',
'
'
),
// no quotes and no semicolon - http://ha.ckers.org/xss.html
array(
'
)
',
''
),
// embedded encoded tab to break up XSS - http://ha.ckers.org/xss.html
array(
'
;)
',
''
),
// issue 178
array(
'
',
'
'
),
// issue 534
array(
'
![](\'as"df)
*/" onerror="console.log(\'Yet another XSS\')">',
'
*/" onerror="console.log(\'Yet another XSS\')">'
),
// issue 602
array(
'
',
''
),
// issue #1813 https://github.com/xpressengine/xe-core/issues/1813
array(
'
',
'
![dummy]()
'
),
array(
'
',
'
![dummy]()
'
),
array(
"
![\"dummy\"](\"?act\n=dispLayoutPreview\")
",
'
![dummy]()
'
),
array(
"
![\"dummy\"](\"?pam=act&a\nct)
",
'
![dummy]()
'
)
);
}
/**
* @dataProvider provider
*/
public function testXss($source, $expected)
{
$result = removeHackTag($source);
$this->assertEquals($result, $expected);
}
}