fix(xss): test xss against original form (#200)

fixes #183
adobe · Jun 30, 2020 · 56f6733 · 56f6733
1 parent ddc849c
commit 56f6733
Show file tree

Hide file tree

Showing 5 changed files with 16 additions and 13 deletions.
diff --git a/src/runtime/xss_api.js b/src/runtime/xss_api.js
@@ -136,8 +136,7 @@ function escapeJSToken(input) {
 
 function sanitizeURL(url) {
   try {
-    const decodedUrl = decodeURIComponent(url);
-    if (XRegExp(RELATIVE_REF).test(decodedUrl) || XRegExp(URI).test(decodedUrl)) {
+    if (XRegExp(RELATIVE_REF).test(url) || XRegExp(URI).test(url)) {
       return url;
     }
   } catch (e) {

diff --git a/test/runtime_test.js b/test/runtime_test.js
@@ -59,6 +59,7 @@ const GLOBALS = {
     url4: 'javascript:alert(String.fromCharCode(48))', // avoiding quotes
     url5: '/foo', // rel part
     url6: 'https://www.primordialsoup.life/image.png', // absolute url
+    url7: 'https://via.placeholder.com/1280x550&text=desktop%201280x550', // escaped url
     breakAttr: '"><script>alert(0);</script>', // break out of html tag
     eventHandler: 'alert(0)',
     imgTag1: '<img src="javascript:alert(0)"/>',

diff --git a/test/templates/xss.htl b/test/templates/xss.htl
@@ -33,13 +33,14 @@
     <li>${xss.imgTag5}</li>
     <li><img src="fake.jpg" onerror="${xss.eventHandler}"/></li>
   </ul>
-  ${xss.scriptTag1}
-  ${xss.scriptTag2}
-  ${xss.scriptTag3}
+${xss.scriptTag1}
+${xss.scriptTag2}
+${xss.scriptTag3}
   <form action="${xss.breakAttr}" onsubmit="${xss.eventHandler}">
     <input name="test" value="${xss.breakAttr}"/>
   </form>
   <img src="${xss.url5}/bla.jpg" />
   <img src="${xss.url6}" />
+  <img src="${xss.url7}" />
 </body>
-</html>
+</html>
diff --git a/test/templates/xss.html b/test/templates/xss.html
@@ -33,13 +33,14 @@
     <li><img></li>
     <li><img src="fake.jpg" onerror="alert&#x28;0&#x29;"/></li>
   </ul>
-  
-  
-  
+
+
+
   <form action="&quot;&gt;&lt;script&gt;alert&#x28;0&#x29;&#x3b;&lt;&#x2f;script&gt;" onsubmit="alert&#x28;0&#x29;">
     <input name="test" value="&quot;&gt;&lt;script&gt;alert&#x28;0&#x29;&#x3b;&lt;&#x2f;script&gt;"/>
   </form>
   <img src="/foo/bla.jpg"/>
   <img src="https://www.primordialsoup.life/image.png"/>
+  <img src="https://via.placeholder.com/1280x550&text=desktop%201280x550"/>
 </body>
-</html>
+</html>
diff --git a/test/templates/xss_unsafe.html b/test/templates/xss_unsafe.html
@@ -33,13 +33,14 @@
     <li><img src="java&#x0A;script:alert(0)"/></li>
     <li><img src="fake.jpg" onerror="alert&#x28;0&#x29;"/></li>
   </ul>
-  <script>alert(0);</script>
-  <script src="http://do.not.serve/this.js"></script>
-  <script src="//do.not.serve/this.js"></script>
+<script>alert(0);</script>
+<script src="http://do.not.serve/this.js"></script>
+<script src="//do.not.serve/this.js"></script>
   <form action="&quot;&gt;&lt;script&gt;alert&#x28;0&#x29;&#x3b;&lt;&#x2f;script&gt;" onsubmit="alert&#x28;0&#x29;">
     <input name="test" value="&quot;&gt;&lt;script&gt;alert&#x28;0&#x29;&#x3b;&lt;&#x2f;script&gt;"/>
   </form>
   <img src="/foo/bla.jpg"/>
   <img src="https://www.primordialsoup.life/image.png"/>
+  <img src="https://via.placeholder.com/1280x550&text=desktop%201280x550"/>
 </body>
 </html>