From 2db5d1c8e469d2943a6a851bc0ff3ede070e448b Mon Sep 17 00:00:00 2001
From: Waylan Limberg <waylan@gmail.com>
Date: Tue, 18 Mar 2008 04:41:33 +0000
Subject: Added sanatition of link urls when in safe_mode to no longer allow
 javascript. Not yet convinced I got all cases, but it's much better than
 before. Also added some tests although testing framework doesn't currently
 have the option to run in safe_mode. See [1914685] for more info.

---
 tests/safe_mode/unsafe_urls.html | 24 ++++++++++++++++++++++++
 tests/safe_mode/unsafe_urls.txt  | 27 +++++++++++++++++++++++++++
 2 files changed, 51 insertions(+)
 create mode 100644 tests/safe_mode/unsafe_urls.html
 create mode 100644 tests/safe_mode/unsafe_urls.txt

(limited to 'tests')

diff --git a/tests/safe_mode/unsafe_urls.html b/tests/safe_mode/unsafe_urls.html
new file mode 100644
index 0000000..8eda30d
--- /dev/null
+++ b/tests/safe_mode/unsafe_urls.html
@@ -0,0 +1,24 @@
+<p>These links should be unsafe and not allowed in safe_mode
+</p>
+<p><a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+   <a href="">link</a>
+</p>
+<p><img src="" alt="img"/><a href="">ref</a>
+   <img src="" alt="imgref"/>
+</p>
+<p>These should work regardless:
+</p>
+<p><a href="relative/url.html">relative</a>
+   <a href="mailto:foo@bar.com">email</a>
+   <a href="news:some.news.group.com">news scheme</a>
+   <a href="http://example.com">http link</a>
+</p>
\ No newline at end of file
diff --git a/tests/safe_mode/unsafe_urls.txt b/tests/safe_mode/unsafe_urls.txt
new file mode 100644
index 0000000..7bfd81d
--- /dev/null
+++ b/tests/safe_mode/unsafe_urls.txt
@@ -0,0 +1,27 @@
+These links should be unsafe and not allowed in safe_mode
+
+[link](javascript:alert%28'Hello%20world!'%29)
+[link](vbscript:msgbox%28%22Hello%20world!%22%29)
+[link](livescript:alert%28'Hello%20world!'%29)
+[link](mocha:[code])
+[link](jAvAsCrIpT:alert%28'Hello%20world!'%29)
+[link](ja&#32;vas&#32;cr&#32;ipt:alert%28'Hello%20world!'%29)
+[link](ja&#00032;vas&#32;cr&#32;ipt:alert%28'Hello%20world!'%29)
+[link](ja&#x00020;vas&#32;cr&#32;ipt:alert%28'Hello%20world!'%29)
+[link](ja%09&#x20;%0Avas&#32;cr&#x0a;ipt:alert%28'Hello%20world!'%29)
+[link](ja%20vas%20cr%20ipt:alert%28'Hello%20world!'%29)
+[link](live%20script:alert%28'Hello%20world!'%29)
+
+![img](javascript:alert%29'XSS'%29)
+[ref][]
+![imgref][]
+
+[ref]: javascript:alert%29'XSS'%29
+[imgref]: javascript:alert%29'XSS'%29
+
+These should work regardless:
+
+[relative](relative/url.html)
+[email](mailto:foo@bar.com)
+[news scheme](news:some.news.group.com)
+[http link](http://example.com)
-- 
cgit v1.2.3