From 56f6733d3b9f1b1535d2ad738e520200ed5f9e90 Mon Sep 17 00:00:00 2001
From: Tobias Bocanegra
Date: Tue, 30 Jun 2020 13:44:51 +0900
Subject: [PATCH] fix(xss): test xss against original form (#200)
fixes #183
---
 src/runtime/xss_api.js | 3 +--
 test/runtime_test.js | 1 +
 test/templates/xss.htl | 9 +++++----
 test/templates/xss.html | 9 +++++----
 test/templates/xss_unsafe.html | 7 ++++---
 5 files changed, 16 insertions(+), 13 deletions(-)
diff --git a/src/runtime/xss_api.js b/src/runtime/xss_api.js
index ce06ca5..f5470ff 100644
--- a/src/runtime/xss_api.js
+++ b/src/runtime/xss_api.js
@@ -136,8 +136,7 @@ function escapeJSToken(input) {
 function sanitizeURL(url) {
 try {
- const decodedUrl = decodeURIComponent(url);
- if (XRegExp(RELATIVE_REF).test(decodedUrl) || XRegExp(URI).test(decodedUrl)) {
+ if (XRegExp(RELATIVE_REF).test(url) || XRegExp(URI).test(url)) {
 return url;
 }
 } catch (e) {
diff --git a/test/runtime_test.js b/test/runtime_test.js
index 41070d5..c6ecaf6 100644
--- a/test/runtime_test.js
+++ b/test/runtime_test.js
@@ -59,6 +59,7 @@ const GLOBALS = {
 url4: 'javascript:alert(String.fromCharCode(48))', // avoiding quotes
 url5: '/foo', // rel part
 url6: 'https://www.primordialsoup.life/image.png', // absolute url
+ url7: 'https://via.placeholder.com/1280x550&text=desktop%201280x550', // escaped url
 breakAttr: '">', // break out of html tag
 eventHandler: 'alert(0)',
 imgTag1: '',
diff --git a/test/templates/xss.htl b/test/templates/xss.htl
index fa05f8c..be30346 100644
--- a/test/templates/xss.htl
+++ b/test/templates/xss.htl
@@ -33,13 +33,14 @@
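Review bot: With `decodeURIComponent` removed, nothing left inside the `try` of sanitizeURL is expected to throw for a string input (the two `XRegExp(...)` calls compile constant patterns), so the `catch (e)` that follows now looks vestigial and the reason for matching the raw form deserves a comment; the rest of sanitizeURL, including the catch body and the fallback return, lies outside the hunk. Suggest adding above the new `if`: `// Match the URL exactly as received: URI/RELATIVE_REF already admit percent-encoding, and decoding first turned valid '%20' into a space and rejected the URL (#183).` Note also that inputs with malformed percent escapes, which previously raised URIError and took the catch path, now go through the regex match instead; whether they are accepted depends on the pct-encoded rule inside URI/RELATIVE_REF, which is not visible here, so it is worth pinning with a test rather than relying on the catch.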
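Review bot: The new `url7` fixture covers only a well-formed escape (`%20`), which pins the regression from #183 but not the other behaviour this commit changes: a malformed escape such as `'/foo%zz'` (constructed value) used to throw in `decodeURIComponent` and reach sanitizeURL's catch path, and now goes through the regex match instead. Adding one such fixture next to `url7`, with its expected rendering in the xss templates, would lock in whether it is accepted or rejected. The GLOBALS object continues outside the hunk.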
  • ${xss.imgTag5}
  • - ${xss.scriptTag1} - ${xss.scriptTag2} - ${xss.scriptTag3} +${xss.scriptTag1} +${xss.scriptTag2} +${xss.scriptTag3}
    + - \ No newline at end of file + diff --git a/test/templates/xss.html b/test/templates/xss.html index 31e4b3e..8d9e655 100644 --- a/test/templates/xss.html +++ b/test/templates/xss.html @@ -33,13 +33,14 @@
  • - - - + + +
    + - \ No newline at end of file + diff --git a/test/templates/xss_unsafe.html b/test/templates/xss_unsafe.html index d41e9b1..40da816 100644 --- a/test/templates/xss_unsafe.html +++ b/test/templates/xss_unsafe.html @@ -33,13 +33,14 @@
  • - - - + + +
    +