Updated: Comment #0

Problem/Motivation

This test case fails:

    // Spaces and meta chars before the JavaScript in images for XSS.
    // @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Spaces_and_meta_chars_before_the_JavaScript_in_images_for_XSS
    $data[] = array('<IMG SRC=" &#14;  javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');

Like this:

    1) Drupal\editor\Tests\EditorXssFilter\StandardTest::testFilterXss with data set #25 ('<IMG SRC=" &#14;  javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">')
    Failed asserting that two strings are identical.
    --- Expected
    +++ Actual
    @@ @@
    -<IMG src="alert(&#039;XSS&#039;);">
    +<IMG src=" &amp;#14;  javascript:alert(&#039;XSS&#039;);">

… but only on PHP 5.4!

Proposed resolution

TBD.

Remaining tasks

TBD.

User interface changes

None.

API changes

None.
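
Added example, not part of the original issue and not Drupal's code: the failing data set above expects the filter to see through the leading space and the `&#14;` reference before it judges the URL scheme. This Python sketch shows that normalisation step; the function names and the scheme allowlist are assumptions made for the illustration.

```python
import re

# Allowlist for this sketch only (an assumption, not Drupal's configured list).
ALLOWED_SCHEMES = {"http", "https", "mailto"}

_NUMERIC_REF = re.compile(r"&#(?:[xX]([0-9a-fA-F]+)|([0-9]+));?")
_SCHEME = re.compile(r"([A-Za-z][A-Za-z0-9+.\-]*):")
_C0_AND_SPACE = "".join(chr(c) for c in range(0x21))  # U+0000..U+0020


def decode_numeric_refs(value):
    """Decode every numeric character reference, control characters included.

    Named references are out of scope for this sketch.
    """
    def repl(match):
        cp = int(match.group(1), 16) if match.group(1) else int(match.group(2))
        valid = 0 < cp <= 0x10FFFF and not 0xD800 <= cp <= 0xDFFF
        return chr(cp) if valid else "\ufffd"
    return _NUMERIC_REF.sub(repl, value)


def clean(url):
    """Drop what a URL parser ignores: edge controls/spaces, inner tab/CR/LF."""
    return re.sub(r"[\t\n\r]", "", url.strip(_C0_AND_SPACE))


def naive_is_safe(attr_value):
    """Weak check: looks at the raw attribute text only."""
    return not attr_value.lower().startswith("javascript:")


def strip_unsafe_scheme(attr_value):
    """Normalise first, then remove disallowed schemes until none is left."""
    url = clean(decode_numeric_refs(attr_value))
    while (m := _SCHEME.match(url)) and m.group(1).lower() not in ALLOWED_SCHEMES:
        url = clean(url[m.end():])
    return url


# Attribute value from the failing data set on this page.
PAYLOAD = " &#14;  javascript:alert('XSS');"

if __name__ == "__main__":
    print(naive_is_safe(PAYLOAD))
    print(strip_unsafe_scheme(PAYLOAD))
```

The numeric references are decoded by hand here so that the result does not depend on how a library's entity decoder treats control-character references.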

Comments

dawehner

Status: Active » Closed (duplicate)