Skip to content

Commit

Permalink
Merge pull request #779 from ossf/add_xss_tests
Browse files Browse the repository at this point in the history
Add internal tests to xss lab
  • Loading branch information
david-a-wheeler authored Feb 5, 2025
2 parents 970d331 + 9b5be79 commit 053a226
Showing 1 changed file with 39 additions and 12 deletions.
51 changes: 39 additions & 12 deletions docs/labs/xss.js
Original file line number Diff line number Diff line change
Expand Up @@ -2,40 +2,65 @@ info =
{
hints: [
{
absent: "autoescape",
text: "Add an `autoescape=` parameter."
present: "(Autoescape|AUTOESCAPE)",
text: "The name `autoescape` must be in all lowercase.",
examples: [
[ "Autoescape" ],
],
},
{
present: String.raw`autoescape [^:\x20]`,
text: "The name `autoescape` needs to be followed by `=`."
present: "([Aa]uto_[Ee]scape|AUTO_ESCAPE)",
text: "Use `autoescape` in all lowercase with no underscores.",
examples: [
[ "auto_escape" ],
],
},
{
present: "(Autoescape|AUTOESCAPE)",
text: "The name `autoescape` must be in all lowercase."
absent: "autoescape",
text: "Add an `autoescape=` parameter.",
examples: [
[ "" ],
],
},
{
present: "([Aa]uto_[Ee]scape|AUTO_ESCAPE)",
text: "Use `autoescape` in all lowercase with no underscores."
present: 'autoescape',
absent: String.raw`autoescape\x20*=`,
text: "The name `autoescape` needs to be followed by `=`.",
examples: [
[ "autoescape" ],
],
},
{
present: String.raw`\| safe`,
index: 1,
text: "The text `| safe` indicates that this text is trusted and should not be escaped further. However, in context this data could be provided from an attacker and is NOT safe. Remove the marking."
text: "The text `| safe` indicates that this text is trusted and should not be escaped further. However, in context this data could be provided from an attacker and is NOT safe. Remove the marking.",
examples: [
[ null, " <h1>Hello {{ person | safe }}!</h1>" ],
],
},
{
present: String.raw`\|`,
index: 1,
text: "The `|` is used to separate the computed value from the safe marking, but we will not use that marking. Remove the vertical bar."
text: "The `|` is used to separate the computed value from the safe marking, but we will not use that marking. Remove the vertical bar.",
examples: [
[ null, " <h1>Hello {{ person | }}!</h1>" ],
],
},
{
present: String.raw`Markup \(.*\+.*\)`,
index: 2,
text: "Having a concatenation (+) *inside* the call to Markup is a vulnerability. The call to Markup presumes we are passing text that is *not* supposed be escaped. If it is supposed to be escaped, it should be concatenated outside the initial construction of the Markup object."
text: "Having a concatenation (+) *inside* the call to Markup is a vulnerability. The call to Markup presumes we are passing text that is *not* supposed be escaped. If it is supposed to be escaped, it should be concatenated outside the initial construction of the Markup object.",
examples: [
[ null, null, " result = Markup('Original name=' + name)" ],
],
},
{
absent: String.raw`\+`,
index: 2,
text: "Our expected answer includes concatentation using `+`. We expect something like `Markup('Original name='` followed by `+` followed by the variable containing the data that needs to be escaped."
text: "Our expected answer includes concatentation using `+`. We expect something like `Markup('Original name='` followed by `+` followed by the variable containing the data that needs to be escaped.",
examples: [
[ null, null, ' result = Markup(f"Original name={name}' ],
],
},
],
expected: [
Expand All @@ -44,6 +69,8 @@ info =
`result = Markup('Original name=') + name`
],
correct: [
// Python PEP 8 recommends no space '=' around keyword use, but
// Python allows it, so we will too.
String.raw`\s* autoescape = select_autoescape \( \) \s*`,
String.raw`\s* < h1 >Hello\x20{{ person }}!< /h1 > \s*`,
String.raw`\s* result = Markup \( ('Original name='|"Original name=") \) \+ name \s*`
Expand Down

0 comments on commit 053a226

Please sign in to comment.