pictcode / lib / Cake / Test / Case / Utility / SanitizeTest.php @ 48ae03cf
<?php
/**
 * SanitizeTest file
 *
 * CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice
 *
 * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link http://book.cakephp.org/2.0/en/development/testing.html CakePHP(tm) Tests
 * @package Cake.Test.Case.Utility
 * @since CakePHP(tm) v 1.2.0.5428
 * @license http://www.opensource.org/licenses/mit-license.php MIT License
 */

// Register the Sanitize class (Utility package) with CakePHP's App class
// loader so the test cases below can reference it.
App::uses('Sanitize', 'Utility');

/**
 * SanitizeDataTest class
 *
 * Test model bound to the `data_tests` table. None of the test methods
 * visible in this file reference it.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeDataTest extends CakeTestModel {

/**
 * useTable property
 *
 * Name of the database table this test model reads from.
 *
 * @var string
 */
	public $useTable = 'data_tests';
}

/**
 * SanitizeArticle class
 *
 * Test model bound to the `articles` table. None of the test methods
 * visible in this file reference it.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeArticle extends CakeTestModel {

/**
 * useTable property
 *
 * Name of the database table this test model reads from.
 *
 * @var string
 */
	public $useTable = 'articles';
}

/**
 * SanitizeTest class
 *
 * Pins the observable output of each public Sanitize helper (escape, clean,
 * html, stripWhitespace, paranoid, stripImages, stripScripts, stripAll,
 * stripTags) for a fixed set of inputs. Every case follows the same shape:
 * build an input, call the helper, compare against a literal expected value.
 *
 * NOTE(review): this listing appears to have passed through a source viewer
 * that decoded HTML character entities. Several literals below contain a bare
 * single quote inside a single-quoted string, or show an "expected" value
 * identical to the input where the option under test should have encoded it.
 * Those literals are not valid or not meaningful PHP as displayed; confirm
 * them against the repository file at this revision before relying on them.
 *
 * NOTE(review): upstream CakePHP deprecated the Sanitize class during the 2.x
 * series. These tests document what the helpers do to specific strings; they
 * are not evidence that the helpers are a sufficient defence on their own.
 * Output encoding at the point of rendering and bound query parameters remain
 * the primary controls.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeTest extends CakeTestCase {

/**
 * autoFixtures property
 *
 * Set to false, so the fixtures listed in $fixtures are not loaded
 * automatically; no method visible in this class calls loadFixtures().
 *
 * @var bool
 */
	public $autoFixtures = false;

/**
 * fixtures property
 *
 * Fixtures available to this test case.
 *
 * @var array
 */
	public $fixtures = array('core.data_test', 'core.article');

/**
 * testEscapeAlphaNumeric method
 *
 * Sanitize::escape() on the 'test' connection must return harmless values
 * unchanged: letters, digit strings, integers, floats, a '#'-prefixed
 * string, null and both booleans. No quote-bearing input is exercised here.
 *
 * @return void
 */
	public function testEscapeAlphaNumeric() {
		$resultAlpha = Sanitize::escape('abc', 'test');
		$this->assertEquals('abc', $resultAlpha);

		$resultNumeric = Sanitize::escape('123', 'test');
		$this->assertEquals('123', $resultNumeric);

		$resultNumeric = Sanitize::escape(1234, 'test');
		$this->assertEquals(1234, $resultNumeric);

		$resultNumeric = Sanitize::escape(1234.23, 'test');
		$this->assertEquals(1234.23, $resultNumeric);

		$resultNumeric = Sanitize::escape('#1234.23', 'test');
		$this->assertEquals('#1234.23', $resultNumeric);

		// assertEquals() compares loosely, so null/false/true are not
		// distinguished from other loosely-equal values by these checks.
		$resultNull = Sanitize::escape(null, 'test');
		$this->assertEquals(null, $resultNull);

		$resultNull = Sanitize::escape(false, 'test');
		$this->assertEquals(false, $resultNull);

		$resultNull = Sanitize::escape(true, 'test');
		$this->assertEquals(true, $resultNull);
	}

/**
 * testClean method
 *
 * Walks Sanitize::clean() through its option switches ('encode', 'escape',
 * 'dollar', 'carriage', 'odd_spaces') on strings and nested arrays, always
 * against the 'test' connection.
 *
 * @return void
 */
	public function testClean() {
		// Default options: the "\r" is dropped from the result.
		// NOTE(review): the expected literal below has unescaped single quotes
		// as displayed - see the class-level note about decoded entities.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" 'other' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'encode' => false: quoted parts are expected to match what
		// Sanitize::escape() returns for them; "\r" is still dropped.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & ' . Sanitize::escape('"quote"', 'test') . ' ' . Sanitize::escape('\'other\'', 'test') . ' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'encode' and 'escape' off: the backslash before '$' is removed.
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Additionally 'dollar' => false: the backslash before '$' is kept.
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'carriage' => false: the "\r" survives.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Nested arrays are cleaned element by element (default options).
		// NOTE(review): expected literal affected by decoded entities, as above.
		$array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'));
		$expected = array(array('test & "quote" 'other' ;.$ symbol.another line'));
		$result = Sanitize::clean($array, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Nested arrays with 'encode' and 'escape' off.
		$array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'));
		$expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line'));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'odd_spaces' => false with encoding left on.
		// NOTE(review): input and expected are identical as displayed, which
		// is presumably an artefact of the viewer decoding entities - verify.
		$array = array(array('test odd Ä spacesé'));
		$expected = array(array('test odd Ä spacesé'));
		$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Mixed nesting with a string key: structure and keys are preserved.
		$array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line')));
		$expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line')));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Empty string in, empty string out.
		$string = '';
		$expected = '';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Model-shaped data holding integers and plain date strings must come
		// back unchanged.
		$data = array(
			'Grant' => array(
				'title' => '2 o clock grant',
				'grant_peer_review_id' => 3,
				'institution_id' => 5,
				'created_by' => 1,
				'modified_by' => 1,
				'created' => '2010-07-15 14:11:00',
				'modified' => '2010-07-19 10:45:41'
			),
			'GrantsMember' => array(
				0 => array(
					'id' => 68,
					'grant_id' => 120,
					'member_id' => 16,
					'program_id' => 29,
					'pi_percent_commitment' => 1
				)
			)
		);
		$result = Sanitize::clean($data, array('connection' => 'test'));
		$this->assertEquals($data, $result);
	}

/**
 * testHtml method
 *
 * Covers Sanitize::html() with the 'remove', 'quotes' and 'double' options.
 *
 * NOTE(review): most expected literals in this method are affected by the
 * entity decoding described on the class; as displayed, several are equal to
 * their input or contain unescaped quotes.
 *
 * @return void
 */
	public function testHtml() {
		// 'remove' => true: the <p> and <em> tags are gone from the result.
		$string = '<p>This is a <em>test string</em> & so is this</p>';
		$expected = 'This is a test string & so is this';
		$result = Sanitize::html($string, array('remove' => true));
		$this->assertEquals($expected, $result);

		// Default options.
		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// 'quotes' => ENT_COMPAT: single quotes are expected to stay as-is.
		$string = 'The "lazy" dog \'jumped\'';
		$expected = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_COMPAT));
		$this->assertEquals($expected, $result);

		// 'quotes' => ENT_NOQUOTES: output equals input for this string.
		$string = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES));
		$this->assertEquals($string, $result);

		// Same input and expectation as the default-options case above.
		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// Default options on input that presumably already held an entity.
		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple&reg; conquered the world';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// 'double' => false on the same input.
		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple® conquered the world';
		$result = Sanitize::html($string, array('double' => false));
		$this->assertEquals($expected, $result);
	}

/**
 * testStripWhitespace method
 *
 * Sanitize::stripWhitespace() must remove tabs, newlines and carriage
 * returns, and must leave multibyte characters intact.
 *
 * @return void
 */
	public function testStripWhitespace() {
		$string = "This sentence \t\t\t has lots of \n\n white\nspace \rthat \r\n needs to be \t \n trimmed.";
		$expected = "This sentence has lots of whitespace that needs to be trimmed.";
		$result = Sanitize::stripWhitespace($string);
		$this->assertEquals($expected, $result);

		// Non-ASCII text with nothing to strip comes back unchanged.
		$text = 'I love ßá†ö√ letters.';
		$result = Sanitize::stripWhitespace($text);
		$expected = 'I love ßá†ö√ letters.';
		$this->assertEquals($expected, $result);
	}

/**
 * testParanoid method
 *
 * Sanitize::paranoid() keeps only alphanumeric characters plus whatever is
 * listed in the optional allow-list argument.
 *
 * NOTE(review): the SQL-shaped inputs below show that punctuation and
 * whitespace are stripped, leaving keywords such as DROP and SELECT in the
 * output. That demonstrates character filtering only; it says nothing about
 * how the value is later used, and it is not a replacement for bound query
 * parameters.
 *
 * @return void
 */
	public function testParanoid() {
		// No allow-list: spaces and every symbol are removed.
		$string = 'I would like to !%@#% & dance & sing ^$&*()-+';
		$expected = 'Iwouldliketodancesing';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		// Array input with an allow-list of '%', '*', '.' and ' ': those four
		// survive, everything else non-alphanumeric is removed per element.
		$string = array('This |s th% s0ng that never ends it g*es',
			'on and on my friends, b^ca#use it is the',
			'so&g th===t never ends.');
		$expected = array('This s th% s0ng that never ends it g*es',
			'on and on my friends bcause it is the',
			'sog tht never ends.');
		$result = Sanitize::paranoid($string, array('%', '*', '.', ' '));
		$this->assertEquals($expected, $result);

		$string = "anything' OR 1 = 1";
		$expected = 'anythingOR11';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x' AND email IS NULL; --";
		$expected = 'xANDemailISNULL';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x' AND 1=(SELECT COUNT(*) FROM users); --";
		$expected = 'xAND1SELECTCOUNTFROMusers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x'; DROP TABLE members; --";
		$expected = 'xDROPTABLEmembers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripImages method
 *
 * Sanitize::stripImages() replaces an <img> with its alt text followed by
 * "<br />" when alt text is present, and removes it outright otherwise.
 *
 * NOTE(review): the expectations below show that only the <img> element is
 * touched. The surrounding <a> keeps its href (third case) and its inline
 * onclick handler (fourth case), so the result still needs tag/attribute
 * filtering or output encoding before it is rendered.
 *
 * @return void
 */
	public function testStripImages() {
		$string = '<img src="/img/test.jpg" alt="my image" />';
		$expected = 'my image<br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// An image without alt text leaves nothing behind.
		$string = '<img src="javascript:alert(\'XSS\');" />';
		$expected = '';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// Wrapped image: the anchor and its href are preserved.
		$string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>';
		$expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// The image's own onclick goes with the image; the anchor's stays.
		$string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>';
		$expected = '<a onclick="medium()" href="http://example.com"></a>';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripScripts method
 *
 * Sanitize::stripScripts() removes stylesheet <link> tags and <script> and
 * <style> blocks, including multi-line blocks wrapped in HTML comments.
 * Other <link> relations (icon, shortcut icon, alternate) are left in place.
 *
 * @return void
 */
	public function testStripScripts() {
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// Only the rel="stylesheet" link is removed; its trailing "\n" stays.
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . "\n" .
			'<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$expected = "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// <script> with and without a type attribute.
		$string = '<script type="text/javascript"> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<script> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// <style> with and without a type attribute / comment wrapper.
		$string = '<style>#content { display:none; }</style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<style type="text/css"><!-- #content { display:none; } --></style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// Multi-line <style> block between two text lines; assertTextEquals()
		// is used here instead of assertEquals().
		$string = <<<HTML
text
<style type="text/css">
<!--
#content { display:none; }
-->
</style>
text
HTML;
		$expected = "text\n\ntext";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);

		// Same shape with a multi-line <script> block.
		$string = <<<HTML
text
<script type="text/javascript">
<!--
alert('wooo');
-->
</script>
text
HTML;
		$expected = "text\n\ntext";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);
	}

/**
 * testStripAll method
 *
 * Sanitize::stripAll() on malformed and mixed markup.
 *
 * NOTE(review): two expectations below are markup fragments ('"/>' and
 * '<') rather than clean text, so the helper's output can still contain
 * stray markup characters and must be encoded for its output context.
 *
 * @return void
 */
	public function testStripAll() {
		// Malformed <img> followed by a script: a '"/>' remnant is expected.
		$string = '<img """><script>alert("xss")</script>"/>';
		$expected = '"/>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		// NOTE(review): this literal has unescaped single quotes as displayed;
		// see the class-level note about decoded entities.
		$string = '<IMG SRC=javascript:alert('XSS')>';
		$expected = '';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		// Doubled opening bracket: a single '<' is expected to remain.
		$string = '<<script>alert("XSS");//<</script>';
		$expected = '<';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		// Image, stylesheet link and external script are removed and the
		// tab/newline inside the paragraph is gone; the <p> tags remain.
		$string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />' . "\n" .
			"<p>This is ok \t\n text</p>\n" .
			'<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">' . "\n" .
			'<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
		$expected = '<p>This is ok text</p>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripTags method
 *
 * Sanitize::stripTags() removes only the tag names passed as extra
 * arguments and keeps their inner text.
 *
 * NOTE(review): this is a deny-list by tag name. Every tag not named in the
 * call (<p>, <br>, and <img> in the third case) is left in the output.
 *
 * @return void
 */
	public function testStripTags() {
		$string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>';
		$expected = 'Headline<p>My Link could go to a bad site</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		// The script tag pair is removed; the space between the tags stays.
		$string = '<script type="text/javascript" src="http://evildomain.com"> </script>';
		$expected = ' ';
		$result = Sanitize::stripTags($string, 'script');
		$this->assertEquals($expected, $result);

		// 'img' not listed: the <img> inside the removed <a> is kept.
		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		// 'img' listed: the self-closing tag is removed as well.
		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);

		// Both <br> and <br /> are untouched when only 'b' is stripped, i.e.
		// the tag-name match does not treat 'br' as 'b'.
		$string = '<b>Important message!</b><br>This message will self destruct!';
		$expected = 'Important message!<br>This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		$string = '<b>Important message!</b><br />This message will self destruct!';
		$expected = 'Important message!<br />This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		// An <h2> carrying event-handler attributes with an unterminated
		// quote is still removed in full.
		$string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);
	}
}