diff --git a/pom.xml b/pom.xml
index f2a4ae81c7f7d7413f430c687d75aa4c0db7b9f4..bffec1cc40717c3300d09fd8cec0ab361f1c0ee2 100644
--- a/pom.xml
+++ b/pom.xml
@@ -2209,6 +2209,12 @@
</exclusion>
</exclusions>
</dependency>
+ <dependency>
+ <groupId>org.apache.xmlrpc</groupId>
+ <artifactId>xmlrpc-server</artifactId>
+ <version>3.1.3</version>
+ <scope>test</scope>
+ </dependency>
<!-- End test dependencies -->
</dependencies>
diff --git a/src/test/java/org/olat/util/FunctionalCourseUtil.java b/src/test/java/org/olat/util/FunctionalCourseUtil.java
index b58433d578158638667b9192b2c99bcf8d45c7b5..25fba1fdf84219c6278a9150465ce5c19006e47a 100644
--- a/src/test/java/org/olat/util/FunctionalCourseUtil.java
+++ b/src/test/java/org/olat/util/FunctionalCourseUtil.java
@@ -36,10 +36,12 @@ import org.apache.velocity.exception.ParseErrorException;
import org.apache.velocity.exception.ResourceNotFoundException;
import org.olat.core.logging.OLog;
import org.olat.core.logging.Tracing;
+import org.olat.util.xss.NotImplemented;
import org.olat.util.xss.XssInjection;
import org.olat.util.xss.XssInjectionDependencies;
import org.olat.util.xss.XssInjectionDependency;
import org.olat.util.xss.XssInjectionElement;
+import org.olat.util.xss.XssInjectionIndex;
import org.olat.util.xss.XssInjectionPositional;
import org.olat.util.xss.XssInjectionProvider;
import org.olat.util.xss.XssInjectionRandom;
@@ -1220,7 +1222,14 @@ public class FunctionalCourseUtil {
* @param message
* @return true on success, otherwise false
*/
- public boolean postForumMessage(Selenium browser, long courseId, int nthForum, String title, String message){
+ @XssInjection
+ @XssInjectionDependencies({
+ @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createCourse", parameterName = {}),
+ @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "extractRepositoryEntryKey", parameterName = {"courseId"}, useReturnValue = true),
+ @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "createForum", parameterName = {})
+ })
+ public boolean postForumMessage(Selenium browser, long courseId, @XssInjectionIndex int nthForum,
+ @XssInjectionElement String title, @XssInjectionElement String message){
if(!openForum(browser, courseId, nthForum))
return(false);
@@ -1290,7 +1299,17 @@ public class FunctionalCourseUtil {
* @param content
* @return true on success, otherwise false
*/
- public boolean createWikiArticle(Selenium browser, long wikiId, String pagename, String content){
+ @XssInjection
+ @XssInjectionDependencies({
+ @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createCourse", parameterName = {}),
+ @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createWiki", parameterName = {}),
+ @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "readIdFromDetailedView", parameterName = {"wikiId"}, useReturnValue = true),
+ @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "createCourseNode", parameterName = {}),
+ @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "chooseWiki", parameterName = {})
+ })
+ @NotImplemented(reason = "missing dependencies: read repository entry key")
+ public boolean createWikiArticle(Selenium browser, long wikiId,
+ @XssInjectionElement String pagename, @XssInjectionElement String content){
if(!openWiki(browser, wikiId))
return(false);
@@ -1406,6 +1425,9 @@ public class FunctionalCourseUtil {
* @param url
* @return true on success
*/
+ @XssInjection
+ @XssTutorOnly
+ @NotImplemented(reason = "test case won't understand url string as url")
public boolean importBlogFeed(Selenium browser, String url){
functionalUtil.idle(browser);
@@ -1515,14 +1537,33 @@ public class FunctionalCourseUtil {
* @param content
* @return true on success, otherwise false
*/
- public boolean editBlogEntry(Selenium browser, long courseId, int nth,
- String title, String description, String content, int entry, BlogEdit[] edit){
+ @XssInjection
+ @XssInjectionDependencies({
+ @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createCourse", parameterName = {}),
+ @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "readIdFromDetailedView", parameterName = {"courseId"}, useReturnValue = true)
+ })
+ @NotImplemented(reason = "missing dependencies: read repository entry key")
+ public boolean editBlogEntry(Selenium browser, long courseId, @XssInjectionIndex int nth,
+ @XssInjectionElement String title, @XssInjectionElement String description,
+ @XssInjectionElement String content,
+ @XssInjectionPositional int entry, @XssInjectionElement BlogEdit[] edit){
if(!openBlogWithoutBusinessPath(browser, courseId, nth))
return(false);
return(editBlogEntry(browser, title, description, content, entry, edit));
}
+ /**
+ * Edit a blog entry.
+ *
+ * @param browser
+ * @param title
+ * @param description
+ * @param content
+ * @param entry
+ * @param edit
+ * @return
+ */
public boolean editBlogEntry(Selenium browser,
String title, String description, String content, int entry, BlogEdit[] edit){
StringBuffer selectorBuffer = new StringBuffer();
@@ -1989,6 +2030,20 @@ public class FunctionalCourseUtil {
return(true);
}
+ /**
+ * Creates a new forum.
+ *
+ * @param browser
+ * @param title
+ * @param description
+ * @return
+ */
+ public boolean createForum(Selenium browser, String title, String description){
+ //TODO:JK: implement me
+
+ return(false);
+ }
+
/**
* Opens the portfolio template editor in conjunction with this method the appropriate node and
* the appopriate tab should already be opened.
diff --git a/src/test/java/org/olat/util/xss/NotImplemented.java b/src/test/java/org/olat/util/xss/NotImplemented.java
new file mode 100644
index 0000000000000000000000000000000000000000..4db6ab85f820591bdd138cd2463a690efb250e16
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/NotImplemented.java
@@ -0,0 +1,29 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public @interface NotImplemented {
+ String reason();
+}
diff --git a/src/test/java/org/olat/util/xss/XssInjectionDependency.java b/src/test/java/org/olat/util/xss/XssInjectionDependency.java
index ac9bd56a705e758ddd528856aa320171fef17faa..d2bd532c81ece729bee13410eb74169fc7562973 100644
--- a/src/test/java/org/olat/util/xss/XssInjectionDependency.java
+++ b/src/test/java/org/olat/util/xss/XssInjectionDependency.java
@@ -28,4 +28,5 @@ public @interface XssInjectionDependency {
String className();
String methodName();
String[] parameterName();
+ boolean useReturnValue() default false;
}
diff --git a/src/test/java/org/olat/util/xss/XssInjectionIndex.java b/src/test/java/org/olat/util/xss/XssInjectionIndex.java
new file mode 100644
index 0000000000000000000000000000000000000000..612100f174e27c7b2d5f44619d7aa1570cbe62e8
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/XssInjectionIndex.java
@@ -0,0 +1,5 @@
+package org.olat.util.xss;
+
+public @interface XssInjectionIndex {
+ int index() default 0;
+}
diff --git a/src/test/java/org/olat/util/xss/client/CharsetUtil.java b/src/test/java/org/olat/util/xss/client/CharsetUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..70120a36efce7efa62205d0225049c4e418e11dd
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/CharsetUtil.java
@@ -0,0 +1,29 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public class CharsetUtil {
+
+}
diff --git a/src/test/java/org/olat/util/xss/client/HttpClient.java b/src/test/java/org/olat/util/xss/client/HttpClient.java
new file mode 100644
index 0000000000000000000000000000000000000000..82b14ce0501f865bb7449a8f60a9d566fd97f38e
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/HttpClient.java
@@ -0,0 +1,38 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+import java.io.IOException;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public interface HttpClient {
+ public void connect(String host, int port);
+
+ public void setHttpHeader(byte[] buffer);
+
+ public void httpGet(byte[] data);
+ public void httpPut(byte[] data);
+ public void httpDelete(byte[] data);
+ public void httpPost(byte[] data);
+}
diff --git a/src/test/java/org/olat/util/xss/client/HttpUtil.java b/src/test/java/org/olat/util/xss/client/HttpUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..987faf21d6a05a98b297d007df3916efae5f4797
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/HttpUtil.java
@@ -0,0 +1,44 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+import java.util.HashSet;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public class HttpUtil {
+ enum HttpMethod {
+ HTTP_PUT,
+ HTTP_DELETE,
+ HTTP_GET,
+ HTTP_POST,
+ };
+
+ public static byte[] createHttpHeader(HttpMethod method, HashSet<String> parameter, String headerEncoding, String bodyEncoding){
+ byte[] header = null;
+
+ //TODO:JK: implement me
+
+ return(header);
+ }
+}
diff --git a/src/test/java/org/olat/util/xss/client/XssClient.java b/src/test/java/org/olat/util/xss/client/XssClient.java
new file mode 100644
index 0000000000000000000000000000000000000000..19c2bf6bf0bf9595fd4696c01fb004076dd53ec7
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/XssClient.java
@@ -0,0 +1,315 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+import java.io.OutputStream;
+import java.net.Socket;
+import java.util.ArrayList;
+import java.util.HashSet;
+import java.util.List;
+
+import org.apache.xmlrpc.webserver.XmlRpcServlet;
+
+import org.olat.util.xss.client.HttpUtil;
+import org.olat.util.xss.client.HttpUtil.HttpMethod;
+
+/**
+ * WARNING: this software may not be used on public networks especially over an internet
+ * connection nor within your ISPs WAN. It may potentially damage your infrastructure.
+ * XssClient should be used carefully and only for error detection. It uses its very own
+ * implementation of the HTTP protocol and may break international telecommunication contracts.
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public class XssClient extends XmlRpcServlet implements HttpClient {
+
+ final static String DEFAULT_ENCODING = "UTF-8";
+
+ final static String DEFAULT_REMOTE_ENCODING = "Unicode";
+ final static String DEFAULT_CLIENT_ENCODING = "iso-8859-1";
+ final static String DEFAULT_BODY_ENCODING = "UTF-16";
+ final static String DEFAULT_SCRIPT_ENCODING = "UTF-7";
+
+ final static int DEFAULT_THREAD_COUNT = 100;
+ final static int DEFAULT_FAKE_USER_COUNT = 100;
+ final static int DEFAULT_CONCURRENT_USER_COUNT = 100;
+
+ enum XssStrategy{
+ TRICK_ESCAPING,
+ CLOSE_TAGS,
+ MASQUERADE_ENCODING,
+ FAKE_USERS,
+ CONCURRENT_USERS,
+ RANDOM_ENCODING,
+ PACKAGE_FRAGMENTS,
+ GENERATE_DATABASE_TIMEOUTS,
+ LOW_LATENCY_RESEND,
+ }
+
+ private String defaultEncoding;
+
+ private String remoteEncoding;
+ private String clientEncoding;
+ private String bodyEncoding;
+ private String scriptEncoding;
+
+ private byte[] header;
+ private byte[] jsessionId;
+
+ private Socket connection;
+ private OutputStream out;
+
+ private int threadCount;
+ private int fakeUserCount;
+ private int concurrentUserCount;
+
+ private List<Script> scripts;
+
+ public XssClient(){
+ this.defaultEncoding = DEFAULT_ENCODING;
+
+ this.remoteEncoding = DEFAULT_REMOTE_ENCODING;
+ this.clientEncoding = DEFAULT_CLIENT_ENCODING;
+ this.bodyEncoding = DEFAULT_BODY_ENCODING;
+ this.scriptEncoding = DEFAULT_SCRIPT_ENCODING;
+
+ this.connection = new Socket();
+ this.out = null;
+
+ this.threadCount = DEFAULT_THREAD_COUNT;
+ this.fakeUserCount = DEFAULT_FAKE_USER_COUNT;
+ this.concurrentUserCount = DEFAULT_CONCURRENT_USER_COUNT;
+
+ this.scripts = new ArrayList<Script>();
+
+ reloadScripts();
+ }
+
+ public void reloadScripts(){
+ Script script = new CommonScript();
+ script.load();
+ scripts.add(script);
+
+ script = new InlineScript();
+ script.load();
+ scripts.add(script);
+
+ script = new IFrameScript();
+ script.load();
+ scripts.add(script);
+ }
+
+ @Override
+ public void connect(String host, int port) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void setHttpHeader(byte[] buffer) {
+ this.header = buffer;
+ }
+
+ @Override
+ public void httpGet(byte[] data) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void httpPut(byte[] data) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void httpDelete(byte[] data) {
+ // TODO Auto-generated method stub
+
+ }
+
+ @Override
+ public void httpPost(byte[] data) {
+ // TODO Auto-generated method stub
+
+ }
+
+ public void attack(String path, HttpMethod method, HashSet<String> parameter, XssStrategy strategy, String snipped){
+ this.attack("localhost", 8080, path, method, parameter, strategy, snipped);
+ }
+
+ private void attack(String host, int port, String path, HttpMethod method, HashSet<String> parameter, XssStrategy strategy, String snipped){
+ connect(host, port);
+
+ byte[] header = HttpUtil.createHttpHeader(method, parameter, getClientEncoding(), getBodyEncoding());
+
+
+ }
+
+ public String getDefaultEncoding() {
+ return defaultEncoding;
+ }
+
+ public void setDefaultEncoding(String defaultEncoding) {
+ this.defaultEncoding = defaultEncoding;
+ }
+
+ public String getRemoteEncoding() {
+ return remoteEncoding;
+ }
+
+ public void setRemoteEncoding(String remoteEncoding) {
+ this.remoteEncoding = remoteEncoding;
+ }
+
+ public String getClientEncoding() {
+ return clientEncoding;
+ }
+
+ public void setClientEncoding(String clientEncoding) {
+ this.clientEncoding = clientEncoding;
+ }
+
+ public String getBodyEncoding() {
+ return bodyEncoding;
+ }
+
+ public void setBodyEncoding(String bodyEncoding) {
+ this.bodyEncoding = bodyEncoding;
+ }
+
+ public String getScriptEncoding() {
+ return scriptEncoding;
+ }
+
+ public void setScriptEncoding(String scriptEncoding) {
+ this.scriptEncoding = scriptEncoding;
+ }
+
+ public byte[] getHeader() {
+ return header;
+ }
+
+ public void setHeader(byte[] header) {
+ this.header = header;
+ }
+
+ public byte[] getJSessionId() {
+ return jsessionId;
+ }
+
+ public void setJSessionId(byte[] jsessionId) {
+ this.jsessionId = jsessionId;
+ }
+
+ public Socket getConnection() {
+ return connection;
+ }
+
+ public void setConnection(Socket connection) {
+ this.connection = connection;
+ }
+
+ public OutputStream getOut() {
+ return out;
+ }
+
+ public void setOut(OutputStream out) {
+ this.out = out;
+ }
+
+ public int getThreadCount() {
+ return threadCount;
+ }
+
+ public void setThreadCount(int threadCount) {
+ this.threadCount = threadCount;
+ }
+
+ public int getFakeUserCount() {
+ return fakeUserCount;
+ }
+
+ public void setFakeUserCount(int fakeUserCount) {
+ this.fakeUserCount = fakeUserCount;
+ }
+
+ public int getConcurrentUserCount() {
+ return concurrentUserCount;
+ }
+
+ public void setConcurrentUserCount(int concurrentUserCount) {
+ this.concurrentUserCount = concurrentUserCount;
+ }
+
+ public List<Script> getScripts() {
+ return scripts;
+ }
+
+ public void setScripts(List<Script> scripts) {
+ this.scripts = scripts;
+ }
+
+ public abstract class Script{
+ private List<String> variants;
+
+ public Script(){
+ variants = new ArrayList<String>();
+ }
+
+ public abstract void load();
+
+ public List<String> getVariants() {
+ return variants;
+ }
+
+ public void setVariants(List<String> variants) {
+ this.variants = variants;
+ }
+ }
+
+ public class CommonScript extends Script {
+
+ @Override
+ public void load() {
+ // TODO Auto-generated method stub
+
+ }
+ }
+
+ public class InlineScript extends Script {
+
+ @Override
+ public void load() {
+ // TODO Auto-generated method stub
+
+ }
+ }
+
+ public class IFrameScript extends Script {
+
+ @Override
+ public void load() {
+ // TODO Auto-generated method stub
+
+ }
+ }
+}
diff --git a/src/test/java/org/olat/util/xss/client/XssClientDeployments.java b/src/test/java/org/olat/util/xss/client/XssClientDeployments.java
new file mode 100644
index 0000000000000000000000000000000000000000..d0b1b0efe0f3923af3fd11d25b0046ea1c397e9f
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/XssClientDeployments.java
@@ -0,0 +1,37 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+import java.io.InputStream;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public class XssClientDeployments {
+
+ public static void createDeployment(String webapp, String xmlRpcServletProperties, String webXml){
+
+ InputStream webArchive = XssClientDeployments.class.getResourceAsStream(webapp);
+
+ //TODO:JK: implement me
+ }
+}
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_XmlRpcServlet.properties b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_XmlRpcServlet.properties
new file mode 100644
index 0000000000000000000000000000000000000000..360278c80888336d5b37636811bc7fcbf2357d53
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_XmlRpcServlet.properties
@@ -0,0 +1 @@
+XssClient=org.olat.util.xss.client.XssClient
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_abstract.vm b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_abstract.vm
new file mode 100644
index 0000000000000000000000000000000000000000..98be3aa6718d0171fb046365671ca89f1fac2ae9
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_abstract.vm
@@ -0,0 +1 @@
+<${"tag"} ${"function"}="${script}"></${"tag"}>
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_functions.xml b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_functions.xml
new file mode 100644
index 0000000000000000000000000000000000000000..fb8179a29532a995a9bbab629b2adc4b8fdefc00
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_functions.xml
@@ -0,0 +1,24 @@
+<?xml version="1.0" encoding="utf-8"?>
+<browsers>
+ <browser name="Microsoft Internet Explorer" version="6">
+ <specification version="5.0">
+ <functions>
+ <function>onLoad</function>
+ <function>onMouse</function>
+ <function>onMouseOver</function>
+ <function>onMouseOut</function>
+ <function>onClick</function>
+ <function>onMotion</function>
+ <function>onKeyEvent</function>
+ <function>event</function>
+ </functions>
+ </specification>
+ </browser>
+ <browser name="Firefox" version="22">
+ <specification version="5.0">
+ <functions>
+ <function>event</function>
+ </functions>
+ </specification>
+ </browser>
+</browsers>
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_iframe.vm b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_iframe.vm
new file mode 100644
index 0000000000000000000000000000000000000000..fcb672a5926ecd3e810a9cee37280334fef0d2a1
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_iframe.vm
@@ -0,0 +1 @@
+<iframe></iframe>
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_jquery.js b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_jquery.js
new file mode 100644
index 0000000000000000000000000000000000000000..1a334d0373d2e8f562448c84a3984d42c362e5d9
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_jquery.js
@@ -0,0 +1 @@
+${"*","XSS"}
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_script.js b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_script.js
new file mode 100644
index 0000000000000000000000000000000000000000..888b3aa8181f1a483513f7196c41359bdfea248d
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_script.js
@@ -0,0 +1 @@
+window.alert("XSS");
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_scriptSnippet.vm b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_scriptSnippet.vm
new file mode 100644
index 0000000000000000000000000000000000000000..61499e194a8a3f49e36116e677b814f66fd485ef
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_scriptSnippet.vm
@@ -0,0 +1 @@
+<javascript>${"script"}</javascript>
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_tags.xml b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_tags.xml
new file mode 100644
index 0000000000000000000000000000000000000000..3cb1be14ebb2eee2891e7b8c89b3644a6bf2d7e6
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_tags.xml
@@ -0,0 +1,38 @@
+<?xml version="1.0" encoding="utf-8"?>
+<list>
+ <!-- document structure tags -->
+ <tab name="html"/>
+ <tag name="head"/>
+ <tag name="meta"/>
+ <tag name ="body"/>
+
+ <!-- formating tags -->
+ <tag name ="h1"/>
+ <tag name ="h2"/>
+ <tag name ="h3"/>
+ <tag name ="h4"/>
+ <tag name ="h5"/>
+ <tag name ="h6"/>
+ <tag name ="p"/>
+ <tag name ="table"/>
+ <tag name ="thead"/>
+ <tag name ="tr"/>
+ <tag name ="th"/>
+ <tag name ="tbody"/>
+ <tag name ="td"/>
+ <tag name ="div"/>
+
+ <!-- embedding external -->
+ <tag name ="img"/>
+ <tag name ="script"/>
+ <tag name ="object"/>
+ <tag name ="embed"/>
+ <tag name ="audio"/>
+ <tag name ="video"/>
+
+ <!-- styling -->
+ <tag name ="i"/>
+ <tag name ="b"/>
+ <tag name ="u"/>
+ <tag name ="span"/>
+</list>
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_web.xml b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_web.xml
new file mode 100644
index 0000000000000000000000000000000000000000..5f4b02444e18596471172d7fa5a99a3deac55264
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_web.xml
@@ -0,0 +1,22 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee"
+ xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+ xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd"
+ metadata-complete="true">
+
+ <servlet>
+ <servlet-name>XssClient</servlet-name>
+ <servlet-class>org.olat.util.xss.client.XssClient</servlet-class>
+ <init-param>
+ <param-name>enabledForExtensions</param-name>
+ <param-value>true</param-value>
+ <!-- <description>Sets, whether the servlet supports vendor extensions
+ for XML-RPC.</description> -->
+ </init-param>
+ </servlet>
+ <servlet-mapping>
+ <servlet-name>XssClient</servlet-name>
+ <url-pattern>/xssclient</url-pattern>
+ </servlet-mapping>
+
+</web-app>