
Merge commit '13aeb4542924b7112c56ca7e0fe30b5174eb9adb' into develop

This commit is contained in:
Laurent Destailleur
2023-04-25 15:43:18 +02:00
2 changed files with 10 additions and 8 deletions


@@ -390,6 +390,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST["param13b"]='&#110; &#x6E; &gt; &lt; &quot; <a href=\"j&#x61vascript:alert(document.domain)\">XSS</a>';
$_POST["param14"]="Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)";
$_POST["param15"]="<img onerror<=alert(document.domain)> src=>0xbeefed";
//$_POST["param15b"]="<html><head><title>Example HTML</title></head><body><div><p>This is a paragraph.</div><ul><li>Item 1</li><li>Item 2</li></ol></body><html>";
$_POST["param16"]='<a style="z-index: 1000">abc</a>';
$_POST["param17"]='<span style="background-image: url(logout.php)">abc</span>';
$_POST["param18"]='<span style="background-image: url(...?...action=aaa)">abc</span>';
@@ -559,8 +560,8 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=GETPOST("param15", 'restricthtml'); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__." result=".$result."\n";
$this->assertEquals('InvalidHTMLString', $result, 'Test 15b');
//$this->assertEquals('<img onerror> src=&gt;0xbeefed', $result, 'Test 15b');
$this->assertEquals('InvalidHTMLString', $result, 'Test 15b'); // With some PHP and libxml version, we got this when parsong invalid HTML
//$this->assertEquals('<img onerror> src=&gt;0xbeefed', $result, 'Test 15b'); // On other we got a HTML that has been cleaned
unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML);
@@ -779,12 +780,12 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
$tmp = getURLContent($url, 'GET', '', 0); // We do NOT follow
print __METHOD__." url=".$url."\n";
$this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 without following -> 301');
$this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 without a follow -> 301');
$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
$tmp = getURLContent($url); // We DO follow a page with return 300 so result should be 200
print __METHOD__." url=".$url."\n";
$this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with following -> 200 but we get '.$tmp['http_code']);
$this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with a follow -> 200 but we get '.$tmp['http_code']);
$url = 'http://localhost';
$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
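Review bot: The assertion `$this->assertEquals('InvalidHTMLString', $result, 'Test 15b');` in the second hunk is still pinned to one outcome while the comment added on the same line concedes that other PHP/libxml combinations return the cleaned `<img onerror> src=&gt;0xbeefed` instead, so the test fails on those environments even though the `alert(document.domain)` payload was neutralised either way. A version-independent check asserts the security property rather than an exact string, e.g. `$this->assertContains($result, array('InvalidHTMLString', '<img onerror> src=&gt;0xbeefed'), 'Test 15b');`, or a check that `alert(` no longer appears in `$result`. The new comment also has a typo: `parsong` should read `parsing`. The first hunk adds `$_POST["param15b"]` as commented-out code with no matching assertion; either wire it into a test or drop it. The enclosing test methods begin and end outside these hunks.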