
Commit 659ab22

committed
add test for XSS from twitter
1 parent e4eff4f commit 659ab22


1 file changed

+17
-0
lines changed

1 file changed

+17
-0
lines changed

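--- a/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
+++ b/src/test/java/org/owasp/html/HtmlPolicyBuilderTest.java
@@ -941,6 +941,23 @@ public String apply(String elementName, List<String> attrs) {
 scriptSanitizer.sanitize(htmlMetaCharsEscaped));
 }
 
+@Test
+public static final void testNoscriptInAttribute() {
+PolicyFactory pf = new HtmlPolicyBuilder()
+.allowElements("img", "p", "noscript")
+.allowAttributes("title").globally()
+.allowAttributes("img").onElements("img")
+.toFactory();
+
+assertEquals(
+"<noscript>"
++ "<p title=\"&lt;/noscript&gt;&lt;img src&#61;x onerror&#61;alert(1)&gt;\">"
++ "</p>"
++ "</noscript>",
+pf.sanitize(
+"<noscript><p title=\"</noscript><img src=x onerror=alert(1)>\">"));
+}
+
 private static String apply(HtmlPolicyBuilder b) {
 return apply(b, EXAMPLE);
 }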
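Review bot: The policy built in testNoscriptInAttribute allows an attribute literally named `img` on `<img>` (`.allowAttributes("img").onElements("img")`), which looks like a typo for `src`; the input here never yields an `<img>` element in the sanitizer's parse, so the assertion still passes, but the line does not express the policy the test appears to intend. Changing it to `.allowAttributes("src").onElements("img")` keeps the test meaningful if the parse of `noscript` content ever changes. A short comment stating why this case matters would also help the next reader, e.g. `// With scripting enabled, browsers treat noscript as raw text, so an unescaped </noscript> inside an attribute value would end the element early; the sanitizer must escape it.` The test method is fully contained in the hunk; the surrounding class is not.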
