<?php
/**
 * SanitizeTest file
 *
 * CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice
 *
 * @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link http://book.cakephp.org/2.0/en/development/testing.html CakePHP(tm) Tests
 * @package Cake.Test.Case.Utility
 * @since CakePHP(tm) v 1.2.0.5428
 * @license http://www.opensource.org/licenses/mit-license.php MIT License
 */

// Class under test: registers Cake's Sanitize utility with the App class loader
// so the static Sanitize::* calls below resolve.
App::uses('Sanitize', 'Utility');
/**
 * DataTest class
 *
 * Minimal model bound to the 'data_tests' table. SanitizeTest below never
 * references it directly; presumably it exists so the 'core.data_test'
 * fixture has a model on the 'test' connection — confirm before removing.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeDataTest extends CakeTestModel {

/**
 * useTable property
 *
 * Explicit table name instead of the one Cake would infer from the class name.
 *
 * @var string
 */
	public $useTable = 'data_tests';
}
/**
 * Article class
 *
 * Minimal model bound to the 'articles' table. Like SanitizeDataTest it is
 * not referenced by the test methods; presumably it backs the 'core.article'
 * fixture declared on SanitizeTest — confirm before removing.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeArticle extends CakeTestModel {

/**
 * useTable property
 *
 * Explicit table name instead of the one Cake would infer from the class name.
 *
 * @var string
 */
	public $useTable = 'articles';
}
/**
 * SanitizeTest class
 *
 * Input/expected-output tests for the static helpers of the Sanitize utility:
 * escape(), clean(), html(), stripWhitespace(), paranoid(), stripImages(),
 * stripScripts(), stripAll() and stripTags(). Each case only shows what a
 * filter produces for one specific input; none of them establishes that a
 * filter is a complete defence against SQL injection or XSS, so production
 * code should still rely on parameterised queries and context-aware output
 * escaping rather than on these helpers alone.
 *
 * NOTE(review): several expected literals below contain raw quotes and
 * ampersands where the function under test (Sanitize::html, or
 * Sanitize::clean with its default 'encode' option) would emit HTML
 * entities, and two of them are not even valid single-quoted PHP strings as
 * printed. This copy of the file appears to have had entities decoded during
 * rendering; the affected literals are flagged inline and must be confirmed
 * against the repository source before being trusted or edited.
 *
 * @package Cake.Test.Case.Utility
 */
class SanitizeTest extends CakeTestCase {

/**
 * autoFixtures property
 *
 * Fixtures are declared below but not loaded automatically. No test in this
 * class reads fixture rows; the 'test' connection name is only handed to
 * Sanitize::escape() and Sanitize::clean().
 *
 * @var bool
 */
	public $autoFixtures = false;

/**
 * fixtures property
 *
 * @var array
 */
	public $fixtures = array('core.data_test', 'core.article');

/**
 * testEscapeAlphaNumeric method
 *
 * Sanitize::escape() on the 'test' connection must pass alphanumeric strings
 * through unchanged and return non-string scalars (int, float, null, bool)
 * as they were given. Note that assertEquals() compares loosely (==), so
 * these cases do not pin the return type — a string '1234' would satisfy the
 * integer case and '' would satisfy the null case.
 *
 * @return void
 */
	public function testEscapeAlphaNumeric() {
		$resultAlpha = Sanitize::escape('abc', 'test');
		$this->assertEquals('abc', $resultAlpha);

		$resultNumeric = Sanitize::escape('123', 'test');
		$this->assertEquals('123', $resultNumeric);

		$resultNumeric = Sanitize::escape(1234, 'test');
		$this->assertEquals(1234, $resultNumeric);

		$resultNumeric = Sanitize::escape(1234.23, 'test');
		$this->assertEquals(1234.23, $resultNumeric);

		// A leading '#' is expected to survive escaping unchanged.
		$resultNumeric = Sanitize::escape('#1234.23', 'test');
		$this->assertEquals('#1234.23', $resultNumeric);

		$resultNull = Sanitize::escape(null, 'test');
		$this->assertEquals(null, $resultNull);

		$resultNull = Sanitize::escape(false, 'test');
		$this->assertEquals(false, $resultNull);

		$resultNull = Sanitize::escape(true, 'test');
		$this->assertEquals(true, $resultNull);
	}

/**
 * testClean method
 *
 * Sanitize::clean() applies a set of filters selected by its options array
 * ('encode', 'escape', 'dollar', 'carriage', 'odd_spaces', 'connection') and
 * recurses into nested arrays. The cases below switch off one option at a
 * time so each filter's effect is visible on its own: the "\r" is dropped
 * unless 'carriage' is false, a "\$" sequence loses its backslash unless
 * 'dollar' is false, quoted fragments are escaped for the 'test' connection
 * unless 'escape' is false, and the default 'encode' step presumably
 * HTML-encodes the string (see the NOTE on the first case).
 *
 * @return void
 */
	public function testClean() {
		// Default options: "\r" is removed and the text is encoded.
		// NOTE(review): the expected literal contains unescaped single quotes
		// inside a single-quoted string, which cannot parse as printed; the
		// original almost certainly held HTML entities that this rendering
		// decoded. Confirm against the repository source.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" 'other' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'encode' => false: only connection-specific escaping of the quoted
		// fragments remains, so the expectation is built from escape() itself.
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & ' . Sanitize::escape('"quote"', 'test') . ' ' . Sanitize::escape('\'other\'', 'test') . ' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'escape' => false as well: the backslash before '$' is still removed
		// by the default 'dollar' filter and "\r" by the default 'carriage' one.
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'dollar' => false keeps the "\$" sequence intact.
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'carriage' => false keeps the "\r".
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Nested arrays are cleaned element by element.
		// NOTE(review): same decoded-entity suspicion as the first case.
		$array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'));
		$expected = array(array('test & "quote" 'other' ;.$ symbol.another line'));
		$result = Sanitize::clean($array, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		$array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'));
		$expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line'));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// 'odd_spaces' => false: non-ASCII text and its spacing pass through.
		// NOTE(review): whether these spaces are plain or non-breaking is not
		// recoverable from this rendering; check the source bytes.
		$array = array(array('test odd Ä spacesé'));
		$expected = array(array('test odd Ä spacesé'));
		$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Mixed nesting: a scalar and an associative array in the same list,
		// both subject to the 'dollar' filter.
		$array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line')));
		$expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line')));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Empty string is returned unchanged.
		$string = '';
		$expected = '';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		// A record-shaped array of plain alphanumeric, date and integer values
		// must come back identical under the default options.
		$data = array(
			'Grant' => array(
				'title' => '2 o clock grant',
				'grant_peer_review_id' => 3,
				'institution_id' => 5,
				'created_by' => 1,
				'modified_by' => 1,
				'created' => '2010-07-15 14:11:00',
				'modified' => '2010-07-19 10:45:41'
			),
			'GrantsMember' => array(
				0 => array(
					'id' => 68,
					'grant_id' => 120,
					'member_id' => 16,
					'program_id' => 29,
					'pi_percent_commitment' => 1
				)
			)
		);
		$result = Sanitize::clean($data, array('connection' => 'test'));
		$this->assertEquals($data, $result);
	}

/**
 * testHtml method
 *
 * Sanitize::html() either strips tags ('remove' => true) or entity-encodes
 * the markup; 'quotes' selects the ENT_* quote handling and 'double' decides
 * whether an entity that is already present gets encoded again.
 *
 * NOTE(review): apart from the 'remove' and ENT_NOQUOTES cases, every
 * expected literal here shows decoded characters where html() would emit
 * entities. The last two cases are the tell-tale: the input prints '®' while
 * the expected prints '&reg;', i.e. one level of entity decoding was applied
 * to both. Confirm the literals against the repository source.
 *
 * @return void
 */
	public function testHtml() {
		// 'remove' => true strips the tags and keeps the text.
		$string = '<p>This is a <em>test string</em> & so is this</p>';
		$expected = 'This is a test string & so is this';
		$result = Sanitize::html($string, array('remove' => true));
		$this->assertEquals($expected, $result);

		// Default options: markup, ampersand and both quote styles encoded.
		// NOTE(review): literal cannot parse as printed (see class docblock).
		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// ENT_COMPAT: single quotes are left alone.
		$string = 'The "lazy" dog \'jumped\'';
		$expected = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_COMPAT));
		$this->assertEquals($expected, $result);

		// ENT_NOQUOTES: nothing in this input is touched, it comes back as-is.
		$string = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES));
		$this->assertEquals($string, $result);

		// Repeat of the default-options case.
		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// Default 'double' => true: an entity already in the input is encoded again.
		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple&reg; conquered the world';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		// 'double' => false: the existing entity is left intact.
		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple® conquered the world';
		$result = Sanitize::html($string, array('double' => false));
		$this->assertEquals($expected, $result);
	}

/**
 * testStripWhitespace method
 *
 * Sanitize::stripWhitespace() collapses runs of spaces, tabs and line
 * endings into a single space and removes line breaks that sit inside a word
 * ("white\nspace" becomes "whitespace"). Multibyte letters must survive.
 *
 * @return void
 */
	public function testStripWhitespace() {
		$string = "This sentence \t\t\t has lots of \n\n white\nspace \rthat \r\n needs to be \t \n trimmed.";
		$expected = "This sentence has lots of whitespace that needs to be trimmed.";
		$result = Sanitize::stripWhitespace($string);
		$this->assertEquals($expected, $result);

		// No whitespace to collapse; checks that UTF-8 text is not mangled.
		$text = 'I love ßá†ö√ letters.';
		$result = Sanitize::stripWhitespace($text);
		$expected = 'I love ßá†ö√ letters.';
		$this->assertEquals($expected, $result);
	}

/**
 * testParanoid method
 *
 * Sanitize::paranoid() keeps only alphanumeric characters plus whatever is
 * listed in its second argument, and maps over arrays. The SQL-shaped
 * inputs at the end only demonstrate that punctuation and spaces are
 * dropped; they are not evidence of injection safety — parameterised
 * queries remain the control — and a whitelist this aggressive also
 * destroys legitimate data (every space and punctuation mark).
 *
 * @return void
 */
	public function testParanoid() {
		// Default allowed set: letters and digits only, even spaces go.
		$string = 'I would like to !%@#% & dance & sing ^$&*()-+';
		$expected = 'Iwouldliketodancesing';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		// Array input with '%', '*', '.' and ' ' explicitly allowed.
		$string = array('This |s th% s0ng that never ends it g*es',
			'on and on my friends, b^ca#use it is the',
			'so&g th===t never ends.');
		$expected = array('This s th% s0ng that never ends it g*es',
			'on and on my friends bcause it is the',
			'sog tht never ends.');
		$result = Sanitize::paranoid($string, array('%', '*', '.', ' '));
		$this->assertEquals($expected, $result);

		// SQL-looking inputs: only the alphanumeric residue remains.
		$string = "anything' OR 1 = 1";
		$expected = 'anythingOR11';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x' AND email IS NULL; --";
		$expected = 'xANDemailISNULL';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x' AND 1=(SELECT COUNT(*) FROM users); --";
		$expected = 'xAND1SELECTCOUNTFROMusers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = "x'; DROP TABLE members; --";
		$expected = 'xDROPTABLEmembers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripImages method
 *
 * Sanitize::stripImages() replaces an <img> that carries an alt attribute
 * with the alt text followed by '<br />' (placed after any enclosing <a>),
 * and removes an <img> without alt entirely. Surrounding markup is left as
 * it was: in the last case the onclick handler on the enclosing <a> survives,
 * so this helper only deals with <img> and is not an attribute sanitiser.
 *
 * @return void
 */
	public function testStripImages() {
		// alt present: replaced by the alt text plus a line break.
		$string = '<img src="/img/test.jpg" alt="my image" />';
		$expected = 'my image<br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// No alt: the element disappears completely.
		$string = '<img src="javascript:alert(\'XSS\');" />';
		$expected = '';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// Wrapped in a link: the <a> is kept, alt text goes inside it and the
		// '<br />' follows the closing tag; title/id/class are discarded.
		$string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>';
		$expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		// The <img> (no alt) is removed; the <a> and its onclick are untouched.
		$string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>';
		$expected = '<a onclick="medium()" href="http://example.com"></a>';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripScripts method
 *
 * Sanitize::stripScripts() removes <script> and <style> elements together
 * with their contents (including bodies wrapped in HTML comments and spread
 * over several lines) and <link rel="stylesheet"> tags, while other <link>
 * relations (icon, shortcut icon, alternate) are kept. The heredoc cases use
 * assertTextEquals(), which presumably normalises line endings first.
 *
 * @return void
 */
	public function testStripScripts() {
		// A stylesheet link is removed outright.
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// Only the stylesheet link goes; the "\n" after it and the other
		// <link> elements remain.
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . "\n" .
			'<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$expected = "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// <script> with and without a type attribute, body included.
		$string = '<script type="text/javascript"> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<script> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// <style> with and without a comment-wrapped body.
		$string = '<style>#content { display:none; }</style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<style type="text/css"><!-- #content { display:none; } --></style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// Multi-line <style>: the element is removed, the surrounding text and
		// the line breaks around it stay.
		$string = <<<HTML
text
<style type="text/css">
<!--
#content { display:none; }
-->
</style>
text
HTML;
		$expected = "text\n\ntext";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);

		// Same for a multi-line <script>.
		$string = <<<HTML
text
<script type="text/javascript">
<!--
alert('wooo');
-->
</script>
text
HTML;
		$expected = "text\n\ntext";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);
	}

/**
 * testStripAll method
 *
 * Sanitize::stripAll() appears to combine the image, script and whitespace
 * filters; what is asserted is the fragment left after all of them ran.
 * The leftovers in the first and third cases ('"/>' and '<') show how
 * fragile regex tag-stripping is against malformed markup — treat this as a
 * best-effort clean-up, not as an XSS boundary; escape on output instead.
 *
 * NOTE(review): the second input cannot be a valid single-quoted PHP string
 * as printed; the repository source presumably encoded that payload
 * differently (entities decoded by this rendering). Confirm before editing.
 *
 * @return void
 */
	public function testStripAll() {
		// Malformed <img> plus <script>: both tags go, the stray '"/>' stays.
		$string = '<img """><script>alert("xss")</script>"/>';
		$expected = '"/>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		// Upper-case IMG with a javascript: source is removed entirely.
		$string = '<IMG SRC=javascript:alert('XSS')>';
		$expected = '';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		// Doubled '<': the script is removed but one '<' is left behind.
		$string = '<<script>alert("XSS");//<</script>';
		$expected = '<';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		// Mixed document: <img>, stylesheet <link> and <script> are removed,
		// the "\t\n" inside the paragraph is collapsed, only the <p> survives.
		$string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />' . "\n" .
			"<p>This is ok \t\n text</p>\n" .
			'<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">' . "\n" .
			'<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
		$expected = '<p>This is ok text</p>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);
	}

/**
 * testStripTags method
 *
 * Sanitize::stripTags() takes the tag names to remove as variadic arguments
 * after the string. Listed tags are removed together with their attributes
 * (event handlers included) while their text content is kept; any tag not
 * listed — <p>, <br>, <br />, <img> — stays exactly as it was. Note the
 * <script> case: removing the tags does not remove what was between them.
 *
 * @return void
 */
	public function testStripTags() {
		// h2 and a removed, their text kept; <p> untouched.
		$string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>';
		$expected = 'Headline<p>My Link could go to a bad site</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		// Only the <script> tags go; the single-space body remains.
		$string = '<script type="text/javascript" src="http://evildomain.com"> </script>';
		$expected = ' ';
		$result = Sanitize::stripTags($string, 'script');
		$this->assertEquals($expected, $result);

		// <img> is not in the list, so it survives the removal of its <a>...
		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		// ...and goes once 'img' is added.
		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);

		// Unlisted void tags keep whichever spelling they had.
		$string = '<b>Important message!</b><br>This message will self destruct!';
		$expected = 'Important message!<br>This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		$string = '<b>Important message!</b><br />This message will self destruct!';
		$expected = 'Important message!<br />This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		// Attributes on a listed tag (here event handlers on <h2>) are removed
		// along with the tag; the heading text is kept.
		$string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);
	}
}