/instiki/svnpassword

To download this project, use:
bzr branch https://golem.ph.utexas.edu/~distler/code/instiki/svn/

Viewing all changes in revision 329.

  • Committer: Jacques Distler
  • Date: 2009-01-05 22:25:27 UTC
  • Revision ID: distler@golem.ph.utexas.edu-20090105222527-1hl0k9t1199b060x

Add a couple of XSS tests.

Some more tests from Clint Ruoho. The main branch of Instiki (and, I guess,
the old sanitizer) are vulnerable.

Also: under Ruby 1.8.x, CGI.unescapeHTML screws up horribly decoding NCRs
which represent high-bit ASCII characters. UTF-8 agrees with 7-bit ASCII,
but CGI.unescapeHTML doesn't seem to know that they disagree for i>127.
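
An added Ruby illustration of the decoding problem the commit message describes (not code from Instiki or from Ruby's CGI library). `decode_ncrs_bytewise` is a hypothetical model that emits one raw byte for code points below 256, `decode_ncrs_utf8` is a hypothetical decoder that encodes each code point as UTF-8, and the sample string is constructed.

```ruby
# Matches decimal (&#233;) and hexadecimal (&#xE9;) numeric character references.
NCR = /&#(?:[xX]([0-9A-Fa-f]+)|([0-9]+));/

# Constructed sample: NCRs below 128 (< and >) and above 127 (e with acute).
SAMPLE = "caf&#233; &#60;b&#62; &#xE9;"

# Assumed model of the faulty behaviour: any code point below 256 is written
# as a single byte. That is correct for 0..127, where UTF-8 and ASCII agree,
# but for 128..255 a lone byte is not a valid UTF-8 sequence.
def decode_ncrs_bytewise(str)
  out = str.b.gsub(NCR) do
    n = $1 ? $1.hex : $2.to_i
    n < 256 ? [n].pack("C") : $&
  end
  out.force_encoding(Encoding::UTF_8)
end

# Encodes every referenced code point as UTF-8. NUL, surrogates and values
# beyond U+10FFFF are replaced with U+FFFD instead of being passed through.
def decode_ncrs_utf8(str)
  str.gsub(NCR) do
    n = $1 ? $1.hex : $2.to_i
    usable = n.between?(1, 0x10FFFF) && !n.between?(0xD800, 0xDFFF)
    usable ? [n].pack("U") : "\uFFFD"
  end
end

# A sanitizer that runs after decoding should reject or repair input that is
# not valid UTF-8 rather than scan it as if it were.
def safe_to_scan?(str)
  str.encoding == Encoding::UTF_8 && str.valid_encoding?
end

if __FILE__ == $0
  bad  = decode_ncrs_bytewise(SAMPLE)
  good = decode_ncrs_utf8(SAMPLE)
  puts "byte-wise: #{bad.bytes.map { |b| format('%02X', b) }.join(' ')}"
  puts "  safe_to_scan? #{safe_to_scan?(bad)}"
  puts "utf-8:     #{good.bytes.map { |b| format('%02X', b) }.join(' ')}"
  puts "  safe_to_scan? #{safe_to_scan?(good)}"
end
```
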
