authorthomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>2009-03-02 14:46:12 +0000
committerthomasb <thomasb@208e9e7b-5314-0410-a742-e7e81cd9613c>2009-03-02 14:46:12 +0000
commit8cca782e9d0cc388bc3fe3edd66c879a7f9216ab (patch)
tree6f7105c7f996cc4ffc3db700bad4e1ffd0ca92dc /roundcubemail/tests/modcss.php
parent9ce66dd16c281d6fb3f927edaa16ec32c656a0a8 (diff)
Create some basic unit tests based on simpletest.org
git-svn-id: https://svn.roundcube.net/trunk@2323 208e9e7b-5314-0410-a742-e7e81cd9613c
Diffstat (limited to 'roundcubemail/tests/modcss.php')
-rw-r--r--roundcubemail/tests/modcss.php45
1 files changed, 45 insertions, 0 deletions
diff --git a/roundcubemail/tests/modcss.php b/roundcubemail/tests/modcss.php
new file mode 100644
index 000000000..f9271ff65
--- /dev/null
+++ b/roundcubemail/tests/modcss.php
@@ -0,0 +1,45 @@
+<?php
+
+/**
+ * Test class to test rcmail_mod_css_styles and XSS vulnerabilites
+ *
+ * @package Tests
+ */
+class rcube_test_modcss extends UnitTestCase
+{
+
+ function __construct()
+ {
+ $this->UnitTestCase('CSS modification and vulnerability tests');
+ }
+
+ function test_modcss()
+ {
+ $css = file_get_contents(TESTS_DIR . 'src/valid.css');
+ $mod = rcmail_mod_css_styles($css, 'rcmbody');
+
+ $this->assertPattern('/#rcmbody div.rcmBody\s+\{/', $mod, "Replace body style definition");
+ $this->assertPattern('/#rcmbody h1\s\{/', $mod, "Prefix tag styles (single)");
+ $this->assertPattern('/#rcmbody h1, #rcmbody h2, #rcmbody h3, #rcmbody textarea\s+\{/', $mod, "Prefix tag styles (multiple)");
+ $this->assertPattern('/#rcmbody \.noscript\s+\{/', $mod, "Prefix class styles");
+ }
+
+ function test_xss()
+ {
+ $mod = rcmail_mod_css_styles("body.main2cols { background-image: url('../images/leftcol.png'); }", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "No url() values allowed");
+
+ $mod = rcmail_mod_css_styles("@import url('http://localhost/somestuff/css/master.css');", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "No import statements");
+
+ $mod = rcmail_mod_css_styles("left:expression(document.body.offsetWidth-20)", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "No expression properties");
+
+ $mod = rcmail_mod_css_styles("left:exp/* */ression( alert(&#039;xss3&#039;) )", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks");
+
+ $mod = rcmail_mod_css_styles("background:\\0075\\0072\\006c( javascript:alert(&#039;xss&#039;) )", 'rcmbody');
+ $this->assertEqual("/* evil! */", $mod, "Don't allow encoding quirks (2)");
+ }
+
+} \ No newline at end of file
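Review bot: The fixture read at the top of test_modcss is unchecked, so a missing or unreadable `src/valid.css` leaves `$css` as `false` and the failure shows up as four unrelated pattern mismatches instead of one clear message; add `$this->assertTrue($css !== false, "fixture src/valid.css readable");` before the rcmail_mod_css_styles call. The assertion patterns are also inconsistent: `h1\s\{` tolerates exactly one whitespace character while the neighbouring checks use `\s+`, and the unescaped `.` in `div.rcmBody` matches any character, so `'/#rcmbody div\.rcmBody\s+\{/'` is the tighter form. Every test_xss case asserts that the whole output collapses to `/* evil! */`, which (if the sanitizer's contract is whole-stylesheet rejection, as these expectations imply) pins the rejecting behaviour but cannot distinguish it from a sanitizer that rejects all input; a case with a benign declaration next to a rejected one, checking which part survives, would close that gap. The docblock has `vulnerabilites` for `vulnerabilities`, and the file lacks a trailing newline.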