9289ab11b2
* Replace voku/anti-xss with ezyang/htmlpurifier. Despite anti-xss being a smaller footprint dependency, an a better license fit with our MIT license, there are issues with it's automatic it sanitisation of global variables causing side effects * Additional unit tests for xss in html writer cell comments
93 lines
3.1 KiB
PHP
93 lines
3.1 KiB
PHP
<?php
|
|
|
|
namespace PhpOffice\PhpSpreadsheetTests\Writer\Html;
|
|
|
|
use PhpOffice\PhpSpreadsheet\IOFactory;
|
|
use PhpOffice\PhpSpreadsheet\RichText\RichText;
|
|
use PhpOffice\PhpSpreadsheet\Shared\File;
|
|
use PhpOffice\PhpSpreadsheet\Spreadsheet;
|
|
use PhpOffice\PhpSpreadsheetTests\Functional;
|
|
|
|
class XssVulnerabilityTest extends Functional\AbstractFunctional
|
|
{
|
|
public function providerAcceptableMarkupRichText()
|
|
{
|
|
return [
|
|
'basic text' => ['Hello, I am safely viewing your site', 'Hello, I am safely viewing your site'],
|
|
'link' => ["<a href='Visit Google'>Google is here</a>", '<a href="Visit%20Google">Google is here</a>'],
|
|
];
|
|
}
|
|
|
|
/**
|
|
* @dataProvider providerAcceptableMarkupRichText
|
|
*
|
|
* @param string $safeTextString
|
|
* @param string $adjustedTextString
|
|
*/
|
|
public function testMarkupInComment($safeTextString, $adjustedTextString): void
|
|
{
|
|
$spreadsheet = new Spreadsheet();
|
|
|
|
$richText = new RichText();
|
|
$richText->createText($safeTextString);
|
|
|
|
$spreadsheet->getActiveSheet()->getCell('A1')->setValue('XSS Test');
|
|
|
|
$spreadsheet->getActiveSheet()
|
|
->getComment('A1')
|
|
->setText($richText);
|
|
|
|
$filename = tempnam(File::sysGetTempDir(), 'phpspreadsheet-test');
|
|
|
|
$writer = IOFactory::createWriter($spreadsheet, 'Html');
|
|
$writer->save($filename);
|
|
|
|
$verify = file_get_contents($filename);
|
|
// Ensure that executable js has been stripped from the comments
|
|
self::assertStringContainsString($adjustedTextString, $verify);
|
|
}
|
|
|
|
public function providerXssRichText()
|
|
{
|
|
return [
|
|
'script tag' => ["Hello, I am trying to <script>alert('Hack');</script> your site"],
|
|
'javascript tag' => ["<a href=' javascript:alert(1)'>CLICK</a>"],
|
|
'with unicode' => ['<a href="\\u0001java\\u0003script:alert(1)">CLICK<a>'],
|
|
'inline css' => ['<li style="list-style-image: url(javascript:alert(0))">'],
|
|
'char value chevron' => ["\x3cscript src=http://www.example.com/malicious-code.js\x3e\x3c/script\x3e"],
|
|
];
|
|
}
|
|
|
|
private static $counter = 0;
|
|
|
|
/**
|
|
* @dataProvider providerXssRichText
|
|
*
|
|
* @param string $xssTextString
|
|
*/
|
|
public function testXssInComment($xssTextString): void
|
|
{
|
|
$spreadsheet = new Spreadsheet();
|
|
|
|
$richText = new RichText();
|
|
$richText->createText($xssTextString);
|
|
|
|
$spreadsheet->getActiveSheet()->getCell('A1')->setValue('XSS Test');
|
|
|
|
$spreadsheet->getActiveSheet()
|
|
->getComment('A1')
|
|
->setText($richText);
|
|
|
|
$filename = tempnam(File::sysGetTempDir(), 'phpspreadsheet-test');
|
|
|
|
$writer = IOFactory::createWriter($spreadsheet, 'Html');
|
|
$writer->save($filename);
|
|
|
|
$verify = file_get_contents($filename);
|
|
$counter = self::$counter++;
|
|
file_put_contents("verify{$counter}.html", $verify);
|
|
// Ensure that executable js has been stripped from the comments
|
|
self::assertStringNotContainsString($xssTextString, $verify);
|
|
}
|
|
}
|