# -*-perl-*-
# Regression tests for how LJ::CleanHTML::clean_event() treats video URLs
# inside a post body: URLs on a whitelisted host are expected to be turned
# into an embed, while everything else -- including a handful of URL-parsing
# tricks an attacker could use to smuggle third-party Flash through the
# whitelist -- must be rejected with an "Invalid ..." marker in the output.
#
# NOTE(review): this file was recovered from a collapsed, single-line copy in
# which every span between an opening angle bracket and the next closing one
# was stripped by extraction.  Several like()/unlike() patterns (presumably
# matching the generated object/embed markup) together with their
# descriptions and the "$html = $clean->(" call that followed each of them
# are therefore truncated below.  Those fragments are kept verbatim and
# marked, not reconstructed -- compare against the repository copy before
# relying on any marked assertion.
use strict;
use Test::More 'no_plan';
use lib "$ENV{LJHOME}/cgi-bin";
require 'ljlib.pl';
require 'cleanhtml.pl';
use HTMLCleaner;

# Assigned here but not referenced anywhere in the portion of the file shown.
my $lju_sys = LJ::ljuser("system");

# Run a string through clean_event() and return the cleaned copy.
# %opts is collected from the caller but NOT forwarded: clean_event() always
# receives an empty options hash, so every case below runs with defaults.
my $clean = sub {
    my $raw = shift;
    my %opts = @_;
    LJ::CleanHTML::clean_event(\$raw, { });
    return $raw;
};

my $html;

# A photobucket-hosted .flv inside a post body.  The assertion that followed
# (and with it the expected outcome) is lost to extraction; the "invalid
# whitelisted video" label further down suggests this host is on the
# whitelist and the URL was expected to embed.
$html = $clean->(qq{ My video: [ http://vidmg.photobucket.com/albums/0603/awelch/videos/MVI_2967.flv ] });
# NOTE(review): truncated by extraction -- the pattern, the description and
# the following "$html = $clean->(" call are missing; only its argument
# (a host that is not whitelisted) survives.
like($html, qr/(qq{ http://mischa.com });
# A host that is not on the whitelist must not be embedded.
like($html, qr/invalid/i, "invalid whitelisted video");

# YouTube with and without the "www." prefix, plus a real watch?v= URL.
$html = $clean->(qq{ http://www.youtube.com/blah });
# NOTE(review): truncated by extraction (see header comment).
like($html, qr/(qq{ http://youtube.com/blah });
# NOTE(review): truncated by extraction (see header comment).
like($html, qr/(qq{ http://youtube.com/watch?v=weTDD1wTHDw });
# NOTE(review): truncated by extraction (see header comment).  The surviving
# argument is a plain non-whitelisted URL, so this was presumably a negative
# case feeding the unlike() below.
like($html, qr/(qq{ My attack: [ http://attacker.com/naive/ ] });
# NOTE(review): truncated by extraction (see header comment).  The surviving
# argument is the "slashes in subdomain" attack: a whitelisted hostname
# placed in the path of a non-whitelisted host.
unlike($html, qr/(qq{ My attack: [ http://attacker.com/idmg.photobucket.com/albums/0603/awelch/videos/MVI_2967.flv ] });
# The host check must key on the real hostname, not on a whitelisted name
# that merely appears somewhere later in the URL: expected to be rejected.
like($html, qr/Invalid video url/i, "attacker tricking regexp with slashes in subdomain");

# attack by embedding other site's url
# A URL on a whitelisted host whose query string points the player at Flash
# on a third-party site (iurl=http://homestarrunner.com/...) must also be
# rejected; passing the host check alone is not sufficient.
$html = $clean->(qq{ My attack: [ http://youtube.com/p.swf?video_id=1&iurl=http://homestarrunner.com/firsttime.swf ] });
like($html, qr/Invalid video url/i, "attacker tricking regexp by forwarding to other site's flash");

# autoplay
# A YouTube URL carrying autoplay=1 is expected to be rejected rather than
# embedded with that parameter preserved.
$html = $clean->(qq{ http://www.youtube.com/blah?autoplay=1 });
like($html, qr/Invalid/, "no autoplay");

# embedding arbitrary photobucket video w/ exploit
# Being on a whitelisted host is not enough on its own: a user-uploaded .swf
# served from a photobucket subdomain must still be rejected.
$html = $clean->(qq{ http://i106.photobucket.com/albums/m271/revmischa/untitled-1.swf });
like($html, qr/Invalid/, "no arbitrary swf embedding with photobucket");