summaryrefslogtreecommitdiff
path: root/modules/gallery/tests/Xss_Security_Test.php
AgeCommit message (Collapse)Author
2013-01-21Update copyright to 2013. Fixes #1953.Bharat Mediratta
2012-02-27Update copyright to 2012. #1822Bharat Mediratta
2011-01-21Update copyright to 2011.Bharat Mediratta
2010-03-03Update the copyright to 2010. It's only 3 months into the year :-)Bharat Mediratta
2010-01-19Extend Gallery_Unit_Test_Case instead of Unit_Test_Case.Bharat Mediratta
2009-09-23Correct indentationTim Almdal
2009-09-17- Add theme->movie_menu() to whitelisted methods.Andy Staudacher
- xss_data checkpoint
2009-09-01Remove debugging codeAndy Staudacher
2009-09-01Fix bug in XSS scanner for <script> block @ position 0 of inline_htmlAndy Staudacher
2009-08-31Add XSS check for HTML attributesAndy Staudacher
2009-08-31Add XSS check to ensure that html::js_string() is not preceded by a quote.Andy Staudacher
2009-08-31Adding XSS test for href="javascript: and onclick="..."Andy Staudacher
2009-08-31Rename mark_safe() to mark_clean()Andy Staudacher
2009-08-30Check for href="<?= $foo ?>" (malicious "javascript:..." string)Andy Staudacher
2009-08-30Tabs to spaces cleanupAndy Staudacher
2009-08-30Rename clean_js to js_string and have it return a complete JS string (with ↵Andy Staudacher
delimiters) instead of just the string contents. Benefits: Using json_encode(), which is very robust. And as a user, it's clearer how to use this API compared to what it was before.
2009-08-30Add $theme-> methods to Xss whitelist for HTML safety.Andy Staudacher
Updating XSS golden file.
2009-08-29Update all code to use helper method html::clean(), html::purify(), ... ↵Andy Staudacher
instead of SafeString directly.
2009-08-29Adding html::clean(), ::purify(), etc.Andy Staudacher
2009-08-29Undo url helper changes - url methods no longer return a SafeString.Andy Staudacher
Adding SafeString::of_safe_html() calls where urls are passed as parameters to t() and t2().
2009-08-29Fixing all detected XSS vectors in PHP->JS code.Andy Staudacher
Xss: Rename UNKNOWN back to DIRTY, JS_XSS to DIRTY_JS. (using a different flag value to highlight potential XSS vectors in JS)
2009-08-29Add more factory methods for convenience:Andy Staudacher
SafeString::purify() and SafeString::of_safe_html(). Removing SafeString::mark_html_safe() since it's no longer needed.
2009-08-29Have url::site() and other methods return a SafeString, just as t() and t2().Andy Staudacher
Benefits: - url::site() is often used in views and we can ensure in the url class that returned strings are indeed safe for use in HTML. Makes the list of vars of unknown safety status shorter. - url::site() is often used as message parameter to t() and t2(). The parameter would be HTML-escaped if it wasn't marked as safe HTML already. Makes the usage simpler / shorter.
2009-08-29Adding SafeString which is going to replace p::clean() and p::purify().Andy Staudacher
Refactoring of Xss_Security_Test. t() and t2() return a SafeString instance. TODO: - Update all code to use SafeString where appropriate. - Update golden fole of Xss_Security_Test - Stop reporting CLEAN vars in Xss_Security_Test
2009-07-16Update Xss_Security_Test to know about p::purify() and checkpoint theBharat Mediratta
golden file.
2009-06-05Remove source code copy artefactAndy Staudacher
2009-06-04Change "CLEAN" to an empty string to see if it's better visually.Bharat Mediratta
Looks like it is.
2009-05-31Update the clean/dirty format, check all ffiles instead of just one (which ↵Bharat Mediratta
was for debugging)
2009-05-31First pass at an XSS security test, along with the "p" helper whichBharat Mediratta
can clean HTML output.
generated by cgit v1.2.3 (git 2.46.0) at 2025-10-13 07:58:35 +0000