path: root/rt/t/security/CVE-2011-2083-cf-urls.t
use strict;
use warnings;

use RT::Test tests => undef;

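# Regression test for CVE-2011-2083: a custom field value that is used as
# the whole URL template (LinkValueTo / IncludeContentForValue set to
# '__CustomField__') must not become a live link to a data: URI, and must
# never reach the ticket display page as unescaped JavaScript.
my ($base, $m) = RT::Test->started_ok;

# Global (Queue => 0) freeform fields whose URL template is the raw value
# itself, so a hostile value controls the entire link / include target.
my $link = RT::Test->load_or_create_custom_field(
    Name            => 'link',
    Type            => 'Freeform',
    MaxValues       => 1,
    Queue           => 0,
    LinkValueTo     => '__CustomField__',
);

my $include = RT::Test->load_or_create_custom_field(
    Name                    => 'include',
    Type                    => 'Freeform',
    MaxValues               => 1,
    Queue                   => 0,
    IncludeContentForValue  => '__CustomField__',
);

# data: URI whose base64 payload decodes to
# <script>alert(document.cookie)</script>.
my $data_uri = 'data:text/html;base64,PHNjcmlwdD5hbGVydChkb2N1bWVudC5jb29raWUpPC9zY3JpcHQ+';
# Value that breaks out of a single-quoted JS/URL context if it is ever
# emitted without escaping.
my $xss      = q{')-eval(decodeURI('alert("xss")'))-('};

# Seed both hostile values onto one ticket; keep Create's message so a
# setup failure is reported instead of surfacing as a bare failed ok().
my $ticket = RT::Ticket->new(RT->SystemUser);
my (undef, undef, $msg) = $ticket->Create(
    Queue                       => 'General',
    Subject                     => 'ticket A',
    'CustomField-'.$link->id    => $data_uri,
    'CustomField-'.$include->id => $xss,
);
ok $ticket->Id, 'created ticket'
    or diag "Create failed: " . (defined $msg ? $msg : 'no message');

ok $m->login('root', 'password'), "logged in";
$m->get_ok($base . "/Ticket/Display.html?id=" . $ticket->id);

# The data: value must never be offered as an <a> whose text or href is
# the URI. Distinct descriptions so a failure pinpoints which form leaked.
ok !$m->find_link(text => $data_uri), "no link whose text is the data: URI";
ok !$m->find_link(url  => $data_uri), "no link whose href is the data: URI";

# The JS payload must not appear verbatim anywhere in the page.
$m->content_lacks($xss, 'escaped js');
# NOTE(review): both checks above are negative-only, so they would also
# pass if RT stopped rendering these fields at all. A positive check that
# the escaped value is present would close that gap; confirm the exact
# entity encoding RT emits for quotes and parentheses before adding one.

# The rejected URL must be logged. $m is released before done_testing on
# purpose - presumably so RT::Test's teardown can flag any other, unexpected
# warning - so keep this order.
$m->warning_like(qr/Potentially dangerous URL type/, "found warning about dangerous link");
undef $m;
done_testing;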