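public void testSAK_18269() {
    // http://jira.sakaiproject.org/browse/SAK-18269
    // An <embed> whose src carries an SVG data: URI can smuggle a <script>
    // element into the page. The legacy cleaner (third argument true) must
    // drop such a src while leaving an otherwise harmless <embed> untouched.
    // NOTE(review): the src values in this copy of the test look truncated
    // (no "data:image/svg+xml;base64," prefix is visible), so the
    // "data:image/svg+xml;base64" expectations below should be confirmed
    // against the repository copy before relying on them.
    String SVG_GOOD = "<div>hello</div><embed allowscriptaccess=\"always\" type=\"image/svg+xml\" src=\"\"></embed>";
    String SVG_BAD = "<div>hello</div><embed allowscriptaccess=\"always\" type=\"image/svg+xml\" src=\" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\"></embed>";

    // --- harmless embed: nothing should be reported or removed ---
    StringBuilder errorMessages = new StringBuilder();
    String result = FormattedText.processFormattedText(SVG_GOOD, errorMessages, true);
    assertNotNull(result);
    // assertEquals gives the actual message count on failure, unlike assertTrue(x == 0)
    assertEquals("unexpected cleaning messages: " + errorMessages, 0, errorMessages.length());
    assertTrue(result.contains("<div"));
    assertTrue(result.contains("<embed"));
    assertTrue(result.contains("src="));
    assertTrue(result.contains("data:image/svg+xml;base64"));
    assertFalse(result.contains("<script"));

    // --- embed carrying script: src must go and the problem must be reported ---
    errorMessages = new StringBuilder();
    result = FormattedText.processFormattedText(SVG_BAD, errorMessages, true);
    assertNotNull(result);
    assertTrue("expected a cleaning message for the unsafe src", errorMessages.length() > 10);
    assertTrue(result.contains("<div"));
    assertTrue(result.contains("<embed"));
    assertFalse("unsafe src attribute survived cleaning: " + result, result.contains("src="));
    assertFalse(result.contains("data:image/svg+xml;base64"));
    assertFalse(result.contains("<script"));
}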
public void testLegacyProcessFormattedText() {
    // TESTs using the legacy Sakai library (third argument true)
    StringBuilder errorMessages = new StringBuilder();
    String result = FormattedText.processFormattedText(TEST1, errorMessages, true);
    assertNotNull(result);
    // NOTE: FT adds a bunch of spaces so it is hard to predict the output
    assertTrue(result.contains("href=\"blah.html\""));
    assertFalse(result.contains("style=\"font-weight:bold;\"")); // strips this out
    assertTrue(result.contains("target=\"_blank\"")); // adds target in
    assertTrue(result.contains("<div>hello there</div>"));
    assertEquals("<a href=\"blah.html\" target=\"_blank\" >blah</a><div>hello there</div>", result);

    errorMessages = new StringBuilder();
    result = FormattedText.processFormattedText(TEST2, errorMessages, true);
    assertNotNull(result);
    // The expected output below still contains a lowercase <script> element,
    // i.e. this assertion pins the legacy cleaner passing that element through
    // (TEST2 is defined outside this method; see testKNL_579 for the
    // uppercase <SCRIPT> variants that are expected to be removed).
    assertEquals("<span>this is my span</span><script>alert('oh noes, a XSS attack!');</script><div>hello there from a div</div>", result);
}
// DISABLED TEST public void donottestAntisamyProcessFormattedText() { // TESTS using the antiSamy library String strFromBrowser = null; String result = null; StringBuilder errorMessages = null; strFromBrowser = TEST1; errorMessages = new StringBuilder(); result = FormattedText.processFormattedText(strFromBrowser, errorMessages, false); assertNotNull(result); assertTrue(result.contains("href=\"blah.html\"")); // assertFalse( result.contains("style=\"font-weight:bold;\"")); // strips this out // assertTrue( result.contains("target=\"_blank\"")); // adds target in assertTrue(result.contains("<div>hello there</div>")); assertEquals( "<a href=\"blah.html\" style=\"font-weight: bold;\">blah</a>\n<div>hello there</div>", result); strFromBrowser = TEST2; errorMessages = new StringBuilder(); result = FormattedText.processFormattedText(strFromBrowser, errorMessages, false); assertNotNull(result); assertEquals("<span>this is my span</span>\n<div>hello there from a div</div>", result); String SVG_BAD = "<div>hello</div><embed allowscriptaccess=\"always\" type=\"image/svg+xml\" src=\" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\"></embed>"; strFromBrowser = SVG_BAD; errorMessages = new StringBuilder(); result = FormattedText.processFormattedText(strFromBrowser, errorMessages, false); assertNotNull(result); assertEquals("", result); }
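public void testKNL_579() {
    // http://jira.sakaiproject.org/browse/KNL-579
    // Four malformed variants of an uppercase <SCRIPT> block (stray '<' and
    // '>' characters around the tag). Each one must be reported in
    // errorMessages and have the tag removed, while the surrounding div and
    // the plain text survive. The four cases were identical copy-pasted
    // assertion groups; a loop with the input in every failure message tells
    // you which variant broke.
    String[] inputs = {
        "<div>testing</div><SCRIPT>alert(\"XSS\");//</SCRIPT>",
        "<div>testing</div><SCRIPT>alert(\"XSS\");//<</SCRIPT>",
        "<div>testing</div><<SCRIPT>alert(\"XSS\");//<</SCRIPT>",
        "<div>testing</div><<SCRIPT>>alert(\"XSS\");//<</SCRIPT>",
    };

    for (String strFromBrowser : inputs) {
        StringBuilder errorMessages = new StringBuilder();
        String result = FormattedText.processFormattedText(strFromBrowser, errorMessages, true);
        assertNotNull("null result for: " + strFromBrowser, result);
        assertTrue("no cleaning message for: " + strFromBrowser, errorMessages.length() > 10);
        assertTrue("div lost for: " + strFromBrowser, result.contains("<div>testing</div>"));
        // the text content is kept; only the tag is removed
        assertTrue("text lost for: " + strFromBrowser, result.contains("XSS"));
        assertFalse("<SCRIPT survived for: " + strFromBrowser + " -> " + result, result.contains("<SCRIPT"));
    }
}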
public void testUnbalancedMarkup() {
    // An unclosed '<' makes the input uncleanable; the legacy cleaner
    // (third argument true) answers with null rather than a partial result.
    assertNull(FormattedText.processFormattedText("A<B Test", new StringBuilder(), true));
}
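/**
 * Reads the rich-text submission for this component from the request and
 * stores the cleaned value as the component's submitted value.
 *
 * The raw text arrives in the request parameter {@code <clientId>_textinput};
 * {@code <clientId>_textinput_current_status} tells whether the editor was
 * still hidden ("firsttime"), in which case the text is treated as plain
 * text instead of HTML.
 *
 * @param context   the current faces context, never null
 * @param component the component being decoded; must be a RichTextEditArea
 * @throws IllegalArgumentException if either argument is null or the
 *         component is not a RichTextEditArea
 */
public void decode(FacesContext context, UIComponent component) {
    if (null == context || null == component
            || !(component instanceof org.sakaiproject.jsf.component.RichTextEditArea)) {
        throw new IllegalArgumentException(
                "context and component must be non-null and component must be a RichTextEditArea");
    }
    String clientId = component.getClientId(context);
    // wildcard map keeps this compiling whether the JSF API returns a raw or a typed Map
    Map<?, ?> requestParameterMap = context.getExternalContext().getRequestParameterMap();
    String newValue = (String) requestParameterMap.get(clientId + "_textinput");
    String current_status = (String) requestParameterMap.get(clientId + "_textinput_current_status");

    String finalValue;
    // if user hid the FCK editor, we treat it as text editor
    if ("firsttime".equals(current_status)) {
        finalValue = TextFormat.convertPlaintextToFormattedTextNoHighUnicode(log, newValue);
    } else {
        StringBuilder alertMsg = new StringBuilder();
        try {
            finalValue = FormattedText.processFormattedText(newValue, alertMsg);
            if (alertMsg.length() > 0) {
                log.debug(alertMsg.toString());
            }
        } catch (Exception e) {
            // Fail closed. Previously finalValue was left as the raw, uncleaned
            // browser input when the cleaner threw, so the one case where
            // cleaning failed was the one case where unsanitised HTML was
            // submitted. Treat it like input the cleaner rejects (the
            // three-argument overload returns null for markup it cannot clean)
            // and keep the full exception instead of only its message.
            log.warn("Unable to clean submitted rich text for " + clientId, e);
            finalValue = null;
        }
    }
    org.sakaiproject.jsf.component.RichTextEditArea comp =
            (org.sakaiproject.jsf.component.RichTextEditArea) component;
    comp.setSubmittedValue(finalValue);
}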
public void testKNL_528() {
    // http://jira.sakaiproject.org/browse/KNL-528
    // Same SVG-in-<embed> payload as SAK-18269, once in lowercase and once
    // with uppercase tag/attribute names: attribute matching must not be
    // case sensitive, and the tag keeps whatever case the input used.
    String SVG_BAD_CAPS = "<div>hello</div><EMBED ALLOWSCRIPTACCESS=\"always\" type=\"image/svg+xml\" SRC=\" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\"></EMBED>";
    String SVG_BAD = "<div>hello</div><embed allowscriptaccess=\"always\" type=\"image/svg+xml\" src=\" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\"></embed>";

    // lowercase variant
    StringBuilder errorMessages = new StringBuilder();
    String result = FormattedText.processFormattedText(SVG_BAD, errorMessages, true);
    assertNotNull(result);
    assertTrue(errorMessages.length() > 10);
    assertTrue(result.contains("<div"));
    assertTrue(result.contains("<embed"));
    assertFalse(result.contains("src="));
    assertFalse(result.contains("data:image/svg+xml;base64"));
    assertFalse(result.contains("<script"));

    // uppercase variant: the tag survives in its original case, the src does not
    errorMessages = new StringBuilder();
    result = FormattedText.processFormattedText(SVG_BAD_CAPS, errorMessages, true);
    assertNotNull(result);
    assertTrue(errorMessages.length() > 10);
    assertTrue(result.contains("<div"));
    assertTrue(result.contains("<EMBED"));
    assertFalse(result.contains("SRC="));
    assertFalse(result.contains("data:image/svg+xml;base64"));
    assertFalse(result.contains("<script"));

    // Known gap, per the original author's note below: the cleaner ignores
    // CDATA sections, so an <embed> wrapped in <![CDATA[...]]> is not cleaned.
    // The expectations are kept (disabled) so the case is not forgotten.
    /* CDATA is ignored so it will not be cleaned String TRICKY = "<div><![CDATA[<EMBED SRC=\" 
A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></EMBED>]]></div>"; String CDATA_TRICKY = "<div><![CDATA[<embed src=\" A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==\" type=\"image/svg+xml\" AllowScriptAccess=\"always\"></embed>]]></div>"; strFromBrowser = CDATA_TRICKY; errorMessages = new StringBuilder(); result = FormattedText.processFormattedText(strFromBrowser, errorMessages, true); assertNotNull(result); assertTrue( errorMessages.length() > 10 ); assertTrue( result.contains("<div")); assertTrue( result.contains("<embed")); assertFalse( result.contains("src=")); assertFalse( result.contains("data:image/svg+xml;base64")); assertFalse( result.contains("<script")); strFromBrowser = TRICKY; errorMessages = new StringBuilder(); result = FormattedText.processFormattedText(strFromBrowser, errorMessages, true); assertNotNull(result); assertTrue( errorMessages.length() > 10 ); assertTrue( result.contains("<div")); assertTrue( result.contains("<EMBED")); assertFalse( result.contains("SRC=")); assertFalse( result.contains("data:image/svg+xml;base64")); assertFalse( result.contains("<script")); */
}