Merge pull request #694 from aik099/xss-in-testsuite-fix

Fixes XSS in the driver test suite
minkphp · Mar 5, 2016 · 461f115 · 461f115
2 parents fa2216d + 7b3315a
commit 461f115
Show file tree

Hide file tree

Showing 9 changed files with 46 additions and 12 deletions.
diff --git a/driver-testsuite/tests/Form/GeneralTest.php b/driver-testsuite/tests/Form/GeneralTest.php
@@ -207,7 +207,7 @@ public function testAdvancedForm()
 array (
   'agreement' = 'on',
   'email' = '[email protected]',
-  'first_name' = 'Foo "item"',
+  'first_name' = 'Foo &quot;item&quot;',
   'last_name' = 'Bar',
   'notes' = 'new notes',
   'select_number' = '30',

diff --git a/driver-testsuite/web-fixtures/advanced_form_post.php b/driver-testsuite/web-fixtures/advanced_form_post.php
@@ -8,16 +8,18 @@
 <?php
 error_reporting(0);
 
+require_once 'utils.php';
+
 if (isset($_POST['select_multiple_numbers']) && false !== strpos($_POST['select_multiple_numbers'][0], ',')) {
     $_POST['select_multiple_numbers'] = explode(',', $_POST['select_multiple_numbers'][0]);
 }
 
 $_POST['agreement'] = isset($_POST['agreement']) ? 'on' : 'off';
 ksort($_POST);
-echo str_replace('>', '', var_export($_POST, true)) . "\n";
+echo str_replace('>', '', var_export(html_escape_value($_POST), true)) . "\n";
 if (isset($_FILES['about']) && file_exists($_FILES['about']['tmp_name'])) {
-    echo $_FILES['about']['name'] . "\n";
-    echo file_get_contents($_FILES['about']['tmp_name']);
+    echo html_escape_value($_FILES['about']['name']) . "\n";
+    echo html_escape_value(file_get_contents($_FILES['about']['tmp_name']));
 } else {
     echo "no file";
 }

diff --git a/driver-testsuite/web-fixtures/basic_form_post.php b/driver-testsuite/web-fixtures/basic_form_post.php
@@ -5,9 +5,12 @@
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
 </head>
 <body>
-    <h1>Anket for <?php echo $_POST['first_name'] ?></h1>
+    <?php
+        require_once 'utils.php';
+    ?>
+    <h1>Anket for <?php echo html_escape_value($_POST['first_name']) ?></h1>
 
-    <span id="first">Firstname: <?php echo $_POST['first_name'] ?></span>
-    <span id="last">Lastname: <?php echo $_POST['last_name'] ?></span>
+    <span id="first">Firstname: <?php echo html_escape_value($_POST['first_name']) ?></span>
+    <span id="last">Lastname: <?php echo html_escape_value($_POST['last_name']) ?></span>
 </body>
 </html>
diff --git a/driver-testsuite/web-fixtures/basic_get_form.php b/driver-testsuite/web-fixtures/basic_get_form.php
@@ -8,7 +8,10 @@
     <h1>Basic Get Form Page</h1>
 
     <div id="serach">
-        <?php echo isset($_GET['q']) && $_GET['q'] ? $_GET['q'] : 'No search query' ?>
+        <?php
+            require_once 'utils.php';
+            echo isset($_GET['q']) && $_GET['q'] ? html_escape_value($_GET['q']) : 'No search query';
+        ?>
     </div>
 
     <form>

diff --git a/driver-testsuite/web-fixtures/cookie_page2.php b/driver-testsuite/web-fixtures/cookie_page2.php
@@ -5,6 +5,9 @@
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
 </head>
 <body>
-    Previous cookie: <?php echo isset($_COOKIE['srvr_cookie']) ? $_COOKIE['srvr_cookie'] : 'NO'; ?>
+    Previous cookie: <?php
+        require_once 'utils.php';
+        echo isset($_COOKIE['srvr_cookie']) ? html_escape_value($_COOKIE['srvr_cookie']) : 'NO';
+    ?>
 </body>
 </html>
diff --git a/driver-testsuite/web-fixtures/issue130.php b/driver-testsuite/web-fixtures/issue130.php
@@ -2,10 +2,12 @@
 <html>
 <body>
     <?php
+    require_once 'utils.php';
+
     if ('1' === $_GET['p']) {
         echo '<a href="issue130.php?p=2">Go to 2</a>';
     } else {
-        echo '<strong>'.$_SERVER['HTTP_REFERER'].'</strong>';
+        echo '<strong>'.html_escape_value($_SERVER['HTTP_REFERER']).'</strong>';
     }
     ?>
 </body>
diff --git a/driver-testsuite/web-fixtures/issue140.php b/driver-testsuite/web-fixtures/issue140.php
@@ -1,8 +1,10 @@
 <?php
+require_once 'utils.php';
+
 if (!empty($_POST)) {
     setcookie("tc", $_POST['cookie_value'], null, '/');
 } elseif (isset($_GET["show_value"])) {
-    echo $_COOKIE["tc"];
+    echo html_escape_value($_COOKIE["tc"]);
     die();
 }
 ?>

diff --git a/driver-testsuite/web-fixtures/print_cookies.php b/driver-testsuite/web-fixtures/print_cookies.php
@@ -5,6 +5,9 @@
     <meta http-equiv="Content-Type" content="text/html;charset=UTF-8"/>
 </head>
 <body>
-    <?php echo str_replace('>', '', var_export($_COOKIE, true)); ?>
+    <?php
+        require_once 'utils.php';
+        echo str_replace('>', '', var_export(html_escape_value($_COOKIE), true));
+    ?>
 </body>
 </html>
diff --git a/driver-testsuite/web-fixtures/utils.php b/driver-testsuite/web-fixtures/utils.php
@@ -0,0 +1,16 @@
+<?php
+
+function html_escape_value($data)
+{
+    if (!is_array($data)) {
+        return htmlspecialchars($data, ENT_QUOTES, 'UTF-8', false);
+    }
+
+    $escapedData = array();
+
+    foreach ($data as $key => $value) {
+        $escapedData[html_escape_value($key)] = html_escape_value($value);
+    }
+
+    return $escapedData;
+}