 37 DIRTY_JS str_replace('{page}',$last_page,$url)
-themes/wind/views/album.html.php 16 DIRTY_ATTR $child->id
-themes/wind/views/album.html.php 16 DIRTY_ATTR $item_class
-themes/wind/views/album.html.php 18 DIRTY_JS $child->url()
-themes/wind/views/album.html.php 19 DIRTY $child->thumb_img(array("class"=>"g-thumbnail"))
-themes/wind/views/album.html.php 23 DIRTY_ATTR $item_class
-themes/wind/views/album.html.php 24 DIRTY_JS $child->url()
-themes/wind/views/album.html.php 42 DIRTY $theme->paginator()
-themes/wind/views/block.html.php 3 DIRTY_ATTR $anchor
-themes/wind/views/block.html.php 5 DIRTY_ATTR $css_id
-themes/wind/views/block.html.php 6 DIRTY $title
-themes/wind/views/block.html.php 8 DIRTY $content
-themes/wind/views/dynamic.html.php 11 DIRTY_ATTR $child->is_album()?"g-album":""
-themes/wind/views/dynamic.html.php 13 DIRTY_JS $child->url()
-themes/wind/views/dynamic.html.php 14 DIRTY_ATTR $child->id
-themes/wind/views/dynamic.html.php 15 DIRTY_ATTR $child->thumb_url()
-themes/wind/views/dynamic.html.php 16 DIRTY_ATTR $child->thumb_width
-themes/wind/views/dynamic.html.php 17 DIRTY_ATTR $child->thumb_height
-themes/wind/views/dynamic.html.php 29 DIRTY $theme->paginator()
-themes/wind/views/movie.html.php 5 DIRTY $theme->paginator()
-themes/wind/views/movie.html.php 8 DIRTY $item->movie_img(array("class"=>"g-movie","id"=>"g-movie-id-{$item->id}"))
-themes/wind/views/page.html.php 9 DIRTY $page_title
-themes/wind/views/page.html.php 33 DIRTY_JS $theme->url()
-themes/wind/views/page.html.php 42 DIRTY $new_width
-themes/wind/views/page.html.php 43 DIRTY $new_height
-themes/wind/views/page.html.php 44 DIRTY $thumb_proportion
-themes/wind/views/page.html.php 81 DIRTY $header_text
-themes/wind/views/page.html.php 83 DIRTY_JS item::root()->url()
-themes/wind/views/page.html.php 87 DIRTY $theme->user_menu()
-themes/wind/views/page.html.php 104 DIRTY_JS $parent->url($parent==$theme->item()->parent()?"show={$theme->item()->id}":null)
-themes/wind/views/page.html.php 120 DIRTY $content
-themes/wind/views/page.html.php 126 DIRTY newView("sidebar.html")
-themes/wind/views/page.html.php 133 DIRTY $footer_text
-themes/wind/views/paginator.html.php 33 DIRTY_JS $first_page_url
-themes/wind/views/paginator.html.php 42 DIRTY_JS $previous_page_url
-themes/wind/views/paginator.html.php 70 DIRTY_JS $next_page_url
-themes/wind/views/paginator.html.php 79 DIRTY_JS $last_page_url
-themes/wind/views/photo.html.php 8 DIRTY_JS $theme->item()->width
-themes/wind/views/photo.html.php 8 DIRTY_JS $theme->item()->height
-themes/wind/views/photo.html.php 18 DIRTY $theme->paginator()
-themes/wind/views/photo.html.php 23 DIRTY_JS $item->file_url()
-themes/wind/views/photo.html.php 25 DIRTY $item->resize_img(array("id"=>"g-photo-id-{$item->id}","class"=>"g-resize"))
diff --git a/modules/image_block/tests/xss_data.txt b/modules/image_block/tests/xss_data.txt
new file mode 100644
index 00000000..1e7ce6ce
--- /dev/null
+++ b/modules/image_block/tests/xss_data.txt
@@ -0,0 +1,2 @@
+modules/image_block/views/image_block_block.html.php 3 DIRTY_JS $item->url()
+modules/image_block/views/image_block_block.html.php 4 DIRTY $item->thumb_img(array("class"=>"g-thumbnail"))
diff --git a/modules/info/tests/xss_data.txt b/modules/info/tests/xss_data.txt
new file mode 100644
index 00000000..c4dd00cc
--- /dev/null
+++ b/modules/info/tests/xss_data.txt
@@ -0,0 +1,2 @@
+modules/info/views/info_block.html.php 22 DIRTY date("M j, Y H:i:s",$item->captured)
+modules/info/views/info_block.html.php 29 DIRTY_JS $item->owner->url
diff --git a/modules/notification/tests/xss_data.txt b/modules/notification/tests/xss_data.txt
new file mode 100644
index 00000000..1a80a6e8
--- /dev/null
+++ b/modules/notification/tests/xss_data.txt
@@ -0,0 +1,8 @@
+modules/notification/views/comment_published.html.php 28 DIRTY_JS $comment->item()->abs_url()
+modules/notification/views/comment_published.html.php 29 DIRTY $comment->item()->abs_url()
+modules/notification/views/item_added.html.php 16 DIRTY_JS $item->abs_url()
+modules/notification/views/item_added.html.php 17 DIRTY $item->abs_url()
+modules/notification/views/item_deleted.html.php 18 DIRTY_JS $item->parent()->abs_url()
+modules/notification/views/item_deleted.html.php 19 DIRTY $item->parent()->abs_url()
+modules/notification/views/item_updated.html.php 20 DIRTY_JS $item->abs_url()
+modules/notification/views/item_updated.html.php 20 DIRTY $item->abs_url()
diff --git a/modules/organize/tests/xss_data.txt b/modules/organize/tests/xss_data.txt
new file mode 100644
index 00000000..ced5602b
--- /dev/null
+++ b/modules/organize/tests/xss_data.txt
@@ -0,0 +1,22 @@
+modules/organize/views/organize_dialog.html.php 3 DIRTY_JS url::site("organize/move_to/__ALBUM_ID__?csrf=$csrf")
+modules/organize/views/organize_dialog.html.php 4 DIRTY_JS url::site("organize/rearrange/__TARGET_ID__/__BEFORE__?csrf=$csrf")
+modules/organize/views/organize_dialog.html.php 5 DIRTY_JS url::site("organize/sort_order/__ALBUM_ID__/__COL__/__DIR__?csrf=$csrf")
+modules/organize/views/organize_dialog.html.php 6 DIRTY_JS url::site("organize/tree/__ALBUM_ID__")
+modules/organize/views/organize_dialog.html.php 14 DIRTY $album_tree
+modules/organize/views/organize_dialog.html.php 24 DIRTY $micro_thumb_grid
+modules/organize/views/organize_dialog.html.php 32 DIRTY form::dropdown(array("id"=>"g-organize-sort-column"),album::get_sort_order_options(),$album->sort_column)
+modules/organize/views/organize_dialog.html.php 33 DIRTY form::dropdown(array("id"=>"g-organize-sort-order"),array("ASC"=>"Ascending","DESC"=>"Descending"),$album->sort_order)
+modules/organize/views/organize_thumb_grid.html.php 3 DIRTY_ATTR $child->id
+modules/organize/views/organize_thumb_grid.html.php 4 DIRTY_ATTR $child->id
+modules/organize/views/organize_thumb_grid.html.php 5 DIRTY_ATTR $child->is_album()?"g-album":"g-photo"
+modules/organize/views/organize_thumb_grid.html.php 6 DIRTY $child->thumb_img(array("class"=>"g-thumbnail","ref"=>$child->id),90,true)
+modules/organize/views/organize_thumb_grid.html.php 7 DIRTY $child->is_album()?" class=\"ui-icon ui-icon-note\"":""
+modules/organize/views/organize_thumb_grid.html.php 15 DIRTY_JS url::site("organize/album/$album->id/".($offset+25))
+modules/organize/views/organize_tree.html.php 2 DIRTY_ATTR access::can("edit",$album)?"":"g-view-only"
+modules/organize/views/organize_tree.html.php 3 DIRTY_ATTR $album->id
+modules/organize/views/organize_tree.html.php 6 DIRTY_ATTR $selected&&$album->id==$selected->id?"selected":""
+modules/organize/views/organize_tree.html.php 7 DIRTY_ATTR $album->id
+modules/organize/views/organize_tree.html.php 13 DIRTY View::factory("organize_tree.html",array("selected"=>$selected,"album"=>$child));
+modules/organize/views/organize_tree.html.php 15 DIRTY_ATTR access::can("edit",$child)?"":"g-view-only"
+modules/organize/views/organize_tree.html.php 16 DIRTY_ATTR $child->id
+modules/organize/views/organize_tree.html.php 18 DIRTY_ATTR $child->id
diff --git a/modules/recaptcha/tests/xss_data.txt b/modules/recaptcha/tests/xss_data.txt
new file mode 100644
index 00000000..2729d196
--- /dev/null
+++ b/modules/recaptcha/tests/xss_data.txt
@@ -0,0 +1,3 @@
+modules/recaptcha/views/admin_recaptcha.html.php 11 DIRTY $form
+modules/recaptcha/views/admin_recaptcha.html.php 23 DIRTY_JS $public_key
+modules/recaptcha/views/form_recaptcha.html.php 7 DIRTY_JS $public_key
diff --git a/modules/rss/tests/xss_data.txt b/modules/rss/tests/xss_data.txt
new file mode 100644
index 00000000..468e403b
--- /dev/null
+++ b/modules/rss/tests/xss_data.txt
@@ -0,0 +1,32 @@
+modules/rss/views/feed.mrss.php 10 DIRTY $feed->uri
+modules/rss/views/feed.mrss.php 13 DIRTY_JS $feed->uri
+modules/rss/views/feed.mrss.php 16 DIRTY_JS $feed->previous_page_uri
+modules/rss/views/feed.mrss.php 19 DIRTY_JS $feed->next_page_uri
+modules/rss/views/feed.mrss.php 21 DIRTY $pub_date
+modules/rss/views/feed.mrss.php 22 DIRTY $pub_date
+modules/rss/views/feed.mrss.php 28 DIRTY date("D, d M Y H:i:s T",$child->created);
+modules/rss/views/feed.mrss.php 35 DIRTY_ATTR $child->resize_url(true)
+modules/rss/views/feed.mrss.php 37 DIRTY_ATTR $child->resize_height
+modules/rss/views/feed.mrss.php 37 DIRTY_ATTR $child->resize_width
+modules/rss/views/feed.mrss.php 40 DIRTY_ATTR $child->thumb_url(true)
+modules/rss/views/feed.mrss.php 42 DIRTY_ATTR $child->thumb_height
+modules/rss/views/feed.mrss.php 42 DIRTY_ATTR $child->thumb_width
+modules/rss/views/feed.mrss.php 48 DIRTY_ATTR $child->thumb_url(true)
+modules/rss/views/feed.mrss.php 49 DIRTY_ATTR $child->thumb_height
+modules/rss/views/feed.mrss.php 50 DIRTY_ATTR $child->thumb_width
+modules/rss/views/feed.mrss.php 54 DIRTY_ATTR $child->resize_url(true)
+modules/rss/views/feed.mrss.php 55 DIRTY_ATTR @filesize($child->resize_path())
+modules/rss/views/feed.mrss.php 56 DIRTY_ATTR $child->mime_type
+modules/rss/views/feed.mrss.php 57 DIRTY_ATTR $child->resize_height
+modules/rss/views/feed.mrss.php 58 DIRTY_ATTR $child->resize_width
+modules/rss/views/feed.mrss.php 62 DIRTY_ATTR $child->file_url(true)
+modules/rss/views/feed.mrss.php 63 DIRTY_ATTR @filesize($child->file_path())
+modules/rss/views/feed.mrss.php 64 DIRTY_ATTR $child->mime_type
+modules/rss/views/feed.mrss.php 65 DIRTY_ATTR $child->height
+modules/rss/views/feed.mrss.php 66 DIRTY_ATTR $child->width
+modules/rss/views/feed.mrss.php 70 DIRTY_ATTR $child->file_url(true)
+modules/rss/views/feed.mrss.php 71 DIRTY_ATTR @filesize($child->file_path())
+modules/rss/views/feed.mrss.php 72 DIRTY_ATTR $child->height
+modules/rss/views/feed.mrss.php 73 DIRTY_ATTR $child->width
+modules/rss/views/feed.mrss.php 74 DIRTY_ATTR $child->mime_type
+modules/rss/views/rss_block.html.php 6 DIRTY_JS rss::url($url)
diff --git a/modules/search/tests/xss_data.txt b/modules/search/tests/xss_data.txt
new file mode 100644
index 00000000..f0665988
--- /dev/null
+++ b/modules/search/tests/xss_data.txt
@@ -0,0 +1,4 @@
+modules/search/views/search.html.php 30 DIRTY_ATTR $item_class
+modules/search/views/search.html.php 31 DIRTY_JS $item->url()
+modules/search/views/search.html.php 32 DIRTY $item->thumb_img()
+modules/search/views/search.html.php 43 DIRTY $theme->paginator()
diff --git a/modules/server_add/tests/xss_data.txt b/modules/server_add/tests/xss_data.txt
new file mode 100644
index 00000000..0e52c313
--- /dev/null
+++ b/modules/server_add/tests/xss_data.txt
@@ -0,0 +1,7 @@
+modules/server_add/views/admin_server_add.html.php 5 DIRTY $form
+modules/server_add/views/admin_server_add.html.php 15 DIRTY_ATTR $id
+modules/server_add/views/server_add_tree.html.php 20 DIRTY_ATTR is_dir($file)?"ui-icon-folder-collapsed":"ui-icon-document"
+modules/server_add/views/server_add_tree.html.php 21 DIRTY_ATTR is_dir($file)?"g-directory":"g-file"
+modules/server_add/views/server_add_tree_dialog.html.php 3 DIRTY_JS url::site("server_add/children?path=__PATH__")
+modules/server_add/views/server_add_tree_dialog.html.php 4 DIRTY_JS url::site("server_add/start?item_id={$item->id}&csrf=$csrf")
+modules/server_add/views/server_add_tree_dialog.html.php 21 DIRTY $tree
diff --git a/modules/tag/tests/xss_data.txt b/modules/tag/tests/xss_data.txt
new file mode 100644
index 00000000..7306a10c
--- /dev/null
+++ b/modules/tag/tests/xss_data.txt
@@ -0,0 +1,7 @@
+modules/tag/views/admin_tags.html.php 45 DIRTY_ATTR $tag->id
+modules/tag/views/admin_tags.html.php 46 DIRTY $tag->count
+modules/tag/views/tag_block.html.php 27 DIRTY $cloud
+modules/tag/views/tag_block.html.php 29 DIRTY $form
+modules/tag/views/tag_cloud.html.php 4 DIRTY_ATTR (int)(($tag->count/$max_count)*7)
+modules/tag/views/tag_cloud.html.php 5 DIRTY $tag->count
+modules/tag/views/tag_cloud.html.php 6 DIRTY_JS $tag->url()
diff --git a/modules/user/tests/xss_data.txt b/modules/user/tests/xss_data.txt
new file mode 100644
index 00000000..38e52c0d
--- /dev/null
+++ b/modules/user/tests/xss_data.txt
@@ -0,0 +1,15 @@
+modules/user/views/admin_users.html.php 3 DIRTY_JS url::site("admin/users/add_user_to_group/__USERID__/__GROUPID__?csrf=$csrf")
+modules/user/views/admin_users.html.php 26 DIRTY_JS url::site("admin/users/group/__GROUPID__")
+modules/user/views/admin_users.html.php 36 DIRTY_JS url::site("admin/users/remove_user_from_group/__USERID__/__GROUPID__?csrf=$csrf")
+modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->id
+modules/user/views/admin_users.html.php 71 DIRTY_ATTR text::alternate("g-odd","g-even")
+modules/user/views/admin_users.html.php 71 DIRTY_ATTR $user->admin?"g-admin":""
+modules/user/views/admin_users.html.php 72 DIRTY_ATTR $user->id
+modules/user/views/admin_users.html.php 73 DIRTY_ATTR $user->avatar_url(20,$theme->url(,true))
+modules/user/views/admin_users.html.php 87 DIRTY ($user->last_login==0)?"":gallery::date($user->last_login)
+modules/user/views/admin_users.html.php 123 DIRTY_ATTR $group->id
+modules/user/views/admin_users.html.php 123 DIRTY_ATTR ($group->special?"g-default-group":"")
+modules/user/views/admin_users.html.php 125 DIRTY $v
+modules/user/views/admin_users_group.html.php 22 DIRTY_JS $user->id
+modules/user/views/admin_users_group.html.php 22 DIRTY_JS $group->id
+modules/user/views/user_form.html.php 7 DIRTY $form
diff --git a/modules/watermark/tests/xss_data.txt b/modules/watermark/tests/xss_data.txt
new file mode 100644
index 00000000..b131ea1a
--- /dev/null
+++ b/modules/watermark/tests/xss_data.txt
@@ -0,0 +1,3 @@
+modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $width
+modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $height
+modules/watermark/views/admin_watermarks.html.php 20 DIRTY_ATTR $url
|