diff --git a/pom.xml b/pom.xml index f2a4ae81c7f7d7413f430c687d75aa4c0db7b9f4..bffec1cc40717c3300d09fd8cec0ab361f1c0ee2 100644 --- a/pom.xml +++ b/pom.xml @@ -2209,6 +2209,12 @@ </exclusion> </exclusions> </dependency> + <dependency> + <groupId>org.apache.xmlrpc</groupId> + <artifactId>xmlrpc-server</artifactId> + <version>3.1.3</version> + <scope>test</scope> + </dependency> <!-- End test dependencies --> </dependencies> diff --git a/src/test/java/org/olat/util/FunctionalCourseUtil.java b/src/test/java/org/olat/util/FunctionalCourseUtil.java index b58433d578158638667b9192b2c99bcf8d45c7b5..25fba1fdf84219c6278a9150465ce5c19006e47a 100644 --- a/src/test/java/org/olat/util/FunctionalCourseUtil.java +++ b/src/test/java/org/olat/util/FunctionalCourseUtil.java @@ -36,10 +36,12 @@ import org.apache.velocity.exception.ParseErrorException; import org.apache.velocity.exception.ResourceNotFoundException; import org.olat.core.logging.OLog; import org.olat.core.logging.Tracing; +import org.olat.util.xss.NotImplemented; import org.olat.util.xss.XssInjection; import org.olat.util.xss.XssInjectionDependencies; import org.olat.util.xss.XssInjectionDependency; import org.olat.util.xss.XssInjectionElement; +import org.olat.util.xss.XssInjectionIndex; import org.olat.util.xss.XssInjectionPositional; import org.olat.util.xss.XssInjectionProvider; import org.olat.util.xss.XssInjectionRandom; 
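Review bot: The `xmlrpc-server` dependency pinned at 3.1.3 at the end of the pom hunk comes from Apache XML-RPC, which to my knowledge has been retired to the Apache Attic and receives no further fixes, so the servlet built on it (XssClient in this commit) is legacy code parsing untrusted XML and should never be reachable outside the test environment. The `test` scope keeps it out of the shipped artifact, but that intent is not stated anywhere; a comment next to the dependency, `<!-- test-only: backs org.olat.util.xss.client.XssClient; never promote to compile scope -->`, would stop it being copied into a runtime profile later. A dependency-vulnerability scanner in the build will likely flag this coordinate, so the comment should also say why it is accepted.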
@@ -1220,7 +1222,14 @@ public class FunctionalCourseUtil { * @param message * @return true on success, otherwise false */ - public boolean postForumMessage(Selenium browser, long courseId, int nthForum, String title, String message){ + @XssInjection + @XssInjectionDependencies({ + @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createCourse", parameterName = {}), + @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "extractRepositoryEntryKey", parameterName = {"courseId"}, useReturnValue = true), + @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "createForum", parameterName = {}) + }) + public boolean postForumMessage(Selenium browser, long courseId, @XssInjectionIndex int nthForum, + @XssInjectionElement String title, @XssInjectionElement String message){ if(!openForum(browser, courseId, nthForum)) return(false); 
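Review bot: The `createForum` entry in `@XssInjectionDependencies` names a method that this same commit adds only as a stub returning `false` (hunk @@ -1989), so a harness that executes the dependency chain will fail before `postForumMessage` is ever reached. Until `createForum` is implemented, annotate this method like the other two in the commit, `@NotImplemented(reason = "missing dependencies: createForum")`, so the harness skips it deliberately instead of reporting a spurious failure. `parameterName = {}` on that entry also leaves open which of createForum's `title`/`description` arguments the harness should supply, if that is what the element controls; spelling it out would help the next reader. The method body continues past the hunk.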
@@ -1290,7 +1299,17 @@ public class FunctionalCourseUtil { * @param content * @return true on success, otherwise false */ - public boolean createWikiArticle(Selenium browser, long wikiId, String pagename, String content){ + @XssInjection + @XssInjectionDependencies({ + @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createCourse", parameterName = {}), + @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createWiki", parameterName = {}), + @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "readIdFromDetailedView", parameterName = {"wikiId"}, useReturnValue = true), + @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "createCourseNode", parameterName = {}), + @XssInjectionDependency(className = "org.olat.util.FunctionalCourseUtil", methodName = "chooseWiki", parameterName = {}) + }) + @NotImplemented(reason = "missing dependencies: read repository entry key") + public boolean createWikiArticle(Selenium browser, long wikiId, + @XssInjectionElement String pagename, @XssInjectionElement String content){ if(!openWiki(browser, wikiId)) return(false); @@ -1406,6 +1425,9 @@ public class FunctionalCourseUtil { * @param url * @return true on success */ + @XssInjection + @XssTutorOnly + @NotImplemented(reason = "test case won't understand url string as url") public boolean importBlogFeed(Selenium browser, String url){ functionalUtil.idle(browser); 
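Review bot: `@XssTutorOnly` on `importBlogFeed` (second hunk, @@ -1406) is not among the imports this commit adds in the @@ -36 hunk, which only brings in `NotImplemented` and `XssInjectionIndex`; unless it is already imported further down the import block outside that hunk, the file will not compile, so this is worth checking against the full import list rather than the diff. The reason text `"test case won't understand url string as url"` is informal for a value a harness presumably reports; `reason = "harness cannot treat the url parameter as a URL"` reads better. The method body continues past the hunk.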
@@ -1515,14 +1537,33 @@ public class FunctionalCourseUtil { * @param content * @return true on success, otherwise false */ - public boolean editBlogEntry(Selenium browser, long courseId, int nth, - String title, String description, String content, int entry, BlogEdit[] edit){ + @XssInjection + @XssInjectionDependencies({ + @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "createCourse", parameterName = {}), + @XssInjectionDependency(className = "org.olat.util.FunctionalRepositorySiteUtil", methodName = "readIdFromDetailedView", parameterName = {"courseId"}, useReturnValue = true) + }) + @NotImplemented(reason = "missing dependencies: read repository entry key") + public boolean editBlogEntry(Selenium browser, long courseId, @XssInjectionIndex int nth, + @XssInjectionElement String title, @XssInjectionElement String description, + @XssInjectionElement String content, + @XssInjectionPositional int entry, @XssInjectionElement BlogEdit[] edit){ if(!openBlogWithoutBusinessPath(browser, courseId, nth)) return(false); return(editBlogEntry(browser, title, description, content, entry, edit)); } + /** + * Edit a blog entry. + * + * @param browser + * @param title + * @param description + * @param content + * @param entry + * @param edit + * @return + */ public boolean editBlogEntry(Selenium browser, String title, String description, String content, int entry, BlogEdit[] edit){ StringBuffer selectorBuffer = new StringBuffer(); @@ -1989,6 +2030,20 @@ public class FunctionalCourseUtil { return(true); } + /** + * Creates a new forum. + * + * @param browser + * @param title + * @param description + * @return + */ + public boolean createForum(Selenium browser, String title, String description){ + //TODO:JK: implement me + + return(false); + } + /** * Opens the portfolio template editor in conjunction with this method the appropriate node and * the appopriate tab should already be opened. 
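Review bot: The Javadoc added for the six-argument `editBlogEntry` overload has empty `@param` tags and an empty `@return`, which is worse than no Javadoc because tools and readers take it as documented; either fill them in (`@return true on success, otherwise false`, matching the sibling comment above the hunk) or drop the block. In the eight-argument overload, `@XssInjectionElement BlogEdit[] edit` is the only place in the commit where that annotation sits on a non-String parameter; if the harness substitutes strings into annotated elements, as its use on `title`/`description`/`content` suggests, this parameter needs its own handling or the annotation should go. The six-argument overload's body continues past the hunk.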
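Review bot: `createForum` (hunk @@ -1989) is added as a stub that returns `false` while `postForumMessage` (hunk @@ -1220) now lists it as a dependency, so the forum injection test will fail at the dependency step until this is implemented, and silently so. Consider making the gap visible, `throw new UnsupportedOperationException("createForum not implemented");`, rather than returning `false`, and give the Javadoc a real contract instead of the empty `@return`, e.g. `@return true on success, otherwise false`.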
diff --git a/src/test/java/org/olat/util/xss/NotImplemented.java b/src/test/java/org/olat/util/xss/NotImplemented.java
new file mode 100644
index 0000000000000000000000000000000000000000..4db6ab85f820591bdd138cd2463a690efb250e16
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/NotImplemented.java
@@ -0,0 +1,29 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public @interface NotImplemented {
+ String reason();
+}
diff --git a/src/test/java/org/olat/util/xss/XssInjectionDependency.java b/src/test/java/org/olat/util/xss/XssInjectionDependency.java
index ac9bd56a705e758ddd528856aa320171fef17faa..d2bd532c81ece729bee13410eb74169fc7562973 100644
--- a/src/test/java/org/olat/util/xss/XssInjectionDependency.java
+++ b/src/test/java/org/olat/util/xss/XssInjectionDependency.java
@@ -28,4 +28,5 @@ public @interface XssInjectionDependency {
 String className();
 String methodName();
 String[] parameterName();
+ boolean useReturnValue() default false;
 }
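Review bot: `NotImplemented` declares neither `@Retention` nor `@Target`, so it gets the default `CLASS` retention and is invisible to reflection at runtime; if the harness that consumes `XssInjectionDependency`'s `className`/`methodName` discovers annotations reflectively, as those elements suggest, it will never see this marker and will run exactly the methods it is meant to skip. Add `@Retention(RetentionPolicy.RUNTIME)` and `@Target(ElementType.METHOD)` above `public @interface NotImplemented` (with the `java.lang.annotation` imports), and give the type a one-line Javadoc such as `Marks an injection test method the harness must skip; {@code reason} names what is missing.` The new `XssInjectionIndex` in the next file has the same gap, belongs on parameters (`ElementType.PARAMETER`), and is also missing the license header every other new file in this commit carries.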
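Review bot: The new `useReturnValue` element on `XssInjectionDependency` is undocumented, and its meaning has to be guessed from the call sites in FunctionalCourseUtil, where it is always paired with a single `parameterName`. If the intent is what those usages suggest, state it on the element: `/** When true, the dependency's return value is passed as the parameter named in {@code parameterName}. */`. The enclosing interface starts before the hunk.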
diff --git a/src/test/java/org/olat/util/xss/XssInjectionIndex.java b/src/test/java/org/olat/util/xss/XssInjectionIndex.java
new file mode 100644
index 0000000000000000000000000000000000000000..612100f174e27c7b2d5f44619d7aa1570cbe62e8
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/XssInjectionIndex.java
@@ -0,0 +1,5 @@
+package org.olat.util.xss;
+
+public @interface XssInjectionIndex {
+ int index() default 0;
+}
diff --git a/src/test/java/org/olat/util/xss/client/CharsetUtil.java b/src/test/java/org/olat/util/xss/client/CharsetUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..70120a36efce7efa62205d0225049c4e418e11dd
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/CharsetUtil.java
@@ -0,0 +1,29 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public class CharsetUtil {
+
+}
diff --git a/src/test/java/org/olat/util/xss/client/HttpClient.java b/src/test/java/org/olat/util/xss/client/HttpClient.java
new file mode 100644
index 0000000000000000000000000000000000000000..82b14ce0501f865bb7449a8f60a9d566fd97f38e
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/HttpClient.java
@@ -0,0 +1,38 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+import java.io.IOException;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public interface HttpClient {
+ public void connect(String host, int port);
+
+ public void setHttpHeader(byte[] buffer);
+
+ public void httpGet(byte[] data);
+ public void httpPut(byte[] data);
+ public void httpDelete(byte[] data);
+ public void httpPost(byte[] data);
+}
diff --git a/src/test/java/org/olat/util/xss/client/HttpUtil.java b/src/test/java/org/olat/util/xss/client/HttpUtil.java
new file mode 100644
index 0000000000000000000000000000000000000000..987faf21d6a05a98b297d007df3916efae5f4797
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/HttpUtil.java
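Review bot: `connect(String host, int port)` returns `void` and declares no exception even though `java.io.IOException` is imported and otherwise unused, so an implementation has no way to report a failed connection and callers such as `XssClient.attack` will go on building a request for a socket that never opened. Declare the I/O methods as `void connect(String host, int port) throws IOException;` (and the four `http*` methods likewise), and add `void close() throws IOException;` or extend `AutoCloseable` so the socket can be released in try-with-resources. The `public` modifiers on interface methods are redundant and the interface has no Javadoc stating what the `byte[]` arguments are expected to contain.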
@@ -0,0 +1,44 @@
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+
+package org.olat.util.xss.client;
+
+import java.util.HashSet;
+
+/**
+ *
+ * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com
+ */
+public class HttpUtil {
+ enum HttpMethod {
+ HTTP_PUT,
+ HTTP_DELETE,
+ HTTP_GET,
+ HTTP_POST,
+ };
+
+ public static byte[] createHttpHeader(HttpMethod method, HashSet<String> parameter, String headerEncoding, String bodyEncoding){
+ byte[] header = null;
+
+ //TODO:JK: implement me
+
+ return(header);
+ }
+}
diff --git a/src/test/java/org/olat/util/xss/client/XssClient.java b/src/test/java/org/olat/util/xss/client/XssClient.java
new file mode 100644
index 0000000000000000000000000000000000000000..19c2bf6bf0bf9595fd4696c01fb004076dd53ec7
--- /dev/null
+++ b/src/test/java/org/olat/util/xss/client/XssClient.java
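Review bot: `createHttpHeader` is a public method whose `HttpMethod` parameter is a package-private enum, so the method cannot be called from outside `org.olat.util.xss.client` even though the class and method are public; declare `public enum HttpMethod { HTTP_PUT, HTTP_DELETE, HTTP_GET, HTTP_POST }` (the trailing `;` after the enum body is unnecessary). The stub returns `null`, which `XssClient.attack` accepts without a check; until it is implemented, `throw new UnsupportedOperationException("createHttpHeader not implemented");` fails loudly instead of propagating a null header. Take `Set<String> parameter` rather than `HashSet<String>`, and since this is a utility class give it a private constructor.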
@@ -0,0 +1,315 @@ +/** + * <a href="http://www.openolat.org"> + * OpenOLAT - Online Learning and Training</a><br> + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); <br> + * you may not use this file except in compliance with the License.<br> + * You may obtain a copy of the License at the + * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a> + * <p> + * Unless required by applicable law or agreed to in writing,<br> + * software distributed under the License is distributed on an "AS IS" BASIS, <br> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br> + * See the License for the specific language governing permissions and <br> + * limitations under the License. + * <p> + * Initial code contributed and copyrighted by<br> + * frentix GmbH, http://www.frentix.com + * <p> + */ + +package org.olat.util.xss.client; + +import java.io.OutputStream; +import java.net.Socket; +import java.util.ArrayList; +import java.util.HashSet; +import java.util.List; + +import org.apache.xmlrpc.webserver.XmlRpcServlet; + +import org.olat.util.xss.client.HttpUtil; +import org.olat.util.xss.client.HttpUtil.HttpMethod; + +/** + * WARNING: this software may not be used on public networks especially over an internet + * connection nor within your ISPs WAN. It may potentially damage your infrastructure. + * XssClient should be used carefully and only for error detection. It uses its very own + * implementation of the HTTP protocol and may break international telecommunication contracts. 
+ * + * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com + */ +public class XssClient extends XmlRpcServlet implements HttpClient { + + final static String DEFAULT_ENCODING = "UTF-8"; + + final static String DEFAULT_REMOTE_ENCODING = "Unicode"; + final static String DEFAULT_CLIENT_ENCODING = "iso-8859-1"; + final static String DEFAULT_BODY_ENCODING = "UTF-16"; + final static String DEFAULT_SCRIPT_ENCODING = "UTF-7"; + + final static int DEFAULT_THREAD_COUNT = 100; + final static int DEFAULT_FAKE_USER_COUNT = 100; + final static int DEFAULT_CONCURRENT_USER_COUNT = 100; + + enum XssStrategy{ + TRICK_ESCAPING, + CLOSE_TAGS, + MASQUERADE_ENCODING, + FAKE_USERS, + CONCURRENT_USERS, + RANDOM_ENCODING, + PACKAGE_FRAGMENTS, + GENERATE_DATABASE_TIMEOUTS, + LOW_LATENCY_RESEND, + } + + private String defaultEncoding; + + private String remoteEncoding; + private String clientEncoding; + private String bodyEncoding; + private String scriptEncoding; + + private byte[] header; + private byte[] jsessionId; + + private Socket connection; + private OutputStream out; + + private int threadCount; + private int fakeUserCount; + private int concurrentUserCount; + + private List<Script> scripts; + + public XssClient(){ + this.defaultEncoding = DEFAULT_ENCODING; + + this.remoteEncoding = DEFAULT_REMOTE_ENCODING; + this.clientEncoding = DEFAULT_CLIENT_ENCODING; + this.bodyEncoding = DEFAULT_BODY_ENCODING; + this.scriptEncoding = DEFAULT_SCRIPT_ENCODING; + + this.connection = new Socket(); + this.out = null; + + this.threadCount = DEFAULT_THREAD_COUNT; + this.fakeUserCount = DEFAULT_FAKE_USER_COUNT; + this.concurrentUserCount = DEFAULT_CONCURRENT_USER_COUNT; + + this.scripts = new ArrayList<Script>(); + + reloadScripts(); + } + + public void reloadScripts(){ + Script script = new CommonScript(); + script.load(); + scripts.add(script); + + script = new InlineScript(); + script.load(); + scripts.add(script); + + script = new IFrameScript(); + script.load(); + scripts.add(script); 
+ } + + @Override + public void connect(String host, int port) { + // TODO Auto-generated method stub + + } + + @Override + public void setHttpHeader(byte[] buffer) { + this.header = buffer; + } + + @Override + public void httpGet(byte[] data) { + // TODO Auto-generated method stub + + } + + @Override + public void httpPut(byte[] data) { + // TODO Auto-generated method stub + + } + + @Override + public void httpDelete(byte[] data) { + // TODO Auto-generated method stub + + } + + @Override + public void httpPost(byte[] data) { + // TODO Auto-generated method stub + + } + + public void attack(String path, HttpMethod method, HashSet<String> parameter, XssStrategy strategy, String snipped){ + this.attack("localhost", 8080, path, method, parameter, strategy, snipped); + } + + private void attack(String host, int port, String path, HttpMethod method, HashSet<String> parameter, XssStrategy strategy, String snipped){ + connect(host, port); + + byte[] header = HttpUtil.createHttpHeader(method, parameter, getClientEncoding(), getBodyEncoding()); + + + } + + public String getDefaultEncoding() { + return defaultEncoding; + } + + public void setDefaultEncoding(String defaultEncoding) { + this.defaultEncoding = defaultEncoding; + } + + public String getRemoteEncoding() { + return remoteEncoding; + } + + public void setRemoteEncoding(String remoteEncoding) { + this.remoteEncoding = remoteEncoding; + } + + public String getClientEncoding() { + return clientEncoding; + } + + public void setClientEncoding(String clientEncoding) { + this.clientEncoding = clientEncoding; + } + + public String getBodyEncoding() { + return bodyEncoding; + } + + public void setBodyEncoding(String bodyEncoding) { + this.bodyEncoding = bodyEncoding; + } + + public String getScriptEncoding() { + return scriptEncoding; + } + + public void setScriptEncoding(String scriptEncoding) { + this.scriptEncoding = scriptEncoding; + } + + public byte[] getHeader() { + return header; + } + + public void setHeader(byte[] 
header) { + this.header = header; + } + + public byte[] getJSessionId() { + return jsessionId; + } + + public void setJSessionId(byte[] jsessionId) { + this.jsessionId = jsessionId; + } + + public Socket getConnection() { + return connection; + } + + public void setConnection(Socket connection) { + this.connection = connection; + } + + public OutputStream getOut() { + return out; + } + + public void setOut(OutputStream out) { + this.out = out; + } + + public int getThreadCount() { + return threadCount; + } + + public void setThreadCount(int threadCount) { + this.threadCount = threadCount; + } + + public int getFakeUserCount() { + return fakeUserCount; + } + + public void setFakeUserCount(int fakeUserCount) { + this.fakeUserCount = fakeUserCount; + } + + public int getConcurrentUserCount() { + return concurrentUserCount; + } + + public void setConcurrentUserCount(int concurrentUserCount) { + this.concurrentUserCount = concurrentUserCount; + } + + public List<Script> getScripts() { + return scripts; + } + + public void setScripts(List<Script> scripts) { + this.scripts = scripts; + } + + public abstract class Script{ + private List<String> variants; + + public Script(){ + variants = new ArrayList<String>(); + } + + public abstract void load(); + + public List<String> getVariants() { + return variants; + } + + public void setVariants(List<String> variants) { + this.variants = variants; + } + } + + public class CommonScript extends Script { + + @Override + public void load() { + // TODO Auto-generated method stub + + } + } + + public class InlineScript extends Script { + + @Override + public void load() { + // TODO Auto-generated method stub + + } + } + + public class IFrameScript extends Script { + + @Override + public void load() { + // TODO Auto-generated method stub + + } + } +} 
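Review bot: `reloadScripts()` appends three fresh `Script` objects to `scripts` on every call without clearing the list, so each reload after the one in the constructor duplicates the entries; start it with `scripts.clear();`, and note that it is an overridable method invoked from the constructor, which is generally discouraged. The private `attack` overload computes `header` into a local that shadows the field and then discards it, `connect` is an empty stub and `out` is never assigned, so the whole path is currently a no-op on an unconnected `Socket`. Because the class is registered as an XML-RPC handler in `xssClient_XmlRpcServlet.properties` and mapped at `/xssclient`, every public method here, the setters and `attack` included, is presumably callable by whoever can reach the servlet; the class Javadoc warning should say so, and the public surface should be cut down to what the harness needs. `DEFAULT_SCRIPT_ENCODING = "UTF-7"` is, as far as I know, not a charset the JDK ships, so `Charset.forName` on it will throw the first time it is used. `Script` and its three subclasses are non-static inner classes that each capture the enclosing client for no visible reason; make them `static` or top-level.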
diff --git a/src/test/java/org/olat/util/xss/client/XssClientDeployments.java b/src/test/java/org/olat/util/xss/client/XssClientDeployments.java new file mode 100644 index 0000000000000000000000000000000000000000..d0b1b0efe0f3923af3fd11d25b0046ea1c397e9f --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/XssClientDeployments.java @@ -0,0 +1,37 @@ +/** + * <a href="http://www.openolat.org"> + * OpenOLAT - Online Learning and Training</a><br> + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); <br> + * you may not use this file except in compliance with the License.<br> + * You may obtain a copy of the License at the + * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a> + * <p> + * Unless required by applicable law or agreed to in writing,<br> + * software distributed under the License is distributed on an "AS IS" BASIS, <br> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br> + * See the License for the specific language governing permissions and <br> + * limitations under the License. + * <p> + * Initial code contributed and copyrighted by<br> + * frentix GmbH, http://www.frentix.com + * <p> + */ + +package org.olat.util.xss.client; + +import java.io.InputStream; + +/** + * + * @author jkraehemann, joel.kraehemann@frentix.com, frentix.com + */ +public class XssClientDeployments { + + public static void createDeployment(String webapp, String xmlRpcServletProperties, String webXml){ + + InputStream webArchive = XssClientDeployments.class.getResourceAsStream(webapp); + + //TODO:JK: implement me + } +} diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_XmlRpcServlet.properties b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_XmlRpcServlet.properties new file mode 100644 index 0000000000000000000000000000000000000000..360278c80888336d5b37636811bc7fcbf2357d53 --- /dev/null 
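Review bot: The `InputStream` obtained from `getResourceAsStream(webapp)` in `createDeployment` is never closed and may be `null` when the resource is missing, and the `xmlRpcServletProperties` and `webXml` parameters are unused. Wrap it in try-with-resources and fail early on a missing resource, `try (InputStream webArchive = Objects.requireNonNull(XssClientDeployments.class.getResourceAsStream(webapp), webapp)) {`, and add Javadoc saying what the two descriptor parameters are meant to contribute once the TODO is done.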
+++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_XmlRpcServlet.properties @@ -0,0 +1 @@ +XssClient=org.olat.util.xss.client.XssClient diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_abstract.vm b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_abstract.vm new file mode 100644 index 0000000000000000000000000000000000000000..98be3aa6718d0171fb046365671ca89f1fac2ae9 --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_abstract.vm @@ -0,0 +1 @@ +<${"tag"} ${"function"}="${script}"></${"tag"}> diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_functions.xml b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_functions.xml new file mode 100644 index 0000000000000000000000000000000000000000..fb8179a29532a995a9bbab629b2adc4b8fdefc00 --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_functions.xml @@ -0,0 +1,24 @@ +<?xml version="1.0" encoding="utf-8"?> +<browsers> + <browser name="Microsoft Internet Explorer" version="6"> + <specification version="5.0"> + <functions> + <function>onLoad</function> + <function>onMouse</function> + <function>onMouseOver</function> + <function>onMouseOut</function> + <function>onClick</function> + <function>onMotion</function> + <function>onKeyEvent</function> + <function>event</function> + </functions> + </specification> + </browser> + <browser name="Firefox" version="22"> + <specification version="5.0"> + <functions> + <function>event</function> + </functions> + </specification> + </browser> +</browsers> diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_iframe.vm b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_iframe.vm new file mode 100644 index 0000000000000000000000000000000000000000..fcb672a5926ecd3e810a9cee37280334fef0d2a1 --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_iframe.vm @@ -0,0 +1 @@ +<iframe></iframe> 
diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_jquery.js b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_jquery.js new file mode 100644 index 0000000000000000000000000000000000000000..1a334d0373d2e8f562448c84a3984d42c362e5d9 --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_jquery.js @@ -0,0 +1 @@ +${"*","XSS"} diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_script.js b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_script.js new file mode 100644 index 0000000000000000000000000000000000000000..888b3aa8181f1a483513f7196c41359bdfea248d --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_script.js @@ -0,0 +1 @@ +window.alert("XSS"); diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_scriptSnippet.vm b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_scriptSnippet.vm new file mode 100644 index 0000000000000000000000000000000000000000..61499e194a8a3f49e36116e677b814f66fd485ef --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_scriptSnippet.vm @@ -0,0 +1 @@ +<javascript>${"script"}</javascript> diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_tags.xml b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_tags.xml new file mode 100644 index 0000000000000000000000000000000000000000..3cb1be14ebb2eee2891e7b8c89b3644a6bf2d7e6 --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_tags.xml 
@@ -0,0 +1,38 @@ +<?xml version="1.0" encoding="utf-8"?> +<list> + <!-- document structure tags --> + <tab name="html"/> + <tag name="head"/> + <tag name="meta"/> + <tag name ="body"/> + + <!-- formating tags --> + <tag name ="h1"/> + <tag name ="h2"/> + <tag name ="h3"/> + <tag name ="h4"/> + <tag name ="h5"/> + <tag name ="h6"/> + <tag name ="p"/> + <tag name ="table"/> + <tag name ="thead"/> + <tag name ="tr"/> + <tag name ="th"/> + <tag name ="tbody"/> + <tag name ="td"/> + <tag name ="div"/> + + <!-- embedding external --> + <tag name ="img"/> + <tag name ="script"/> + <tag name ="object"/> + <tag name ="embed"/> + <tag name ="audio"/> + <tag name ="video"/> + + <!-- styling --> + <tag name ="i"/> + <tag name ="b"/> + <tag name ="u"/> + <tag name ="span"/> +</list> diff --git a/src/test/java/org/olat/util/xss/client/_ressources/xssClient_web.xml b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_web.xml new file mode 100644 index 0000000000000000000000000000000000000000..5f4b02444e18596471172d7fa5a99a3deac55264 --- /dev/null +++ b/src/test/java/org/olat/util/xss/client/_ressources/xssClient_web.xml @@ -0,0 +1,22 @@ +<?xml version="1.0" encoding="UTF-8"?> +<web-app version="3.0" xmlns="http://java.sun.com/xml/ns/javaee" + xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" + xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_3_0.xsd" + metadata-complete="true"> + + <servlet> + <servlet-name>XssClient</servlet-name> + <servlet-class>org.olat.util.xss.client.XssClient</servlet-class> + <init-param> + <param-name>enabledForExtensions</param-name> + <param-value>true</param-value> + <!-- <description>Sets, whether the servlet supports vendor extensions + for XML-RPC.</description> --> + </init-param> + </servlet> + <servlet-mapping> + <servlet-name>XssClient</servlet-name> + <url-pattern>/xssclient</url-pattern> + </servlet-mapping> + +</web-app>
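Review bot: The web.xml hunk maps `XssClient` at `/xssclient` with no `<security-constraint>`, and `metadata-complete="true"` means nothing else in the archive can add one, so any client that can reach the deployment can invoke the attack driver's handlers. Since this is a test-only artifact, say so in the descriptor, `<!-- test-only deployment of the XSS client; must never be packaged into a production WAR -->`, and if the harness deploys it into a shared container, add a constraint restricting `/xssclient` to the test role. The commented-out `<description>` inside `<init-param>` can simply be a real `<description>` element.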