From 1bb95b71410b0824addcc33bf498403381644703 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Sebastian=20L=C3=B6vdahl?=
Date: Fri, 13 Sep 2024 17:21:10 +0300
Subject: [PATCH] Test for script tag inside style Reproducer for #83.
---
 .../github/bgalek/security/SvgSecurityValidatorTest.java | 1 +
 .../hacked/with-invalid-script-tag-in-styles.svg | 8 ++++++++
 2 files changed, 9 insertions(+)
 create mode 100644 src/test/resources/hacked/with-invalid-script-tag-in-styles.svg
diff --git a/src/test/java/com/github/bgalek/security/SvgSecurityValidatorTest.java b/src/test/java/com/github/bgalek/security/SvgSecurityValidatorTest.java
index 23806a1..419ba81 100644
--- a/src/test/java/com/github/bgalek/security/SvgSecurityValidatorTest.java
+++ b/src/test/java/com/github/bgalek/security/SvgSecurityValidatorTest.java
@@ -126,6 +126,7 @@ private static Stream evilUseCases() {
 Arguments.of("hacked/with-onclick-attribute.svg", "onclick"),
 Arguments.of("hacked/with-script-tag.svg", "script"),
 Arguments.of("hacked/with-script-tag-in-styles.svg", "script"),
+ Arguments.of("hacked/with-invalid-script-tag-in-styles.svg", "script"),
 Arguments.of("hacked/with-css-url-syntax.svg", "style"),
 Arguments.of("hacked/with-xlink-injection.svg", "script")
 );
diff --git a/src/test/resources/hacked/with-invalid-script-tag-in-styles.svg b/src/test/resources/hacked/with-invalid-script-tag-in-styles.svg
new file mode 100644
index 0000000..52bc0ea
--- /dev/null
+++ b/src/test/resources/hacked/with-invalid-script-tag-in-styles.svg
@@ -0,0 +1,8 @@ + + + + + +
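Review bot: In SvgSecurityValidatorTest.java the added `Arguments.of("hacked/with-invalid-script-tag-in-styles.svg", "script")` entry differs from the case directly above it only by the word "invalid", and nothing at the call site says what makes the fixture invalid or that it is the regression case for #83. A one-line comment before it, for example `// #83: script tag inside <style> in markup that is not well-formed`, would stop the case being merged with `with-script-tag-in-styles.svg` in a later cleanup; adjust the wording to what the fixture really contains, since its body is not readable here. The patch changes only test files, so this case presumably fails until the validator fix for #83 lands, and the description should say whether it is meant to merge together with that fix. `evilUseCases()` ends outside the hunk.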