HTMLPurifier - Take your best shot

Posted: Sun Aug 13, 2006 10:50 pm
by Ambush Commander
As HTMLPurifier rolls along closer to Beta stage, I'd like to do some pre-beta security/usability testing. Essentially, I want you to take your best shot, and see if you can get past the filter. The live demo is here.

Test for security against XSS and standards compliance.

Here are some reference materials you may find useful:

* Progress report - this documents what has been implemented and what has not. Some valid CSS will be filtered out... but that's the nature of whitelist filtering! Those will be implemented soon. However, the lexer should be guaranteed to produce valid XHTML.
* XSS attacks smoketest - using their handy dandy XML format, I've banged out a smoketest for all of the XSS methods in that cheatsheet. So far, none of them seem to work. :-P
* Code Quality Issues - I get lazy, I've tried to figure out where that happened, so these may be weak spots.

Some input ideas:

* Copy-paste HTML from websites (intact) and see how it handles the onslaught of <meta> and <head> tags.
* Copy-paste HTML from this forum!
* Copy-paste HTML from your website.

Also, look out for funny behavior. It may be standards-compliant, but it may not do the best thing to the text when it hits it. Does a certain escaping behavior surprise you? Put it here.

Edit - Clarify what security means
Edit 2 - Update status
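The post describes the property a whitelist HTML filter is meant to have: everything not explicitly allowed is dropped, and the output is always well-formed XHTML no matter how hostile the input. The following is an added illustration of that idea, written for this page; it is not part of the original post and not HTMLPurifier's code. It is a small Python whitelist sanitizer (tag, attribute and URL-scheme whitelists, plus a stack that closes mis-nested or unclosed elements), together with a constructed smoketest in the spirit of the one the post mentions: a list of input fragments paired with the output the policy should produce. All tag sets, helper names and sample inputs are this example's own assumptions.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Toy whitelist policy (an assumption for this example, not HTMLPurifier's defaults).
# Anything not listed is removed; that is what makes the filter a whitelist.
ALLOWED_TAGS = {"p", "br", "b", "i", "em", "strong", "a", "ul", "ol", "li", "code", "pre"}
ALLOWED_ATTRS = {"a": {"href", "title"}}          # per-tag attribute whitelist
ALLOWED_SCHEMES = {"http", "https", "mailto"}     # for href; scheme-less (relative) URLs also pass
VOID_TAGS = {"br", "img", "meta", "link", "hr", "input"}   # elements that never carry content
DROP_WITH_CONTENT = {"script", "style", "head", "title"}  # remove the element *and* its text


def safe_url(value):
    """Accept a URL only if its scheme is whitelisted or absent (relative URL)."""
    cleaned = "".join(c for c in (value or "") if ord(c) > 31).strip()  # drop control chars/whitespace
    scheme = urlsplit(cleaned).scheme  # urlsplit lower-cases the scheme for us
    return scheme == "" or scheme in ALLOWED_SCHEMES


class WhitelistSanitizer(HTMLParser):
    """Rebuilds the document from scratch, emitting only whitelisted markup."""

    def __init__(self):
        super().__init__(convert_charrefs=True)  # entities arrive decoded; we re-escape on output
        self.out = []
        self.open_tags = []  # allowed elements currently open, so output is always balanced
        self.skip = []       # dropped elements whose text content is being discarded

    def handle_starttag(self, tag, attrs):
        if self.skip or tag not in ALLOWED_TAGS:
            if tag in DROP_WITH_CONTENT:
                self.skip.append(tag)  # swallow everything until the matching end tag
            return                     # other unknown tags are stripped, their text kept
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # removes every on* handler, style=, id=, and so on
            if name == "href" and not safe_url(value):
                continue
            kept.append(' %s="%s"' % (name, escape(value or "", quote=True)))
        if tag in VOID_TAGS:
            self.out.append("<%s%s />" % (tag, "".join(kept)))  # XHTML self-closing form
        else:
            self.out.append("<%s%s>" % (tag, "".join(kept)))
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip:
            if self.skip[-1] == tag:
                self.skip.pop()
            return
        if tag in self.open_tags:
            # Close everything opened after this element as well, so mis-nesting
            # in the input can never produce unbalanced output.
            while True:
                top = self.open_tags.pop()
                self.out.append("</%s>" % top)
                if top == tag:
                    break
        # a stray end tag with no open element is simply ignored

    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data, quote=False))  # text is always re-escaped

    # Comments, doctypes and processing instructions: the default handlers discard them.

    def result(self):
        self.close()
        while self.open_tags:  # close anything the input left open
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    parser = WhitelistSanitizer()
    parser.feed(fragment)
    return parser.result()


# Constructed smoketest: (input, expected output) under the policy above.
SMOKETEST = [
    ('<p>Hello <b>world</b></p>', '<p>Hello <b>world</b></p>'),
    ('<script>alert(1)</script><p>kept</p>', '<p>kept</p>'),
    ('<img src=x onerror=alert(1)>', ''),
    ('<a href="javascript:alert(1)" onclick="x()">link</a>', '<a>link</a>'),
    ('<a href="https://example.com/" title="t">ok</a>', '<a href="https://example.com/" title="t">ok</a>'),
    ('<head><meta charset="utf-8"><title>T</title></head><p>body</p>', '<p>body</p>'),
    ('<b><i>misnested</b></i> tail', '<b><i>misnested</i></b> tail'),
    ('<p>never closed <b>bold', '<p>never closed <b>bold</b></p>'),
    ('fish & chips', 'fish &amp; chips'),
]


def run_smoketest():
    """Return the (input, expected, got) triples that failed; empty means all passed."""
    return [(i, e, sanitize(i)) for i, e in SMOKETEST if sanitize(i) != e]


if __name__ == "__main__":
    for failure in run_smoketest():
        print("FAIL: %r -> %r (expected %r)" % failure)
```

The two design choices worth noting are the ones the post hints at: the output is rebuilt rather than edited in place, so nothing the whitelist did not name can survive, and the element stack is what turns "valid XHTML guaranteed" from a hope into a property of the code. The smoketest is deliberately a table of input/expected pairs, which is the same shape as the cheatsheet-driven test the post describes and makes it cheap to add a new vector whenever a tester finds surprising behaviour.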