統計
| ブランチ: | リビジョン:

pictcode / lib / Cake / Test / Case / Utility / SanitizeTest.php @ 635eef61

履歴 | 表示 | アノテート | ダウンロード (15.852 KB)

1 635eef61 spyder1211
<?php
2
/**
3
 * SanitizeTest file
4
 *
5
 * CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
6
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
7
 *
8
 * Licensed under The MIT License
9
 * For full copyright and license information, please see the LICENSE.txt
10
 * Redistributions of files must retain the above copyright notice
11
 *
12
 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
13
 * @link          http://book.cakephp.org/2.0/en/development/testing.html CakePHP(tm) Tests
14
 * @package       Cake.Test.Case.Utility
15
 * @since         CakePHP(tm) v 1.2.0.5428
16
 * @license       http://www.opensource.org/licenses/mit-license.php MIT License
17
 */
18
19
App::uses('Sanitize', 'Utility');
20
21
/**
22
 * DataTest class
23
 *
24
 * @package       Cake.Test.Case.Utility
25
 */
26
class SanitizeDataTest extends CakeTestModel {
27
28
/**
29
 * useTable property
30
 *
31
 * @var string
32
 */
33
        public $useTable = 'data_tests';
34
}
35
36
/**
37
 * Article class
38
 *
39
 * @package       Cake.Test.Case.Utility
40
 */
41
class SanitizeArticle extends CakeTestModel {
42
43
/**
44
 * useTable property
45
 *
46
 * @var string
47
 */
48
        public $useTable = 'articles';
49
}
50
51
/**
52
 * SanitizeTest class
53
 *
54
 * @package       Cake.Test.Case.Utility
55
 */
56
class SanitizeTest extends CakeTestCase {
57
58
/**
59
 * autoFixtures property
60
 *
61
 * @var bool
62
 */
63
        public $autoFixtures = false;
64
65
/**
66
 * fixtures property
67
 *
68
 * @var array
69
 */
70
        public $fixtures = array('core.data_test', 'core.article');
71
72
/**
73
 * testEscapeAlphaNumeric method
74
 *
75
 * @return void
76
 */
77
        public function testEscapeAlphaNumeric() {
78
                $resultAlpha = Sanitize::escape('abc', 'test');
79
                $this->assertEquals('abc', $resultAlpha);
80
81
                $resultNumeric = Sanitize::escape('123', 'test');
82
                $this->assertEquals('123', $resultNumeric);
83
84
                $resultNumeric = Sanitize::escape(1234, 'test');
85
                $this->assertEquals(1234, $resultNumeric);
86
87
                $resultNumeric = Sanitize::escape(1234.23, 'test');
88
                $this->assertEquals(1234.23, $resultNumeric);
89
90
                $resultNumeric = Sanitize::escape('#1234.23', 'test');
91
                $this->assertEquals('#1234.23', $resultNumeric);
92
93
                $resultNull = Sanitize::escape(null, 'test');
94
                $this->assertEquals(null, $resultNull);
95
96
                $resultNull = Sanitize::escape(false, 'test');
97
                $this->assertEquals(false, $resultNull);
98
99
                $resultNull = Sanitize::escape(true, 'test');
100
                $this->assertEquals(true, $resultNull);
101
        }
102
103
/**
104
 * testClean method
105
 *
106
 * @return void
107
 */
108
        public function testClean() {
109
                $string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
110
                $expected = 'test &amp; &quot;quote&quot; &#039;other&#039; ;.$ symbol.another line';
111
                $result = Sanitize::clean($string, array('connection' => 'test'));
112
                $this->assertEquals($expected, $result);
113
114
                $string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
115
                $expected = 'test & ' . Sanitize::escape('"quote"', 'test') . ' ' . Sanitize::escape('\'other\'', 'test') . ' ;.$ symbol.another line';
116
                $result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test'));
117
                $this->assertEquals($expected, $result);
118
119
                $string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
120
                $expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
121
                $result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test'));
122
                $this->assertEquals($expected, $result);
123
124
                $string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
125
                $expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
126
                $result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test'));
127
                $this->assertEquals($expected, $result);
128
129
                $string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
130
                $expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
131
                $result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test'));
132
                $this->assertEquals($expected, $result);
133
134
                $array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'));
135
                $expected = array(array('test &amp; &quot;quote&quot; &#039;other&#039; ;.$ symbol.another line'));
136
                $result = Sanitize::clean($array, array('connection' => 'test'));
137
                $this->assertEquals($expected, $result);
138
139
                $array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'));
140
                $expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line'));
141
                $result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
142
                $this->assertEquals($expected, $result);
143
144
                $array = array(array('test odd Ä spacesé'));
145
                $expected = array(array('test odd &Auml; spaces&eacute;'));
146
                $result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test'));
147
                $this->assertEquals($expected, $result);
148
149
                $array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line')));
150
                $expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line')));
151
                $result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
152
                $this->assertEquals($expected, $result);
153
154
                $string = '';
155
                $expected = '';
156
                $result = Sanitize::clean($string, array('connection' => 'test'));
157
                $this->assertEquals($expected, $result);
158
159
                $data = array(
160
                        'Grant' => array(
161
                                'title' => '2 o clock grant',
162
                                'grant_peer_review_id' => 3,
163
                                'institution_id' => 5,
164
                                'created_by' => 1,
165
                                'modified_by' => 1,
166
                                'created' => '2010-07-15 14:11:00',
167
                                'modified' => '2010-07-19 10:45:41'
168
                        ),
169
                        'GrantsMember' => array(
170
                                0 => array(
171
                                        'id' => 68,
172
                                        'grant_id' => 120,
173
                                        'member_id' => 16,
174
                                        'program_id' => 29,
175
                                        'pi_percent_commitment' => 1
176
                                )
177
                        )
178
                );
179
                $result = Sanitize::clean($data, array('connection' => 'test'));
180
                $this->assertEquals($data, $result);
181
        }
182
183
/**
184
 * testHtml method
185
 *
186
 * @return void
187
 */
188
        public function testHtml() {
189
                $string = '<p>This is a <em>test string</em> & so is this</p>';
190
                $expected = 'This is a test string &amp; so is this';
191
                $result = Sanitize::html($string, array('remove' => true));
192
                $this->assertEquals($expected, $result);
193
194
                $string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
195
                $expected = 'The &quot;lazy&quot; dog &#039;jumped&#039; &amp; flew over the moon. If (1+1) = 2 &lt;em&gt;is&lt;/em&gt; true, (2-1) = 1 is also true';
196
                $result = Sanitize::html($string);
197
                $this->assertEquals($expected, $result);
198
199
                $string = 'The "lazy" dog \'jumped\'';
200
                $expected = 'The &quot;lazy&quot; dog \'jumped\'';
201
                $result = Sanitize::html($string, array('quotes' => ENT_COMPAT));
202
                $this->assertEquals($expected, $result);
203
204
                $string = 'The "lazy" dog \'jumped\'';
205
                $result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES));
206
                $this->assertEquals($string, $result);
207
208
                $string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
209
                $expected = 'The &quot;lazy&quot; dog &#039;jumped&#039; &amp; flew over the moon. If (1+1) = 2 &lt;em&gt;is&lt;/em&gt; true, (2-1) = 1 is also true';
210
                $result = Sanitize::html($string);
211
                $this->assertEquals($expected, $result);
212
213
                $string = 'The "lazy" dog & his friend Apple&reg; conquered the world';
214
                $expected = 'The &quot;lazy&quot; dog &amp; his friend Apple&amp;reg; conquered the world';
215
                $result = Sanitize::html($string);
216
                $this->assertEquals($expected, $result);
217
218
                $string = 'The "lazy" dog & his friend Apple&reg; conquered the world';
219
                $expected = 'The &quot;lazy&quot; dog &amp; his friend Apple&reg; conquered the world';
220
                $result = Sanitize::html($string, array('double' => false));
221
                $this->assertEquals($expected, $result);
222
        }
223
224
/**
225
 * testStripWhitespace method
226
 *
227
 * @return void
228
 */
229
        public function testStripWhitespace() {
230
                $string = "This     sentence \t\t\t has lots of \n\n white\nspace \rthat \r\n needs to be    \t    \n trimmed.";
231
                $expected = "This sentence has lots of whitespace that needs to be trimmed.";
232
                $result = Sanitize::stripWhitespace($string);
233
                $this->assertEquals($expected, $result);
234
235
                $text = 'I    love  ßá†ö√    letters.';
236
                $result = Sanitize::stripWhitespace($text);
237
                $expected = 'I love ßá†ö√ letters.';
238
                $this->assertEquals($expected, $result);
239
        }
240
241
/**
242
 * testParanoid method
243
 *
244
 * @return void
245
 */
246
        public function testParanoid() {
247
                $string = 'I would like to !%@#% & dance & sing ^$&*()-+';
248
                $expected = 'Iwouldliketodancesing';
249
                $result = Sanitize::paranoid($string);
250
                $this->assertEquals($expected, $result);
251
252
                $string = array('This |s th% s0ng that never ends it g*es',
253
                                                'on and on my friends, b^ca#use it is the',
254
                                                'so&g th===t never ends.');
255
                $expected = array('This s th% s0ng that never ends it g*es',
256
                                                'on and on my friends bcause it is the',
257
                                                'sog tht never ends.');
258
                $result = Sanitize::paranoid($string, array('%', '*', '.', ' '));
259
                $this->assertEquals($expected, $result);
260
261
                $string = "anything' OR 1 = 1";
262
                $expected = 'anythingOR11';
263
                $result = Sanitize::paranoid($string);
264
                $this->assertEquals($expected, $result);
265
266
                $string = "x' AND email IS NULL; --";
267
                $expected = 'xANDemailISNULL';
268
                $result = Sanitize::paranoid($string);
269
                $this->assertEquals($expected, $result);
270
271
                $string = "x' AND 1=(SELECT COUNT(*) FROM users); --";
272
                $expected = 'xAND1SELECTCOUNTFROMusers';
273
                $result = Sanitize::paranoid($string);
274
                $this->assertEquals($expected, $result);
275
276
                $string = "x'; DROP TABLE members; --";
277
                $expected = 'xDROPTABLEmembers';
278
                $result = Sanitize::paranoid($string);
279
                $this->assertEquals($expected, $result);
280
        }
281
282
/**
283
 * testStripImages method
284
 *
285
 * @return void
286
 */
287
        public function testStripImages() {
288
                $string = '<img src="/img/test.jpg" alt="my image" />';
289
                $expected = 'my image<br />';
290
                $result = Sanitize::stripImages($string);
291
                $this->assertEquals($expected, $result);
292
293
                $string = '<img src="javascript:alert(\'XSS\');" />';
294
                $expected = '';
295
                $result = Sanitize::stripImages($string);
296
                $this->assertEquals($expected, $result);
297
298
                $string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>';
299
                $expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />';
300
                $result = Sanitize::stripImages($string);
301
                $this->assertEquals($expected, $result);
302
303
                $string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>';
304
                $expected = '<a onclick="medium()" href="http://example.com"></a>';
305
                $result = Sanitize::stripImages($string);
306
                $this->assertEquals($expected, $result);
307
        }
308
309
/**
310
 * testStripScripts method
311
 *
312
 * @return void
313
 */
314
        public function testStripScripts() {
315
                $string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />';
316
                $expected = '';
317
                $result = Sanitize::stripScripts($string);
318
                $this->assertEquals($expected, $result);
319
320
                $string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . "\n" .
321
                        '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
322
                        '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
323
                        '<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
324
                $expected = "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
325
                        '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
326
                        '<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
327
                $result = Sanitize::stripScripts($string);
328
                $this->assertEquals($expected, $result);
329
330
                $string = '<script type="text/javascript"> alert("hacked!");</script>';
331
                $expected = '';
332
                $result = Sanitize::stripScripts($string);
333
                $this->assertEquals($expected, $result);
334
335
                $string = '<script> alert("hacked!");</script>';
336
                $expected = '';
337
                $result = Sanitize::stripScripts($string);
338
                $this->assertEquals($expected, $result);
339
340
                $string = '<style>#content { display:none; }</style>';
341
                $expected = '';
342
                $result = Sanitize::stripScripts($string);
343
                $this->assertEquals($expected, $result);
344
345
                $string = '<style type="text/css"><!-- #content { display:none; } --></style>';
346
                $expected = '';
347
                $result = Sanitize::stripScripts($string);
348
                $this->assertEquals($expected, $result);
349
350
                $string = <<<HTML
351
text
352
<style type="text/css">
353
<!--
354
#content { display:none; }
355
-->
356
</style>
357
text
358
HTML;
359
                $expected = "text\n\ntext";
360
                $result = Sanitize::stripScripts($string);
361
                $this->assertTextEquals($expected, $result);
362
363
                $string = <<<HTML
364
text
365
<script type="text/javascript">
366
<!--
367
alert('wooo');
368
-->
369
</script>
370
text
371
HTML;
372
                $expected = "text\n\ntext";
373
                $result = Sanitize::stripScripts($string);
374
                $this->assertTextEquals($expected, $result);
375
        }
376
377
/**
378
 * testStripAll method
379
 *
380
 * @return void
381
 */
382
        public function testStripAll() {
383
                $string = '<img """><script>alert("xss")</script>"/>';
384
                $expected = '"/>';
385
                $result = Sanitize::stripAll($string);
386
                $this->assertEquals($expected, $result);
387
388
                $string = '<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>';
389
                $expected = '';
390
                $result = Sanitize::stripAll($string);
391
                $this->assertEquals($expected, $result);
392
393
                $string = '<<script>alert("XSS");//<</script>';
394
                $expected = '<';
395
                $result = Sanitize::stripAll($string);
396
                $this->assertEquals($expected, $result);
397
398
                $string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />' . "\n" .
399
                        "<p>This is ok      \t\n   text</p>\n" .
400
                        '<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">' . "\n" .
401
                        '<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
402
                $expected = '<p>This is ok text</p>';
403
                $result = Sanitize::stripAll($string);
404
                $this->assertEquals($expected, $result);
405
        }
406
407
/**
408
 * testStripTags method
409
 *
410
 * @return void
411
 */
412
        public function testStripTags() {
413
                $string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>';
414
                $expected = 'Headline<p>My Link could go to a bad site</p>';
415
                $result = Sanitize::stripTags($string, 'h2', 'a');
416
                $this->assertEquals($expected, $result);
417
418
                $string = '<script type="text/javascript" src="http://evildomain.com"> </script>';
419
                $expected = ' ';
420
                $result = Sanitize::stripTags($string, 'script');
421
                $this->assertEquals($expected, $result);
422
423
                $string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
424
                $expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>';
425
                $result = Sanitize::stripTags($string, 'h2', 'a');
426
                $this->assertEquals($expected, $result);
427
428
                $string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
429
                $expected = 'Important<p>Additional information here . Read even more here</p>';
430
                $result = Sanitize::stripTags($string, 'h2', 'a', 'img');
431
                $this->assertEquals($expected, $result);
432
433
                $string = '<b>Important message!</b><br>This message will self destruct!';
434
                $expected = 'Important message!<br>This message will self destruct!';
435
                $result = Sanitize::stripTags($string, 'b');
436
                $this->assertEquals($expected, $result);
437
438
                $string = '<b>Important message!</b><br />This message will self destruct!';
439
                $expected = 'Important message!<br />This message will self destruct!';
440
                $result = Sanitize::stripTags($string, 'b');
441
                $this->assertEquals($expected, $result);
442
443
                $string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
444
                $expected = 'Important<p>Additional information here . Read even more here</p>';
445
                $result = Sanitize::stripTags($string, 'h2', 'a', 'img');
446
                $this->assertEquals($expected, $result);
447
        }
448
}