1 | 635eef61 | spyder1211 | <?php
/**
 * SanitizeTest file
 *
 * CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice
 *
 * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link http://book.cakephp.org/2.0/en/development/testing.html CakePHP(tm) Tests
 * @package Cake.Test.Case.Utility
 * @since CakePHP(tm) v
 * @license http://www.opensource.org/licenses/mit-license.php MIT License
 */
18 | |||
// Register the Sanitize utility — the class under test — with Cake's class loader.
App::uses('Sanitize', 'Utility');
20 | |||
/**
 * DataTest class
 *
 * Bare model stub mapped onto the `data_tests` table. It is not referenced by
 * any test method in this listing; it only exists so the model can be resolved
 * against the 'test' datasource if a case needs it.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeDataTest extends CakeTestModel {

/**
 * Table this stub is bound to.
 *
 * @var string
 */
	public $useTable = 'data_tests';
}
35 | |||
/**
 * Article class
 *
 * Bare model stub mapped onto the `articles` table. Like SanitizeDataTest it is
 * not referenced by any test method in this listing.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeArticle extends CakeTestModel {

/**
 * Table this stub is bound to.
 *
 * @var string
 */
	public $useTable = 'articles';
}
50 | |||
/**
 * SanitizeTest class
 *
 * Pins the behaviour of the static helpers on Sanitize: escape(), clean(),
 * html(), stripWhitespace(), paranoid(), stripImages(), stripScripts(),
 * stripAll() and stripTags(). Helpers that take a connection name are run
 * against the 'test' datasource.
 *
 * NOTE(review): the Sanitize utility was deprecated in CakePHP 2.4; what these
 * tests pin is legacy behaviour, and the cases below show the helpers working
 * by character removal / tag-pattern removal rather than by context-aware
 * escaping at output time.
 *
 * NOTE(review): several expected literals in this listing (testClean, testHtml,
 * testStripAll) look as though the page renderer decoded their HTML entities —
 * a bare 'other' inside a single-quoted PHP string would not even parse — so the
 * values shown here are presumably the entity-encoded forms in the repository.
 * Confirm against the source file before relying on them.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeTest extends CakeTestCase {

/**
 * autoFixtures property
 *
 * Fixtures are not loaded automatically, and none of the test methods below
 * call loadFixtures(), so the 'test' connection is used without fixture data.
 *
 * @var bool
 */
	public $autoFixtures = false;

/**
 * fixtures property
 *
 * Declared for the 'test' datasource; with $autoFixtures false they are not
 * loaded unless a test asks for them.
 *
 * @var array
 */
	public $fixtures = array('core.data_test', 'core.article');

/**
 * testEscapeAlphaNumeric method
 *
 * Sanitize::escape() on the 'test' connection returns alphanumeric strings,
 * ints, floats, null and booleans unchanged. '#1234.23' also passes through
 * untouched, so the helper does not strip or encode the '#' character.
 *
 * @return void
 */
	public function testEscapeAlphaNumeric() {
		$resultAlpha = Sanitize::escape('abc', 'test');
		$this->assertEquals('abc', $resultAlpha);

		$resultNumeric = Sanitize::escape('123', 'test');
		$this->assertEquals('123', $resultNumeric);

		$resultNumeric = Sanitize::escape(1234, 'test');
		$this->assertEquals(1234, $resultNumeric);

		$resultNumeric = Sanitize::escape(1234.23, 'test');
		$this->assertEquals(1234.23, $resultNumeric);

		$resultNumeric = Sanitize::escape('#1234.23', 'test');
		$this->assertEquals('#1234.23', $resultNumeric);

		// assertEquals is a loose (==) comparison, so these three cases also pass
		// for any loosely-equal value ('' or 0 for null/false, 1 for true).
		$resultNull = Sanitize::escape(null, 'test');
		$this->assertEquals(null, $resultNull);

		$resultNull = Sanitize::escape(false, 'test');
		$this->assertEquals(false, $resultNull);

		$resultNull = Sanitize::escape(true, 'test');
		$this->assertEquals(true, $resultNull);
	}

/**
 * testClean method
 *
 * Sanitize::clean() with default options strips the "\r", collapses the
 * escaped dollar ('\\$' becomes '$') and (per the expected value, see the
 * class-level NOTE) encodes the quotes and ampersand. Each of 'encode',
 * 'escape', 'dollar' and 'carriage' can be switched off individually; the
 * function recurses into nested arrays; an empty string and an array of
 * already-clean scalars come back unchanged.
 *
 * @return void
 */
	public function testClean() {
		// Default options: encode + escape + dollar + carriage, all on.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		// NOTE(review): the bare 'other' here would not parse as PHP; this literal
		// is presumably entity-encoded in the repository — confirm.
		$expected = 'test & "quote" 'other' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		// encode off: the quoted fragments go through Sanitize::escape() only.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & ' . Sanitize::escape('"quote"', 'test') . ' ' . Sanitize::escape('\'other\'', 'test') . ' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// encode + escape off: only the dollar and carriage passes remain.
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// dollar off: '\\$' survives.
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// carriage off: the "\r" survives.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Nested arrays are cleaned element by element.
		$array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'));
		// NOTE(review): same entity-decoding concern as the first case above.
		$expected = array(array('test & "quote" 'other' ;.$ symbol.another line'));
		$result = Sanitize::clean($array, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		$array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'));
		$expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line'));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// odd_spaces off: the unusual whitespace in this literal must be preserved.
		// NOTE(review): the "odd" spaces may not have survived rendering — confirm
		// the exact bytes against the source file.
		$array = array(array('test odd Ä spacesé'));
		$expected = array(array('test odd Ä spacesé'));
		$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Mixed list/map nesting: keys are kept, every leaf value is cleaned.
		$array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line')));
		$expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line')));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Empty input is a no-op.
		$string = '';
		$expected = '';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		// A record-shaped array with nothing to clean is returned equal to its input.
		$data = array(
			'Grant' => array(
				'title' => '2 o clock grant',
				'grant_peer_review_id' => 3,
				'institution_id' => 5,
				'created_by' => 1,
				'modified_by' => 1,
				'created' => '2010-07-15 14:11:00',
				'modified' => '2010-07-19 10:45:41'
			),
			'GrantsMember' => array(
				0 => array(
					'id' => 68,
					'grant_id' => 120,
					'member_id' => 16,
					'program_id' => 29,
					'pi_percent_commitment' => 1
				)
			)
		);
		$result = Sanitize::clean($data, array('connection' => 'test'));
		$this->assertEquals($data, $result);
	}

/**
 * testHtml method
 *
 * Sanitize::html() with 'remove' => true strips tags outright; by default it
 * entity-encodes the string (quotes and '&'), with the 'quotes' option mapping
 * onto the ENT_* flags (ENT_COMPAT leaves single quotes alone, ENT_NOQUOTES
 * leaves the string untouched). Existing entities are encoded again unless
 * 'double' => false is given.
 *
 * NOTE(review): the expected values in this method appear entity-decoded in
 * this listing (see the class-level note); the 'Apple®' cases in particular
 * only make sense if the input held an entity and the default output held it
 * double-encoded — confirm against the source file.
 *
 * @return void
 */
	public function testHtml() {
		$string = '<p>This is a <em>test string</em> & so is this</p>';
		$expected = 'This is a test string & so is this';
		$result = Sanitize::html($string, array('remove' => true));
		$this->assertEquals($expected, $result);

		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// ENT_COMPAT: single quotes are left as-is.
		$string = 'The "lazy" dog \'jumped\'';
		$expected = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_COMPAT));
		$this->assertEquals($expected, $result);

		// ENT_NOQUOTES: neither quote style is touched, so output equals input.
		$string = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES));
		$this->assertEquals($string, $result);

		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// Default: an entity already present in the input is encoded again.
		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple&reg; conquered the world';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// double => false: the existing entity is preserved as-is.
		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple® conquered the world';
		$result = Sanitize::html($string, array('double' => false));
		$this->assertEquals($expected, $result);
	}

/**
 * testStripWhitespace method
 *
 * Sanitize::stripWhitespace() collapses runs of tabs, newlines, carriage
 * returns and spaces into a single space and removes a newline that splits a
 * word ("white\nspace" becomes "whitespace"). Multibyte letters pass through
 * unchanged.
 *
 * @return void
 */
	public function testStripWhitespace() {
		$string = "This sentence \t\t\t has lots of \n\n white\nspace \rthat \r\n needs to be \t \n trimmed.";
		$expected = "This sentence has lots of whitespace that needs to be trimmed.";
		$result = Sanitize::stripWhitespace($string);
		$this->assertEquals($expected, $result);

		$text = 'I love ßá†ö√ letters.';
		$result = Sanitize::stripWhitespace($text);
		$expected = 'I love ßá†ö√ letters.';
		$this->assertEquals($expected, $result);
	}

/**
 * testParanoid method
 *
 * Sanitize::paranoid() deletes every character that is not alphanumeric —
 * including spaces — unless it appears in the optional allowed-characters
 * array; arrays are processed element-wise. The SQL-shaped inputs at the end
 * document that quotes, semicolons, parentheses and '--' are removed, not
 * escaped: this is character whitelisting, which is not a substitute for
 * parameterised queries.
 *
 * @return void
 */
	public function testParanoid() {
		$string = 'I would like to !%@#% & dance & sing ^$&*()-+';
		$expected = 'Iwouldliketodancesing';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		// '%', '*', '.' and the space are allowed through; '|', ',', '^', '#', '&', '=' are not.
		$string = array('This |s th% s0ng that never ends it g*es',
						'on and on my friends, b^ca#use it is the',
						'so&g th===t never ends.');
		$expected = array('This s th% s0ng that never ends it g*es',
						'on and on my friends bcause it is the',
						'sog tht never ends.');
		$result = Sanitize::paranoid($string, array('%', '*', '.', ' '));
		$this->assertEquals($expected, $result);

		$string = "anything' OR 1 = 1";
		$expected = 'anythingOR11';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x' AND email IS NULL; --";
		$expected = 'xANDemailISNULL';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x' AND 1=(SELECT COUNT(*) FROM users); --";
		$expected = 'xAND1SELECTCOUNTFROMusers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x'; DROP TABLE members; --";
		$expected = 'xDROPTABLEmembers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripImages method
 *
 * Sanitize::stripImages() replaces an <img> that has an alt attribute with the
 * alt text followed by '<br />', and removes an <img> without alt entirely.
 * Only the image is touched: in the last case the surrounding anchor, including
 * its own onclick attribute, is left in place, so this helper on its own does
 * not neutralise event handlers on other elements.
 *
 * @return void
 */
	public function testStripImages() {
		$string = '<img src="/img/test.jpg" alt="my image" />';
		$expected = 'my image<br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// No alt attribute: the tag is dropped without a replacement.
		$string = '<img src="javascript:alert(\'XSS\');" />';
		$expected = '';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// Image inside a link: the link stays, the image becomes its alt text.
		$string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>';
		$expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// The anchor's onclick survives; only the image (and its handler) is removed.
		$string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>';
		$expected = '<a onclick="medium()" href="http://example.com"></a>';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripScripts method
 *
 * Sanitize::stripScripts() removes <link> elements with rel="stylesheet"
 * (icon, shortcut icon and alternate links are kept), and removes <script> and
 * <style> elements together with their contents, including multi-line bodies
 * wrapped in HTML comments. The heredoc cases compare with assertTextEquals so
 * line-ending differences do not matter.
 *
 * @return void
 */
	public function testStripScripts() {
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// Only the stylesheet link is removed; the leading "\n" it sat on remains.
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . "\n" .
			'<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$expected = "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<script type="text/javascript"> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<script> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<style>#content { display:none; }</style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<style type="text/css"><!-- #content { display:none; } --></style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// Multi-line <style> block: the whole element goes, leaving the text on either side.
		$string = <<<HTML
text
<style type="text/css">
<!--
#content { display:none; }
-->
</style>
text
HTML;
		$expected = "text\n\ntext";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);

		// Multi-line <script> block, same shape.
		$string = <<<HTML
text
<script type="text/javascript">
<!--
alert('wooo');
-->
</script>
text
HTML;
		$expected = "text\n\ntext";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);
	}

/**
 * testStripAll method
 *
 * Sanitize::stripAll() combines the image, script/style/stylesheet and
 * whitespace stripping. The first and third cases document that removal is
 * tag-pattern based: what is left over after the recognised tags are cut out
 * ('"/>' and '<') is returned as-is rather than re-checked.
 *
 * NOTE(review): the second input is shown here with bare single quotes inside a
 * single-quoted PHP literal, which would not parse; the repository literal is
 * presumably an entity-encoded form of the same payload — confirm.
 *
 * @return void
 */
	public function testStripAll() {
		$string = '<img """><script>alert("xss")</script>"/>';
		$expected = '"/>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		$string = '<IMG SRC=javascript:alert('XSS')>';
		$expected = '';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		$string = '<<script>alert("XSS");//<</script>';
		$expected = '<';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		// Image with onload, stylesheet link and script tag all go; the paragraph
		// survives with its inner whitespace collapsed.
		$string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />' . "\n" .
			"<p>This is ok \t\n text</p>\n" .
			'<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">' . "\n" .
			'<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
		$expected = '<p>This is ok text</p>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripTags method
 *
 * Sanitize::stripTags() removes only the tag names passed as extra arguments,
 * keeping their inner content; tags not listed (<p>, <br>, <br />, <img> unless
 * named) are left alone. The last case shows a listed tag is removed along with
 * all of its attributes even when the attribute quoting is malformed.
 *
 * @return void
 */
	public function testStripTags() {
		$string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>';
		$expected = 'Headline<p>My Link could go to a bad site</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		// Stripping 'script' keeps the element's content — here a single space.
		$string = '<script type="text/javascript" src="http://evildomain.com"> </script>';
		$expected = ' ';
		$result = Sanitize::stripTags($string, 'script');
		$this->assertEquals($expected, $result);

		// 'img' not listed: the image tag inside the stripped link remains.
		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		// 'img' listed: the self-closing image is removed too.
		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);

		$string = '<b>Important message!</b><br>This message will self destruct!';
		$expected = 'Important message!<br>This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		$string = '<b>Important message!</b><br />This message will self destruct!';
		$expected = 'Important message!<br />This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		// Malformed attribute quoting on <h2> does not stop the whole tag being removed.
		$string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);
	}
}
448 | } |