LayoutTests/fast/encoding/idn-security.html

   1 <html>
   2 <head>
   3 <link rel="stylesheet" href="../js/resources/js-test-style.css">
   4 <script src="../js/resources/js-test-pre.js"></script>
   5 </head>
   6 <body>
   7 <script>
   8
   9 function testIDNEncode(charCode)
  10 {
  11     var str = String.fromCharCode(charCode);
  12     str = layoutTestController.encodeHostName(str);
  13     if (str.substr(0, 4) == "xn--")
  14         return "punycode";
  15     return escape(str);
  16 }
  17
  18 function testIDNEncodeNotFirstCharacter(charCode)
  19 {
  20     var str = String.fromCharCode(charCode);
  21     str = "a" + str;
  22     str = layoutTestController.encodeHostName(str);
  23     if (str.substr(0, 4) == "xn--")
  24         return "punycode";
  25     if (str.substr(0, 1) == "a")
  26         str = str.substr(1, str.length - 1);
  27     return escape(str);
  28 }
  29
  30 function testIDNRoundTrip(charCode)
  31 {
  32     var str = String.fromCharCode(charCode);
  33     str = layoutTestController.encodeHostName(str);
  34     str = layoutTestController.decodeHostName(str);
  35     if (str.substr(0, 4) == "xn--")
  36         return "punycode";
  37     return escape(str);
  38 }
  39
  40 function testIDNRoundTripNotFirstCharacter(charCode)
  41 {
  42     var str = String.fromCharCode(charCode);
  43     str = "a" + str;
  44     str = layoutTestController.encodeHostName(str);
  45     str = layoutTestController.decodeHostName(str);
  46     if (str.substr(0, 4) == "xn--")
  47         return "punycode";
  48     if (str.substr(0, 1) == "a")
  49         str = str.substr(1, str.length - 1);
  50     return escape(str);
  51 }
  52
  53 function testFunctionName(expected)
  54 {
  55     if (expected == "does not encode")
  56         return "testIDNEncode";
  57     return "testIDNRoundTrip";
  58 }
  59
  60 function expectedTestResult(charCode, expected)
  61 {
  62     if (expected == "disallowed")
  63         return "'punycode'";
  64     if (expected == "allowed" || expected == "does not encode")
  65         return "'" + escape(String.fromCharCode(charCode)) + "'";
  66     return "'" + expected + "'";
  67 }
  68
  69 function testIDNCharacter(charCode, expected, expectedNotFirstCharacter)
  70 {
  71     if (expectedNotFirstCharacter == null)
  72         expectedNotFirstCharacter = expected;
  73
  74     shouldBe(testFunctionName(expected) + "(0x" + charCode.toString(16) + ")",
  75         expectedTestResult(charCode, expected));
  76
  77     shouldBe(testFunctionName(expectedNotFirstCharacter) + "NotFirstCharacter(0x" + charCode.toString(16) + ")",
  78         expectedTestResult(charCode, expectedNotFirstCharacter));
  79 }
  80
  81 function testBecomesSpaceIDNCharacter(charCode)
  82 {
  83     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'%20'");
  84     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'%20'");
  85 }
  86
  87 function testBecomesASCIIIDNCharacter(charCode, expected)
  88 {
  89     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'" + expected + "'");
  90     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'" + expected + "'");
  91 }
  92
  93 function testDisallowedIDNCharacter(charCode)
  94 {
  95     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'punycode'");
  96     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'punycode'");
  97 }
  98
  99 function testAllowedIDNCharacter(charCode)
 100 {
 101     var expected = escape(String.fromCharCode(charCode));
 102     shouldBe("testIDNRoundTrip(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 103     shouldBe("testIDNRoundTripFirstCharacter(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 104 }
 105
 106 function testDoesNotEncodeIDNCharacter(charCode)
 107 {
 108     var expected = escape(String.fromCharCode(charCode));
 109     shouldBe("testIDNEncode(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 110     shouldBe("testIDNEncodeTripFirstCharacter(0x" + charCode.toString(16) + ")", "'" + expected + "'");
 111 }
 112
 113 var isOlderICU = testIDNEncode(0x3002) == ".";
 114
 115 /* Allowed Characters - dot and slash */
 116 testIDNCharacter(".".charCodeAt(0), "allowed");
 117 testIDNCharacter("/".charCodeAt(0), "allowed");
 118
 119 /* Allowed Characters - one character for each script in the default IDN whitelist*/
 120 testIDNCharacter(0x0061, "allowed");
 121 testIDNCharacter(0x0633, "allowed");
 122 testIDNCharacter(0x0561, "allowed");
 123 testIDNCharacter(0x3105, "allowed");
 124 testIDNCharacter(0x1613, "allowed");
 125 testIDNCharacter(0x0905, "allowed");
 126 testIDNCharacter(0x0A85, "allowed");
 127 testIDNCharacter(0x0A05, "allowed");
 128 testIDNCharacter(0x1115, "allowed");
 129 testIDNCharacter(0x4E2D, "allowed");
 130 testIDNCharacter(0x05D0, "allowed");
 131 testIDNCharacter(0x3041, "allowed");
 132 testIDNCharacter(0x30A1, "allowed");
 133 testIDNCharacter(0x0B94, "allowed");
 134 testIDNCharacter(0x0E01, "allowed");
 135 testIDNCharacter(0xA000, "allowed");
 136
 137 /* ICU converts these to other allowed characters, so the original character can't be used to get to a phishy domain name */
 138 testIDNCharacter(0x2024, ".");
 139 testIDNCharacter(0xFE52, ".");
 140 testIDNCharacter(0xFF0F, "/");
 141
 142 /* ICU converts these characters to backslash, so the original character can't be used to get to a phishy domain name */
 143 testIDNCharacter(0xFE68, "%5C");
 144 testIDNCharacter(0xFF3C, "%5C");
 145
 146 /* ICU converts these characters to space, so the original character can't be used to get to a phishy domain name */
 147 testIDNCharacter(0x00A0, "%20");
 148 testIDNCharacter(0x2000, "%20");
 149 testIDNCharacter(0x2001, "%20");
 150 testIDNCharacter(0x2002, "%20");
 151 testIDNCharacter(0x2003, "%20");
 152 testIDNCharacter(0x2004, "%20");
 153 testIDNCharacter(0x2005, "%20");
 154 testIDNCharacter(0x2006, "%20");
 155 testIDNCharacter(0x2007, "%20");
 156 testIDNCharacter(0x2008, "%20");
 157 testIDNCharacter(0x2009, "%20");
 158 testIDNCharacter(0x200A, "%20");
 159 testIDNCharacter(0x202F, "%20");
 160 testIDNCharacter(0x205F, "%20");
 161 testIDNCharacter(0x3000, "%20");
 162
 163 /* Disallow these characters.  Some of these are known lookalike characters for dot and slash.
 164    A lot of these are from Mozilla's blacklist: http://kb.mozillazine.org/Network.IDN.blacklist_chars
 165 */
 166 testIDNCharacter(0x00BC, "disallowed");
 167 testIDNCharacter(0x00BD, "disallowed");
 168 testIDNCharacter(0x00ED, "disallowed");
 169 testIDNCharacter(0x01C3, "disallowed");
 170 testIDNCharacter(0x0251, "disallowed");
 171 testIDNCharacter(0x0261, "disallowed");
 172 testIDNCharacter(0x0337, "disallowed");
 173 testIDNCharacter(0x0337, "disallowed");
 174 testIDNCharacter(0x0338, "disallowed");
 175 testIDNCharacter(0x0338, "disallowed");
 176 testIDNCharacter(0x05B4, "disallowed");
 177 testIDNCharacter(0x05BC, "disallowed");
 178 testIDNCharacter(0x0660, "disallowed");
 179 testIDNCharacter(0x06F0, "disallowed");
 180 testIDNCharacter(0x115F, "disallowed");
 181 testIDNCharacter(0x1160, "disallowed");
 182 testIDNCharacter(0x2027, "disallowed");
 183 testIDNCharacter(0x2039, "disallowed");
 184 testIDNCharacter(0x203A, "disallowed");
 185 testIDNCharacter(0x2044, "disallowed");
 186 testIDNCharacter(0x2044, "disallowed");
 187 testIDNCharacter(0x2154, "disallowed");
 188 testIDNCharacter(0x2155, "disallowed");
 189 testIDNCharacter(0x2156, "disallowed");
 190 testIDNCharacter(0x2159, "disallowed");
 191 testIDNCharacter(0x215A, "disallowed");
 192 testIDNCharacter(0x215B, "disallowed");
 193 testIDNCharacter(0x215F, "disallowed");
 194 testIDNCharacter(0x2215, "disallowed");
 195 testIDNCharacter(0x2216, "disallowed");
 196 testIDNCharacter(0x233F, "disallowed");
 197 testIDNCharacter(0x23AE, "disallowed");
 198 testIDNCharacter(0x244A, "disallowed");
 199 testIDNCharacter(0x2571, "disallowed");
 200 testIDNCharacter(0x2572, "disallowed");
 201 testIDNCharacter(0x29F6, "disallowed");
 202 testIDNCharacter(0x29F8, "disallowed");
 203 testIDNCharacter(0x29F8, "disallowed");
 204 testIDNCharacter(0x2AFB, "disallowed");
 205 testIDNCharacter(0x2AFD, "disallowed");
 206 testIDNCharacter(0x3014, "disallowed");
 207 testIDNCharacter(0x3015, "disallowed");
 208 testIDNCharacter(0x3033, "disallowed");
 209 testIDNCharacter(0x3035, "disallowed");
 210 testIDNCharacter(0x3164, "disallowed");
 211 testIDNCharacter(0x321D, "disallowed");
 212 testIDNCharacter(0x321E, "disallowed");
 213 testIDNCharacter(0x33AE, "disallowed");
 214 testIDNCharacter(0x33AF, "disallowed");
 215 testIDNCharacter(0x33C6, "disallowed");
 216 testIDNCharacter(0x33DF, "disallowed");
 217 testIDNCharacter(0xFE14, "disallowed");
 218 testIDNCharacter(0xFE15, "disallowed");
 219 testIDNCharacter(0xFE3F, "disallowed");
 220 testIDNCharacter(0xFE5D, "disallowed");
 221 testIDNCharacter(0xFE5E, "disallowed");
 222 testIDNCharacter(0xFFA0, "disallowed");
 223
 224 /* ICU won't encode these characters in IDN, thus we should always get 'host not found'. */
 225 testIDNCharacter(0x2028, "does not encode");
 226 testIDNCharacter(0x2029, "does not encode");
 227 testIDNCharacter(0x2FF0, "does not encode");
 228 testIDNCharacter(0x2FF1, "does not encode");
 229 testIDNCharacter(0x2FF2, "does not encode");
 230 testIDNCharacter(0x2FF3, "does not encode");
 231 testIDNCharacter(0x2FF4, "does not encode");
 232 testIDNCharacter(0x2FF5, "does not encode");
 233 testIDNCharacter(0x2FF6, "does not encode");
 234 testIDNCharacter(0x2FF7, "does not encode");
 235 testIDNCharacter(0x2FF8, "does not encode");
 236 testIDNCharacter(0x2FF9, "does not encode");
 237 testIDNCharacter(0x2FFA, "does not encode");
 238 testIDNCharacter(0x2FFB, "does not encode");
 239 testIDNCharacter(0xFFF9, "does not encode");
 240 testIDNCharacter(0xFFFA, "does not encode");
 241 testIDNCharacter(0xFFFB, "does not encode");
 242 testIDNCharacter(0xFFFC, "does not encode");
 243 testIDNCharacter(0xFFFD, "does not encode");
 244
 245 /* ICU won't encode these characters if they're not the first character in the host name.
 246    If the character does get encoded as the first character, then we will disallow it */
 247
 248 testIDNCharacter(0x05C3, "disallowed", "does not encode");
 249 testIDNCharacter(0x05F4, "disallowed", "does not encode");
 250 testIDNCharacter(0x06D4, "disallowed", "does not encode");
 251 testIDNCharacter(0x0702, "disallowed", "does not encode");
 252
 253 /* ICU won't encode these characters if they're the first character in the host name.
 254    If the character does get encoded as the first character, then ICU converts it to another allowed character */
 255
 256 if (isOlderICU) {
 257     testIDNCharacter(0x200B, "");
 258     testIDNCharacter(0x3002, ".");
 259     testIDNCharacter(0xFF0E, ".");
 260     testIDNCharacter(0xFF61, ".");
 261     testIDNCharacter(0xFEFF, "");
 262 } else {
 263     testIDNCharacter(0x200B, "does not encode", "");
 264     testIDNCharacter(0x3002, "does not encode", ".");
 265     testIDNCharacter(0xFF0E, "does not encode", ".");
 266     testIDNCharacter(0xFF61, "does not encode", ".");
 267     testIDNCharacter(0xFEFF, "does not encode", "");
 268 }
 269
 270 successfullyParsed = true;
 271
 272 </script>
 273 </body>
 274 </html>