Home | History | Annotate | Download | only in utils
      1 package com.android.mail.utils;
      2 
      3 import android.test.AndroidTestCase;
      4 import android.test.suitebuilder.annotation.SmallTest;
      5 
      6 /**
      7  * These test cases verify the handling of more advanced cross-site scripting attacks.
      8  */
      9 @SmallTest
     10 public class AdvancedHtmlSanitizerTest extends AndroidTestCase {
     11     public void testSampleEmail() {
     12         sanitize("<html>\n" +
     13                         "<head>\n" +
     14                         "<title>HTML E-mail</title>\n" +
     15                         "<script>\n" +
     16                         "alert(\"I am an alert box!\");\n" +
     17                         "</script>\n" +
     18                         "</head>\n" +
     19                         "<body>\n" +
     20                         "Body here\n" +
     21                         "<br />\n" +
     22                         "<a href=\"http://www.google.com\">Link to Google Search!</a>\n" +
     23                         "<br />\n" +
     24                         "<br />\n" +
     25                         "<a onclick=\"alert('surprise!')\" href=\"#\">I am a link!</a>\n" +
     26                         "<br />\n" +
     27                         "Moar body here\n" +
     28                         "</body>\n" +
     29                         "</html>"
     30                 ,
     31                 "\n" +
     32                         "\n" +
     33                         "\n" +
     34                         "\n" +
     35                         "\n" +
     36                         "<div>\n" +
     37                         "Body here\n" +
     38                         "<br />\n" +
     39                         "<a href=\"http://www.google.com\">Link to Google Search!</a>\n" +
     40                         "<br />\n" +
     41                         "<br />\n" +
     42                         "<a href=\"#\">I am a link!</a>\n" +
     43                         "<br />\n" +
     44                         "Moar body here\n" +
     45                         "</div>\n");
     46     }
     47 
     48     public void testXSS() {
     49         sanitize("'';!--\"<XSS>=&{()}", "&#39;&#39;;!--&#34;&#61;&amp;{()}");
     50         sanitize("<img src=javascript:alert(String.fromCharCode(88,83,83))>", "");
     51         sanitize("\\\";alert('XSS');//", "\\&#34;;alert(&#39;XSS&#39;);//");
     52         sanitize("<br size=\"&{alert('XSS')}\">", "<br />");
     53         sanitize("<xss style=\"xss:expression(alert('XSS'))\">", "");
     54         sanitize("<xss style=\"behavior: url(xss.htc);\">", "");
     55         sanitize("scriptalert(XSS)/script", "scriptalert(XSS)/script");
     56         sanitize("<xml><i><b><img src=\"javas<!-- -->cript:alert('XSS')\"></b></i></xml>",
     57                 "<i><b></b></i>");
     58         sanitize("<xml src=\"xsstest.xml\" id=I></xml>", "");
     59         sanitize("<!--[if gte IE 4]>\n" +
     60                 " <SCRIPT>alert('XSS');</SCRIPT>\n" +
     61                 " <![endif]-->", "");
     62         sanitize("<body>\n" +
     63                         "<?xml:namespace prefix=\"t\" ns=\"urn:schemas-microsoft-com:time\">\n" +
     64                         "<?import namespace=\"t\" implementation=\"#default#time2\">\n" +
     65                         "<t:set attributeName=\"innerHTML\" to=\"XSS<script defer>alert(\"XSS\")" +
     66                         "</script>\">\n" +
     67                         "</body></html>",
     68                 "<div>\n" +
     69                         "\n" +
     70                         "\n" +
     71                         "&#34;&gt;\n" +
     72                         "</div>");
     73     }
     74 
     75     /**
     76      * Technically, RFC 2392 doesn't limit where CID urls may appear. But, Webview is unhappy
     77      * handling them within link tags, so we only allow them in img src attributes until we see a
     78      * reason to expand their acceptance.
     79      */
     80     public void testCIDurls() {
     81         sanitize("<img src=\"http://www.here.com/awesome.png\"/>",
     82                 "<img src=\"http://www.here.com/awesome.png\" />");
     83         sanitize("<img src=\"https://www.here.com/awesome.png\"/>",
     84                 "<img src=\"https://www.here.com/awesome.png\" />");
     85         sanitize("<img src=\"cid:ii_145bda161daf6f9c\"/>",
     86                 "<img src=\"cid:ii_145bda161daf6f9c\" />");
     87 
     88         sanitize("<a href=\"http://www.here.com/awesome.png\"/>",
     89                 "<a href=\"http://www.here.com/awesome.png\"></a>");
     90         sanitize("<a href=\"https://www.here.com/awesome.png\"/>",
     91                 "<a href=\"https://www.here.com/awesome.png\"></a>");
     92         sanitize("<a href=\"cid:ii_145bda161daf6f9c\"/>", "");
     93     }
     94 
     95     // todo the stock CssSchema in OWASP does NOT allow the float property; I experiment with adding
     96     // todo it to see how much it beautifies HTML display (the risk seems to be that you can display
     97     // todo content outside the bounds of your div and mislead the user with this technique)
     98     public void testCSS_float() {
     99         sanitize("<div style=\"float:none\"></div>", "<div style=\"float:none\"></div>");
    100         sanitize("<div style=\"float:left\"></div>", "<div style=\"float:left\"></div>");
    101         sanitize("<div style=\"float:right\"></div>", "<div style=\"float:right\"></div>");
    102         sanitize("<div style=\"float:inherit\"></div>", "<div style=\"float:inherit\"></div>");
    103         sanitize("<div style=\"float:initial\"></div>", "<div></div>");
    104         sanitize("<div style=\"float:garbage\"></div>", "<div></div>");
    105     }
    106 
    107     // todo the stock CssSchema in OWASP does NOT allow the display property; I experiment with
    108     // todo adding it to see how much it beautifies HTML display (the risk seems to be that you can
    109     // todo display content outside the bounds of your div and mislead the user with this technique)
    110     public void testCSS_display() {
    111         sanitize("<div style=\"display:inline\"></div>", "<div style=\"display:inline\"></div>");
    112         sanitize("<div style=\"display:block\"></div>", "<div style=\"display:block\"></div>");
    113         sanitize("<div style=\"display:flex\"></div>", "<div></div>");
    114         sanitize("<div style=\"display:inline-block\"></div>",
    115                 "<div style=\"display:inline-block\"></div>");
    116         sanitize("<div style=\"display:inline-flex\"></div>", "<div></div>");
    117         sanitize("<div style=\"display:inline-table\"></div>",
    118                 "<div style=\"display:inline-table\"></div>");
    119         sanitize("<div style=\"display:list-item\"></div>",
    120                 "<div style=\"display:list-item\"></div>");
    121         sanitize("<div style=\"display:run-in\"></div>", "<div style=\"display:run-in\"></div>");
    122         sanitize("<div style=\"display:table\"></div>", "<div style=\"display:table\"></div>");
    123         sanitize("<div style=\"display:table-caption\"></div>",
    124                 "<div style=\"display:table-caption\"></div>");
    125         sanitize("<div style=\"display:table-column-group\"></div>",
    126                 "<div style=\"display:table-column-group\"></div>");
    127         sanitize("<div style=\"display:table-header-group\"></div>",
    128                 "<div style=\"display:table-header-group\"></div>");
    129         sanitize("<div style=\"display:table-footer-group\"></div>",
    130                 "<div style=\"display:table-footer-group\"></div>");
    131         sanitize("<div style=\"display:table-row-group\"></div>",
    132                 "<div style=\"display:table-row-group\"></div>");
    133         sanitize("<div style=\"display:table-cell\"></div>",
    134                 "<div style=\"display:table-cell\"></div>");
    135         sanitize("<div style=\"display:table-column\"></div>",
    136                 "<div style=\"display:table-column\"></div>");
    137         sanitize("<div style=\"display:table-row\"></div>",
    138                 "<div style=\"display:table-row\"></div>");
    139         sanitize("<div style=\"display:none\"></div>", "<div style=\"display:none\"></div>");
    140         sanitize("<div style=\"display:initial\"></div>", "<div></div>");
    141         sanitize("<div style=\"display:inherit\"></div>", "<div style=\"display:inherit\"></div>");
    142     }
    143 
    144     public void testTrimmingUrls() {
    145         // todo Gmail strips the leading space on this href
    146 //        sanitize("<a href=\"http://www.google.com \">Send mail</a>",
    147 //                "<a href=\"http://www.google.com\">Send mail</a>");
    148         sanitize("<a href=\" http://www.google.com\">Send mail</a>", "Send mail");
    149         // todo Gmail strips the trailing space on this href
    150 //        sanitize("<a href=\"http://www.google.com \">Send mail</a> ",
    151 //                "<a href=\"http://www.google.com\">Send mail</a>");
    152         sanitize("<a href=\"http://www.google.com \">Send mail</a>",
    153                 "<a href=\"http://www.google.com \">Send mail</a>");
    154         // todo Gmail strips the leading and trailing spaces on this href
    155 //        sanitize("<a href=\" http://www.google.com \">Send mail</a> ",
    156 //                "<a href=\"http://www.google.com\">Send mail</a>");
    157         sanitize("<a href=\" http://www.google.com \">Send mail</a>", "Send mail");
    158     }
    159 
    160     public void testDangerousHtml() {
    161         // body tag is translated to div tag
    162         sanitize("<body dir=\"rtl\" onMouseOVer=\"alert(document.cookie)\">arr</body>",
    163                 "<div dir=\"rtl\">arr</div>");
    164         sanitize("<DIV ONCLICK=alert(document.cookie) style=color:red>arr</DIV>",
    165                 "<div style=\"color:red\">arr</div>");
    166         sanitize("<b style=position:absolute;left:0;top:0>arr</b>", "<b>arr</b>");
    167 
    168         // mailto: URLs on images are too easy to turn into DOS attacks
    169         sanitize("<img src=\"mailto:\">", "");
    170         sanitize("<img src=\"mailto:hcnidumolu (at) google.com\">", "");
    171         sanitize("<img src=\"mailto:hcnidumolu (at) google.com\">", "");
    172         sanitize("<img src=\" mailto:hcnidumolu (at) google.com\">", "");
    173         sanitize("<img src=\"m&#x61;ilto:hcnidumolu (at) google.com\">", "");
    174         sanitize("<img src=\"m&#x0D;ailto:hcnidumolu (at) google.com\">", "");
    175         // todo Gmail doesn't escape the @ sign; OWASP does by default
    176 //        sanitize("<a href=\"mailto:hcnidumolu (at) google.com\">Send mail </a>",
    177 //                "<a href=\"mailto:hcnidumolu (at) google.com\">Send mail </a>");
    178         sanitize("<a href=\"mailto:hcnidumolu (at) google.com\">Send mail </a>",
    179                 "<a href=\"mailto:hcnidumolu&#64;google.com\">Send mail </a>");
    180     }
    181 
    182     public void testSanitizingImgsWithoutSchemes() {
    183         sanitize("<img src=\"//images1-gm-opensocial.googleusercontent.com/gadgets/proxy?" +
    184                         "url=http://foo.bar/baz.png&container=gm&gadget=a&rewriteMime=image/*\">",
    185 //                "<img src=\"//images1-gm-opensocial.googleusercontent.com/gadgets/proxy?" +
    186 //                        "url=http://foo.bar/baz.png&container=gm&gadget=" +
    187 //                        "a&amp;rewriteMime=image/*\">"); // todo Gmail doesn't escape the = signs
    188                 "<img src=\"//images1-gm-opensocial.googleusercontent.com/gadgets/proxy?" +
    189                         "url&#61;http://foo.bar/baz.png&container&#61;gm&amp;gadget&#61;" +
    190                         "a&amp;rewriteMime&#61;image/*\" />");
    191     }
    192 
    193     public void testAdditionalURISchemes() {
    194         // todo Gmail keeps a destinationless link; OWASP strips the a link completely
    195 //        sanitize("<a href=\"foo:bar\" target=\"_blank\">link1</a>", "<a>link1</a>");
    196         sanitize("<a href=\"foo:bar\" target=\"_blank\">link1</a>", "link1");
    197         // todo Gmail keeps a destinationless a link; OWASP strips the a link completely
    198 //        sanitize("<a href=\"baz:alanbs (at) google.com\">link2</a>", "<a>link2</a>");
    199         sanitize("<a href=\"baz:alanbs (at) google.com\">link2</a>", "link2");
    200     }
    201 
    202     public void testBackgroundAttribute() {
    203         sanitize("<div background=\"http://www.random.org/png\">stuff</div><div>more stuff</div>",
    204                 "<div background=\"http://www.random.org/png\">stuff</div><div>more stuff</div>");
    205     }
    206 
    207     public void testInputImage() {
    208         sanitize("<input type=\"image\" src=\"http://random.org/png\">",
    209                 "<input type=\"image\" src=\"http://random.org/png\" />");
    210     }
    211 
    212     public void testImplicitInputImage() {
    213         // In HTML 4.01, src attribute has meaning only when type="image" (which
    214         // is not the default), but this happens in real life.
    215         sanitize("<input src=\"http://random.org/png\">",
    216                 "<input src=\"http://random.org/png\" />");
    217     }
    218 
    219     public void testSerialization() {
    220         // N.B. (literal) newlines must not occur in CSS strings.
    221         // todo Gmail leaves this CSS style in place and escapes it; OWASP removes it all
    222 //        sanitize("<a href=\"http://www.google.com\" style=\"font-family: 'expression; " +
    223 //                        "\\a color:red;\\a font-family: completely unsanitized =(;' ;\">asdf</a>",
    224 //                "<a href=\"http://www.google.com\" style=\"font-family:&#39;expression; " +
    225 //                        "\\00000acolor:red;\\00000afont-family: completely unsanitized " +
    226 //                        "=(;&#39;\">asdf</a>");
    227         sanitize("<a href=\"http://www.google.com\" style=\"font-family: 'expression; " +
    228                         "\\a color:red;\\a font-family: completely unsanitized =(;' ;\">asdf</a>",
    229                 "<a href=\"http://www.google.com\">asdf</a>");
    230     }
    231 
    232     public void testNoJS() {
    233         // todo Gmail leaves this CSS in place and escapes it; OWASP removes it all
    234 //        sanitize("<a href=\"http://www.google.com\" style=\"background-image: " +
    235 //                "url('javascript:alert(1)')\"></a>",
    236 //                "<a href=\"http://www.google.com\" style=\"background-image:" +
    237 //                        "url(&#39;&#39;)\"></a>");
    238         sanitize("<a href=\"http://www.google.com\" style=\"background-image: " +
    239                 "url('javascript:alert(1)')\"></a>",
    240                 "<a href=\"http://www.google.com\"></a>");
    241     }
    242 
    243     public void testNoStyleElementByDefault() {
    244         sanitize("<head><style type='text/css'>verboten { color: red; }</style></head>" +
    245                         "<body><p>test</p>",
    246                 "<div><p>test</p></div>");
    247     }
    248 
    249     public void testMessageFormation() {
    250         sanitize("<table><tr><td><b>This is a simple message</b></td></tr></table>",
    251                 "<table><tr><td><b>This is a simple message</b></td></tr></table>");
    252         sanitize("<table><tr><td><b>This is a simple message",
    253                 "<table><tr><td><b>This is a simple message</b></td></tr></table>");
    254         sanitize("<table><tr>This is a simple message</b></td></tr></table>",
    255                 "<table><tr><td>This is a simple message</td></tr></table>");
    256         sanitize("This is a simple message</b></td></tr></table>", "This is a simple message");
    257     }
    258 
    259     public void testViolatingTags() {
    260         sanitize("<html><head><title>html to ruin your site</title>"
    261                         + "<meta http-equiv=\"refresh\" content=\"5\" />"
    262                         + "<link rel=\"stylesheet\" type=\"text/css\"  href=\"some site\"/>"
    263                         + "<style type=\"text/css\"> h1 {color: red}</style>"
    264                         + "</head><body><script>some script to run</script>"
    265                         + "<noscript>Please enable Javascript and reload this page."
    266                         + "Good things abound!</noscript>"
    267                         + "<noframes>This page requires frames!</noframes>"
    268                         + "<frameset cols = \"25%, 25%,*\">"
    269                         + "<frame src=\"site1.htm\" />"
    270                         + "<frame src=\"site2.htm\" />"
    271                         + "<frame src=\"site3.htm\" /> "
    272                         + "</frameset>"
    273                         + "<table><tr><td>"
    274                         + "Execute this <applet code=\"some evil site\"></td>"
    275                         + "</tr></table></body></html>"
    276                 ,
    277                 "<div>"
    278                         + "<table><tr><td>"
    279                         + "Execute this </td>"
    280                         + "</tr></table></div>"
    281         );
    282 
    283         sanitize("Include this:<br/>"
    284                         + "<object classid=\"clsid:FOOBAR\" id=\"Slider1\""
    285                         + "declare=\"declare\">"
    286                         + "<param name=\"some param\" value=\"1\" />"
    287                         + "</object><br/>"
    288                         + "<form method=\"POST\" action=\"http://www.somesite.com\""
    289                         + "onsubmit=\"run some script\">"
    290                         + "<input type=\"text\" onclick=\"run some script\" id=\"input\"/>"
    291                         + "<input type=\"submit\" onfocus=\"run some script\" value=\"submit\"/>"
    292                         + "</form>"
    293                 ,
    294                 "Include this:<br />"
    295                         + "<br />"
    296                         + "<form method=\"POST\" action=\"http://www.somesite.com\">"
    297                         + "<input type=\"text\" />"
    298                         + "<input type=\"submit\" value=\"submit\" />"
    299                         + "</form>"
    300         );
    301     }
    302 
    303     public void testLinks() {
    304         sanitize("<a href=\"http://www.somesite.com\" target=\"_self\" "
    305                         + "onclick=\"run some script\" onmouseover=\"run some script\">"
    306                         + "click here</a>"
    307                         + "<a href=\"javascript:run some script\">here</a>"
    308                         + "<a href=\"someinternalpage.htm\">or here</a>"
    309                 ,
    310                 "<a href=\"http://www.somesite.com\">"
    311                         + "click here</a>"
    312                         + "here"
    313                         + "<a href=\"someinternalpage.htm\">or here</a>"
    314         );
    315     }
    316 
    317     public void testExternalLinks() {
    318         sanitize("This is a test <a href=http://google.com>here</a> "
    319                         + "<img src=\"http://google.com/bogus.jpg\">"
    320                         + "<img src=\"//google.com/bogus2.jpg\">"
    321                         + "<img src=\"google.com/bogus3.jpg\">"
    322                         + "<script>Hello</script> "
    323                         + "<frameset><frame src=foo name=onlyFrame>hey</frame></frameset>"
    324                 ,
    325                 "This is a test <a href=\"http://google.com\">here</a> "
    326                         + "<img src=\"http://google.com/bogus.jpg\" />"
    327                         + "<img src=\"//google.com/bogus2.jpg\" />"
    328                         + "<img src=\"google.com/bogus3.jpg\" /> "
    329         );
    330     }
    331 
    332     public void testNewHtmlWhitelist() {
    333         sanitize("<a href=http://google.com/boguslink>link</a>"
    334                         + "<b>BOLD</b>"
    335                         + "<i>italics</i>"
    336                         + "<u>underlined</u>"
    337                         + "<br/>break<br>break"
    338                         + "<font size=+1>Big_font_gone</font>"
    339                 ,
    340                 "<a href=\"http://google.com/boguslink\">link</a>"
    341                         + "<b>BOLD</b>"
    342                         + "<i>italics</i>"
    343                         + "<u>underlined</u>"
    344                         + "<br />break<br />break"
    345                         + "<font size=\"&#43;1\">Big_font_gone</font>"
    346         );
    347     }
    348 
    349     public void testRemoveBackticksInAttributes() {
    350         // IE treats backticks as quotes when re-serializing, but not when parsing
    351         sanitize("<img alt=\"``onload=alert(1)\">",
    352                 "<img alt=\"&#96;&#96;onload&#61;alert(1) \" />");
    353         sanitize("<img alt=\"'``onload=alert(1)'\">",
    354                 "<img alt=\"&#39;&#96;&#96;onload&#61;alert(1)&#39; \" />");
    355         sanitize("<img alt=``onload=alert(1)\">", "<img alt=\"&#96;&#96;onload&#61;alert(1) \" />");
    356 
    357         // Make sure we're not fooled by escaped backticks
    358         sanitize("<img alt=\"&#96;&#x0060;onload=alert(1)\">",
    359                 "<img alt=\"&#96;&#96;onload&#61;alert(1) \" />");
    360         sanitize("<img alt=\"&#x000060;&#x000060;onload=alert(1)\">",
    361                 "<img alt=\"&#96;&#96;onload&#61;alert(1) \" />");
    362 
    363         // Misc. dangerous cases:
    364         sanitize("<img alt=`x`onload=alert(1)>", "<img alt=\"&#96;x&#96;onload&#61;alert(1) \" />");
    365         sanitize("<img alt=foo`x`onload=alert(1)>",
    366                 "<img alt=\"foo&#96;x&#96;onload&#61;alert(1) \" />");
    367         sanitize("<img alt=\"`whatever\">Hello world ` onload=alert(1) <br>",
    368                 "<img alt=\"&#96;whatever \" />Hello world &#96; onload&#61;alert(1) <br />");
    369 
    370         // The tokenizer doesn't see these as entities because they lack a trailing semicolon, so it
    371         // escapes the leading ampersands.
    372         sanitize("<img alt=\"&#x000060&#x000060onload=alert(1)\">",
    373                 "<img alt=\"&#96;&amp;#x000060onload&#61;alert(1) \" />");
    374 
    375         // Here there are no actual backticks, though there would be if we (or IE) did repeated
    376         // unescaping.
    377         sanitize("<img alt=\"&amp;#x000060&amp;#x000060onload=alert(2)\">",
    378                 "<img alt=\"&amp;#x000060&amp;#x000060onload&#61;alert(2)\" />");
    379         sanitize("<img alt=\"&amp;amp;#x000060&amp;amp;#x000060onload=alert(2)\">",
    380                 "<img alt=\"&amp;amp;#x000060&amp;amp;#x000060onload&#61;alert(2)\" />");
    381     }
    382 
    383     public void testMakeSafeStyle() {
    384         sanitize("<div style=\"color:red\"></div>", "<div style=\"color:red\"></div>");
    385         sanitize("<div style=\"color:r\\ne\\t d  d\\r\\n\"></div>", "<div></div>");
    386         sanitize("<div style=\"font-size:13.5pt; color:#804000 \"></div>",
    387                 "<div style=\"font-size:13.5pt;color:#804000\"></div>");
    388         sanitize("<div style=\"color:red;color\"></div>", "<div style=\"color:red\"></div>");
    389         sanitize("<div style=\"color:red;color:a:b\"></div>", "<div style=\"color:red\"></div>");
    390         sanitize("<div style=\"color:url(foo)\"></div>", "<div></div>");
    391         sanitize("<div style=\"color:white; list-style:url(foo.gif);\"></div>",
    392                 "<div style=\"color:white\"></div>");
    393         sanitize("<div style=\"color:rgb(255, 0, 0)\"></div>",
    394                 "<div style=\"color:rgb( 255 , 0 , 0 )\"></div>");
    395         sanitize("<div style=\"background-color:rgb(80%,92%,18%)\"></div>",
    396                 "<div style=\"background-color:rgb( 80% , 92% , 18% )\"></div>");
    397         sanitize("<div style=\"border-left:1px rgb(0,255,0) solid\"></div>",
    398                 "<div style=\"border-left:1px rgb( 0 , 255 , 0 ) solid\"></div>");
    399         sanitize("<div style=\"background:rgb(0,255,0) url(foo) no-repeat top\"></div>",
    400                 "<div style=\"background:rgb( 0 , 255 , 0 ) no-repeat top\"></div>");
    401         sanitize("<div style=\"display:none; border-color: #ffeeff \"></div>",
    402                 "<div style=\"display:none;border-color:#ffeeff\"></div>");
    403 
    404         // check for CSS3 border-radius
    405         sanitize("<div style=\"border-radius:10px\"></div>",
    406                 "<div style=\"border-radius:10px\"></div>");
    407         sanitize("<div style=\"border-bottom-left-radius:10px\"></div>",
    408                 "<div style=\"border-bottom-left-radius:10px\"></div>");
    409         sanitize("<div style=\"border-bottom-right-radius:10px\"></div>",
    410                 "<div style=\"border-bottom-right-radius:10px\"></div>");
    411         sanitize("<div style=\"border-top-left-radius:10px\"></div>",
    412                 "<div style=\"border-top-left-radius:10px\"></div>");
    413         sanitize("<div style=\"border-top-right-radius:10px\"></div>",
    414                 "<div style=\"border-top-right-radius:10px\"></div>");
    415 
    416         // allow positive margins
    417         sanitize("<div style=\"margin:10 0 10 0\"></div>",
    418                 "<div style=\"margin:10 0 10 0\"></div>");
    419         sanitize("<div style=\"margin-left:40px\"></div>",
    420                 "<div style=\"margin-left:40px\"></div>");
    421 
    422         // negative margin would allow it to slip out of the box
    423         sanitize("<div style=\"margin-left:-10\"></div>", "<div></div>");
    424 
    425         // allow positive text-ident
    426         sanitize("<div style=\"text-indent:10\"></div>", "<div style=\"text-indent:10\"></div>");
    427         sanitize("<div style=\"text-indent:0\"></div>", "<div style=\"text-indent:0\"></div>");
    428 
    429         // todo Gmail disallows negative text-indents; OWASP is fine with them
    430         // negative text-indent would allow it to slip out of the box
    431 //        sanitize("<div style=\"text-indent:-10\"></div>", "<div></div>");
    432         sanitize("<div style=\"text-indent:-10\"></div>", "<div style=\"text-indent:-10\"></div>");
    433     }
    434 
    435     public void testMakeSafeStyleWithQuotedStrings() {
    436         sanitize("<div style=\"font-family:'courier new',monospace;font-size:x-small\"></div>",
    437                 "<div style=\"font-family:&#39;courier new&#39; , monospace;font-size:x-small\">" +
    438                         "</div>");
    439         sanitize("<div style=\"font-family:\"courier new\",monospace\"></div>", "<div></div>");
    440         sanitize("<div style=\"font-family:''\"></div>", "<div></div>");
    441         sanitize("<div style=\"font-family:a,''\"></div>",
    442                 "<div style=\"font-family:&#39;a&#39; ,\"></div>");
    443         sanitize("<div style=\"font-family:'',a,\"\",b\"></div>",
    444                 "<div style=\"font-family:, &#39;a&#39; ,\"></div>");
    445 
    446         sanitize("<div style=\"font-family:'\"></div>", "<div></div>");
    447         sanitize("<div style=\"font-family: 'courier new\",monospace;'\"></div>", "<div></div>");
    448         sanitize("<div style=\"font-family: \"courier new',monospace;\"></div>", "<div></div>");
    449     }
    450 
    451     public void testSeriouslyNoBackgroundImages() {
    452         sanitize("<div style=\"background:url('http://www.here.com/awesome.png')\"></div>",
    453                 "<div></div>");
    454         sanitize("<div style=\"background-image:url('http://www.here.com/awesome.png')\"></div>",
    455                 "<div></div>");
    456 
    457         sanitize("<div style=\"background:url('javascript:evil()')\"></div>", "<div></div>");
    458         sanitize("<div style=\"background-image:url('javascript:evil()')\"></div>", "<div></div>");
    459     }
    460 
    461     public void testExpression() {
    462         sanitize("<div style=\"width: expression(alert(1))\"></div>", "<div></div>");
    463     }
    464 
    465     public void testStrayUrlConsideredHarmful() {
    466         sanitize("<div style=\"float:url(\"></div>", "<div></div>");
    467         sanitize("<div style=\"float:\\075\\0072\\006C\\0028\"></div>", "<div></div>");
    468     }
    469 
    470     public void testObjectionableFunctions() {
    471         sanitize("<div style=\"ex\\pression(123)\"></div>", "<div></div>");
    472         sanitize("<div style=\"_expression(123)\"></div>", "<div></div>");
    473         sanitize("<div style=\"(123)\"></div>", "<div></div>");
    474         sanitize("<div style=\"funkyFunction(123)\"></div>", "<div></div>");
    475 
    476         sanitize("<div style=\"color:expression(alert('xss'))\"></div>", "<div></div>");
    477         sanitize("<div style=\"color:expression(alert\\000028\\000027xss\\000027\\000029)\"></div>",
    478                 "<div></div>");
    479         sanitize("<div style=\"color:expression\\000028alert\\000028\\000027xss\\000027" +
    480                 "\\000029\\000029\"></div>", "<div></div>");
    481         sanitize("<div style=\"color:expressio\\00006E\\000028alert\\000028\\000027xss\\000027" +
    482                 "\\000029\\000029\"\"></div>", "<div></div>");
    483         sanitize("<div style=\"color:expression\\(alert\\)\"></div>", "<div></div>");
    484     }
    485 
    486     public void testAbsolutePositionBanned() {
    487         sanitize("<div style=\"position: absolute\"></div>", "<div></div>");
    488     }
    489 
    490     public void testNoTextShadow() {
    491         // todo Gmail disallows this text-shadow; OWASP is fine with it
    492 //        sanitize("<div style=\"text-shadow: red -50px -100px 0px\"></div>", "<div></div>");
    493         sanitize("<div style=\"text-shadow: red -50px -100px 0px\"></div>",
    494                 "<div style=\"text-shadow:red -50px -100px 0px\"></div>");
    495     }
    496 
    497     public void testToStyle() {
    498         sanitize("<div style=\"color:red\"></div>", "<div style=\"color:red\"></div>");
    499         sanitize("<div style=\"color: red\"></div>", "<div style=\"color:red\"></div>");
    500         sanitize("<div style=\"color :red\"></div>", "<div style=\"color:red\"></div>");
    501         sanitize("<div style=\"color :red; font-size:13.5pt;\"></div>",
    502                 "<div style=\"color:red;font-size:13.5pt\"></div>");
    503         sanitize("<div style=\"content:'\"'\"></div>", "<div></div>");
    504     }
    505 
    506     public void testNoColorStrings() {
    507         sanitize("<div style=\"color: 'red';\"></div>", "<div></div>");
    508     }
    509 
    510     public void testTolerateMalformedBorder() {
    511         sanitize("<div style=\"border-left-: solid thin red\"></div>", "<div></div>");
    512     }
    513 
    514     public void testRgba() {
    515         sanitize("<div style=\"color:rgba(255, 0, 0, 0.5)\"></div>",
    516                 "<div style=\"color:rgba( 255 , 0 , 0 , 0.5 )\"></div>");
    517     }
    518 
    519     public void testFontStyle() {
    520         // todo Gmail accepts !important while OWASP discards it; this is only beauty, not security
    521 //        sanitize("<div style=\"font-style:normal!important\"></div>",
    522 //                "<div style=\"font-style:normal!important\"></div>");
    523         sanitize("<div style=\"font-style:normal!important\"></div>",
    524                 "<div style=\"font-style:normal\"></div>");
    525         // todo Gmail accepts !important while OWASP discards it; this is only beauty, not security
    526 //        sanitize("<div style=\"font-style:oblique !important\"></div>",
    527 //                "<div style=\"font-style:oblique!important\"></div>");
    528         sanitize("<div style=\"font-style:oblique !important\"></div>",
    529                 "<div style=\"font-style:oblique\"></div>");
    530         sanitize("<div style=\"font-style:italic\"></div>",
    531                 "<div style=\"font-style:italic\"></div>");
    532     }
    533 
    534     private void sanitize(String dirtyHTML, String expectedHTML) {
    535         final String cleansedHTML = HtmlSanitizer.sanitizeHtml(dirtyHTML);
    536         assertEquals(expectedHTML, cleansedHTML);
    537     }
    538 }
    539