Hello, world!

Hello, world!

Hello, world!

Hello, world!

Hello, world!

Hello, world!

Hello, world!

Hello, world!

• XSS
  ', 'li {list-style-image: url("javascript:alert(\'XSS\')");}
  • XSS
    ']; // VBscript in an image. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#VBscript_in_an_image $data[] = ['', '']; // Livescript (older versions of Netscape only). // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Livescript_.28older_versions_of_Netscape_only.29 $data[] = ['', '']; // BODY tag. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_tag $data[] = ['', '']; // Event handlers. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers $events = [ 'onAbort', 'onActivate', 'onAfterPrint', 'onAfterUpdate', 'onBeforeActivate', 'onBeforeCopy', 'onBeforeCut', 'onBeforeDeactivate', 'onBeforeEditFocus', 'onBeforePaste', 'onBeforePrint', 'onBeforeUnload', 'onBeforeUpdate', 'onBegin', 'onBlur', 'onBounce', 'onCellChange', 'onChange', 'onClick', 'onContextMenu', 'onControlSelect', 'onCopy', 'onCut', 'onDataAvailable', 'onDataSetChanged', 'onDataSetComplete', 'onDblClick', 'onDeactivate', 'onDrag', 'onDragEnd', 'onDragLeave', 'onDragEnter', 'onDragOver', 'onDragDrop', 'onDragStart', 'onDrop', 'onEnd', 'onError', 'onErrorUpdate', 'onFilterChange', 'onFinish', 'onFocus', 'onFocusIn', 'onFocusOut', 'onHashChange', 'onHelp', 'onInput', 'onKeyDown', 'onKeyPress', 'onKeyUp', 'onLayoutComplete', 'onLoad', 'onLoseCapture', 'onMediaComplete', 'onMediaError', 'onMessage', 'onMousedown', 'onMouseEnter', 'onMouseLeave', 'onMouseMove', 'onMouseOut', 'onMouseOver', 'onMouseUp', 'onMouseWheel', 'onMove', 'onMoveEnd', 'onMoveStart', 'onOffline', 'onOnline', 'onOutOfSync', 'onPaste', 'onPause', 'onPopState', 'onProgress', 'onPropertyChange', 'onReadyStateChange', 'onRedo', 'onRepeat', 'onReset', 'onResize', 'onResizeEnd', 'onResizeStart', 'onResume', 'onReverse', 'onRowsEnter', 'onRowExit', 'onRowDelete', 'onRowInserted', 'onScroll', 'onSeek', 'onSelect', 'onSelectionChange', 'onSelectStart', 'onStart', 'onStop', 'onStorage', 'onSyncRestored', 'onSubmit', 'onTimeError', 'onTrackChange', 'onUndo', 'onUnload', 'onURLFlip', ]; foreach ($events as $event) { $data[] = ['

    Dangerous llama!

    ', '

    Dangerous llama!

    ']; } // BGSOUND. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BGSOUND $data[] = ['', '']; // & JavaScript includes. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes $data[] = ['
    ', '
    ']; // STYLE sheet. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_sheet $data[] = ['', '']; // Remote style sheet. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet $data[] = ['', '']; // Remote style sheet part 2. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_2 $data[] = ['', '@import\'http://ha.ckers.org/xss.css\';']; // Remote style sheet part 3. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_3 $data[] = ['', '; REL=stylesheet">']; // Remote style sheet part 4. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_4 $data[] = ['', 'BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}']; // STYLE tags with broken up JavaScript for XSS. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tags_with_broken_up_JavaScript_for_XSS $data[] = ['', '@im\port\'\ja\vasc\ript:alert("XSS")\';']; // STYLE attribute using a comment to break up expression. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_attribute_using_a_comment_to_break_up_expression $data[] = ['', '']; // IMG STYLE with expression. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_STYLE_with_expression $data[] = [ 'exp/*', 'exp/*', ]; // STYLE tag (Older versions of Netscape only). // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_.28Older_versions_of_Netscape_only.29 $data[] = ['', 'alert(\'XSS\');']; // STYLE tag using background-image. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background-image $data[] = ['', '.XSS{background-image:url("javascript:alert(\'XSS\')");}']; // STYLE tag using background. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background $data[] = ['', 'BODY{background:url("javascript:alert(\'XSS\')")}']; // Anonymous HTML with STYLE attribute. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Anonymous_HTML_with_STYLE_attribute $data[] = ['', '']; // Local htc file. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Local_htc_file $data[] = ['', '']; // US-ASCII encoding. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding // This one is irrelevant for Drupal; Drupal *always* outputs UTF-8. // META. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META $data[] = ['', '']; // META using data. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META_using_data $data[] = ['', '']; // META with additional URL parameter // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META $data[] = ['', '']; // IFRAME. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME $data[] = ['', '']; // IFRAME Event based. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME_Event_based $data[] = ['', '']; // FRAME. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#FRAME $data[] = ['', '']; // TABLE. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE $data[] = ['', '']; // TD. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TD $data[] = ['

    ', ' ']; // DIV background-image. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image $data[] = [' ', ' ']; // DIV background-image with unicoded XSS exploit. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_with_unicoded_XSS_exploit $data[] = [' ', ' ']; // DIV background-image plus extra characters. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_plus_extra_characters $data[] = [' ', ' ']; // DIV expression. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_expression $data[] = [' ', ' ']; // Downlevel-Hidden block. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Downlevel-Hidden_block $data[] = ['', "\n alert('XSS');\n ", ]; // BASE tag. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BASE_tag $data[] = ['', '']; // OBJECT tag. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#OBJECT_tag $data[] = ['', '']; // Using an EMBED tag you can embed a Flash movie that contains XSS. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Using_an_EMBED_tag_you_can_embed_a_Flash_movie_that_contains_XSS $data[] = ['', '']; // You can EMBED SVG which can contain your XSS vector. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector $data[] = ['', '']; // XML data island with CDATA obfuscation. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XML_data_island_with_CDATA_obfuscation $data[] = ['', 'cript:alert(\'XSS\')">']; // Locally hosted XML with embedded JavaScript that is generated using an XML data island. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Locally_hosted_XML_with_embedded_JavaScript_that_is_generated_using_an_XML_data_island // This one is irrelevant for Drupal; Drupal disallows XML uploads by // default. // HTML+TIME in XML. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML.2BTIME_in_XML $data[] = ['">', '<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2">alert("XSS")">']; // Assuming you can only fit in a few characters and it filters against ".js". // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Assuming_you_can_only_fit_in_a_few_characters_and_it_filters_against_.22.js.22 $data[] = ['', '']; // IMG Embedded commands. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_Embedded_commands // This one is irrelevant for Drupal; this is actually a CSRF, for which // Drupal has CSRF protection. See https://www.drupal.org/node/178896. // Cookie manipulation. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Cookie_manipulation $data[] = ['', 'alert(\'XSS\')">']; // UTF-7 encoding. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#UTF-7_encoding // This one is irrelevant for Drupal; Drupal *always* outputs UTF-8. // XSS using HTML quote encapsulation. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_using_HTML_quote_encapsulation $data[] = ['', '" SRC="http://ha.ckers.org/xss.js">']; $data[] = ['', '" SRC="http://ha.ckers.org/xss.js">']; $data[] = ['', '" \'\' SRC="http://ha.ckers.org/xss.js">']; $data[] = ['', '\'" SRC="http://ha.ckers.org/xss.js">']; $data[] = ['', '` SRC="http://ha.ckers.org/xss.js">']; $data[] = ['', '\'>" SRC="http://ha.ckers.org/xss.js">']; $data[] = ['PT SRC="http://ha.ckers.org/xss.js">', 'document.write("PT SRC="http://ha.ckers.org/xss.js">']; // URL string evasion. // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#URL_string_evasion // This one is irrelevant for Drupal; Drupal doesn't forbid linking to some // sites, it only forbids linking to any protocols other than those that are // whitelisted. // Test XSS filtering on data-attributes. // @see \Drupal\editor\EditorXssFilter::filterXssDataAttributes() // The following two test cases verify that XSS attack vectors are filtered. $data[] = ['', '']; $data[] = ['', '']; // When including HTML-tags as visible content, they are double-escaped. // This test case ensures that we leave that content unchanged. $data[] = ['', '']; return $data; } /** * Tests the method for filtering XSS. * * @param string $input * The input. * @param string $expected_output * The expected output. * * @dataProvider providerTestFilterXss */ public function testFilterXss($input, $expected_output) { $output = Standard::filterXss($input, $this->format); $this->assertSame($expected_output, $output); } /** * Tests removing disallowed tags and XSS prevention. * * \Drupal\Component\Utility\Xss::filter() has the ability to run in blacklist * mode, in which it still applies the exact same filtering, with one * exception: it no longer works with a list of allowed tags, but with a list * of disallowed tags. * * @param string $value * The value to filter. * @param string $expected * The string that is expected to be missing. * @param string $message * The assertion message to display upon failure. * @param array $disallowed_tags * (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter(). * * @dataProvider providerTestBlackListMode */ public function testBlacklistMode($value, $expected, $message, array $disallowed_tags) { $value = Standard::filter($value, $disallowed_tags); $this->assertSame($expected, $value, $message); } /** * Data provider for testBlacklistMode(). * * @see testBlacklistMode() * * @return array * An array of arrays containing the following elements: * - The value to filter. * - The value to expect after filtering. * - The assertion message. * - (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter(). */ public function providerTestBlackListMode() { return [ [ 'Pink Fairy Armadillo