Index: openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl
===================================================================
RCS file: /usr/local/cvsroot/openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl,v
diff -u -N -r1.11.2.11 -r1.11.2.12
--- openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl 16 Feb 2024 11:36:46 -0000 1.11.2.11
+++ openacs-4/packages/acs-tcl/tcl/test/text-html-procs.tcl 18 Mar 2024 13:12:44 -0000 1.11.2.12
@@ -722,20 +722,33 @@
aa_true "$msg with validate?" $valid_p
aa_false $msg? [regexp {<([a-z]\w*)\s+[^>]*(href|src|content|action)="(http|https|//):.*"[^>]*>} $result]
+
#
- # Replicate XSS detected by penetration tool in 2024
+ # Replicate some notorious XSS attempts by penetration tools
#
- set content {}
- set outcome false
- aa_false "Injecting via quoting the colon character fails" \
- [ad_dom_sanitize_html \
- -allowed_tags * \
- -allowed_attributes * \
- -allowed_protocols * \
- -html $content \
- -no_js \
- -validate]
+ set cases [list]
+
+ lappend cases \
+ {Disguising the colon ":" character} \
+ {} \
+ false
+
+ lappend cases \
+ {Disguising the word "javascript" by replacing letters with entities} \
+ {} \
+ false
+
+ foreach {description content outcome} $cases {
+ aa_${outcome} $description \
+ [ad_dom_sanitize_html \
+ -allowed_tags * \
+ -allowed_attributes * \
+ -allowed_protocols * \
+ -html $content \
+ -no_js \
+ -validate]
+ }
}
aa_register_case \
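Review bot: The `content` element of both new cases (lines 29 and 34) appears as empty braces `{}` in this listing, so as shown neither case feeds any markup into `ad_dom_sanitize_html` and the `false` expectation is asserted against an empty document; this may be an artifact of how the page was rendered (the removed `set content {}` at line 15 looks the same), so it is worth confirming the payloads survive in the committed file. Separately, `aa_${outcome}` at line 38 builds the assertion proc name from data, which is less readable than a plain `aa_false` call and, if a case ever carries a value other than true/false, fails with an unrelated "invalid command name" error instead of a test failure. A comment above the loop such as `# cases: {description html expected_validity}; expected_validity selects aa_true/aa_false` would make the data shape and the dispatch explicit. The enclosing aa_register_case body starts before this hunk.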