pictcode / lib / Cake / Test / Case / Utility / SanitizeTest.php @ master
履歴 | 表示 | アノテート | ダウンロード (15.852 KB)
1 |
<?php
|
---|---|
2 |
/**
|
3 |
* SanitizeTest file
|
4 |
*
|
5 |
* CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
|
6 |
* Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
7 |
*
|
8 |
* Licensed under The MIT License
|
9 |
* For full copyright and license information, please see the LICENSE.txt
|
10 |
* Redistributions of files must retain the above copyright notice
|
11 |
*
|
12 |
* @copyright Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
|
13 |
* @link http://book.cakephp.org/2.0/en/development/testing.html CakePHP(tm) Tests
|
14 |
* @package Cake.Test.Case.Utility
|
15 |
* @since CakePHP(tm) v 1.2.0.5428
|
16 |
* @license http://www.opensource.org/licenses/mit-license.php MIT License
|
17 |
*/
|
18 |
|
19 |
App::uses('Sanitize', 'Utility'); |
20 |
|
21 |
/**
|
22 |
* DataTest class
|
23 |
*
|
24 |
* @package Cake.Test.Case.Utility
|
25 |
*/
|
26 |
class SanitizeDataTest extends CakeTestModel { |
27 |
|
28 |
/**
|
29 |
* useTable property
|
30 |
*
|
31 |
* @var string
|
32 |
*/
|
33 |
public $useTable = 'data_tests'; |
34 |
} |
35 |
|
36 |
/**
|
37 |
* Article class
|
38 |
*
|
39 |
* @package Cake.Test.Case.Utility
|
40 |
*/
|
41 |
class SanitizeArticle extends CakeTestModel { |
42 |
|
43 |
/**
|
44 |
* useTable property
|
45 |
*
|
46 |
* @var string
|
47 |
*/
|
48 |
public $useTable = 'articles'; |
49 |
} |
50 |
|
51 |
/**
|
52 |
* SanitizeTest class
|
53 |
*
|
54 |
* @package Cake.Test.Case.Utility
|
55 |
*/
|
56 |
class SanitizeTest extends CakeTestCase { |
57 |
|
58 |
/**
|
59 |
* autoFixtures property
|
60 |
*
|
61 |
* @var bool
|
62 |
*/
|
63 |
public $autoFixtures = false; |
64 |
|
65 |
/**
|
66 |
* fixtures property
|
67 |
*
|
68 |
* @var array
|
69 |
*/
|
70 |
public $fixtures = array('core.data_test', 'core.article'); |
71 |
|
72 |
/**
|
73 |
* testEscapeAlphaNumeric method
|
74 |
*
|
75 |
* @return void
|
76 |
*/
|
77 |
public function testEscapeAlphaNumeric() { |
78 |
$resultAlpha = Sanitize::escape('abc', 'test'); |
79 |
$this->assertEquals('abc', $resultAlpha); |
80 |
|
81 |
$resultNumeric = Sanitize::escape('123', 'test'); |
82 |
$this->assertEquals('123', $resultNumeric); |
83 |
|
84 |
$resultNumeric = Sanitize::escape(1234, 'test'); |
85 |
$this->assertEquals(1234, $resultNumeric); |
86 |
|
87 |
$resultNumeric = Sanitize::escape(1234.23, 'test'); |
88 |
$this->assertEquals(1234.23, $resultNumeric); |
89 |
|
90 |
$resultNumeric = Sanitize::escape('#1234.23', 'test'); |
91 |
$this->assertEquals('#1234.23', $resultNumeric); |
92 |
|
93 |
$resultNull = Sanitize::escape(null, 'test'); |
94 |
$this->assertEquals(null, $resultNull); |
95 |
|
96 |
$resultNull = Sanitize::escape(false, 'test'); |
97 |
$this->assertEquals(false, $resultNull); |
98 |
|
99 |
$resultNull = Sanitize::escape(true, 'test'); |
100 |
$this->assertEquals(true, $resultNull); |
101 |
} |
102 |
|
103 |
/**
|
104 |
* testClean method
|
105 |
*
|
106 |
* @return void
|
107 |
*/
|
108 |
public function testClean() { |
109 |
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'; |
110 |
$expected = 'test & "quote" 'other' ;.$ symbol.another line'; |
111 |
$result = Sanitize::clean($string, array('connection' => 'test')); |
112 |
$this->assertEquals($expected, $result); |
113 |
|
114 |
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'; |
115 |
$expected = 'test & ' . Sanitize::escape('"quote"', 'test') . ' ' . Sanitize::escape('\'other\'', 'test') . ' ;.$ symbol.another line'; |
116 |
$result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test')); |
117 |
$this->assertEquals($expected, $result); |
118 |
|
119 |
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'; |
120 |
$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line'; |
121 |
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test')); |
122 |
$this->assertEquals($expected, $result); |
123 |
|
124 |
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'; |
125 |
$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line'; |
126 |
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test')); |
127 |
$this->assertEquals($expected, $result); |
128 |
|
129 |
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'; |
130 |
$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'; |
131 |
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test')); |
132 |
$this->assertEquals($expected, $result); |
133 |
|
134 |
$array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line')); |
135 |
$expected = array(array('test & "quote" 'other' ;.$ symbol.another line')); |
136 |
$result = Sanitize::clean($array, array('connection' => 'test')); |
137 |
$this->assertEquals($expected, $result); |
138 |
|
139 |
$array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line')); |
140 |
$expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line')); |
141 |
$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test')); |
142 |
$this->assertEquals($expected, $result); |
143 |
|
144 |
$array = array(array('test odd Ä spacesé')); |
145 |
$expected = array(array('test odd Ä spacesé')); |
146 |
$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test')); |
147 |
$this->assertEquals($expected, $result); |
148 |
|
149 |
$array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'))); |
150 |
$expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line'))); |
151 |
$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test')); |
152 |
$this->assertEquals($expected, $result); |
153 |
|
154 |
$string = ''; |
155 |
$expected = ''; |
156 |
$result = Sanitize::clean($string, array('connection' => 'test')); |
157 |
$this->assertEquals($expected, $result); |
158 |
|
159 |
$data = array( |
160 |
'Grant' => array( |
161 |
'title' => '2 o clock grant', |
162 |
'grant_peer_review_id' => 3, |
163 |
'institution_id' => 5, |
164 |
'created_by' => 1, |
165 |
'modified_by' => 1, |
166 |
'created' => '2010-07-15 14:11:00', |
167 |
'modified' => '2010-07-19 10:45:41' |
168 |
), |
169 |
'GrantsMember' => array( |
170 |
0 => array( |
171 |
'id' => 68, |
172 |
'grant_id' => 120, |
173 |
'member_id' => 16, |
174 |
'program_id' => 29, |
175 |
'pi_percent_commitment' => 1 |
176 |
) |
177 |
) |
178 |
); |
179 |
$result = Sanitize::clean($data, array('connection' => 'test')); |
180 |
$this->assertEquals($data, $result); |
181 |
} |
182 |
|
183 |
/**
|
184 |
* testHtml method
|
185 |
*
|
186 |
* @return void
|
187 |
*/
|
188 |
public function testHtml() { |
189 |
$string = '<p>This is a <em>test string</em> & so is this</p>'; |
190 |
$expected = 'This is a test string & so is this'; |
191 |
$result = Sanitize::html($string, array('remove' => true)); |
192 |
$this->assertEquals($expected, $result); |
193 |
|
194 |
$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true'; |
195 |
$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true'; |
196 |
$result = Sanitize::html($string); |
197 |
$this->assertEquals($expected, $result); |
198 |
|
199 |
$string = 'The "lazy" dog \'jumped\''; |
200 |
$expected = 'The "lazy" dog \'jumped\''; |
201 |
$result = Sanitize::html($string, array('quotes' => ENT_COMPAT)); |
202 |
$this->assertEquals($expected, $result); |
203 |
|
204 |
$string = 'The "lazy" dog \'jumped\''; |
205 |
$result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES)); |
206 |
$this->assertEquals($string, $result); |
207 |
|
208 |
$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true'; |
209 |
$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true'; |
210 |
$result = Sanitize::html($string); |
211 |
$this->assertEquals($expected, $result); |
212 |
|
213 |
$string = 'The "lazy" dog & his friend Apple® conquered the world'; |
214 |
$expected = 'The "lazy" dog & his friend Apple&reg; conquered the world'; |
215 |
$result = Sanitize::html($string); |
216 |
$this->assertEquals($expected, $result); |
217 |
|
218 |
$string = 'The "lazy" dog & his friend Apple® conquered the world'; |
219 |
$expected = 'The "lazy" dog & his friend Apple® conquered the world'; |
220 |
$result = Sanitize::html($string, array('double' => false)); |
221 |
$this->assertEquals($expected, $result); |
222 |
} |
223 |
|
224 |
/**
|
225 |
* testStripWhitespace method
|
226 |
*
|
227 |
* @return void
|
228 |
*/
|
229 |
public function testStripWhitespace() { |
230 |
$string = "This sentence \t\t\t has lots of \n\n white\nspace \rthat \r\n needs to be \t \n trimmed."; |
231 |
$expected = "This sentence has lots of whitespace that needs to be trimmed."; |
232 |
$result = Sanitize::stripWhitespace($string); |
233 |
$this->assertEquals($expected, $result); |
234 |
|
235 |
$text = 'I love ßá†ö√ letters.'; |
236 |
$result = Sanitize::stripWhitespace($text); |
237 |
$expected = 'I love ßá†ö√ letters.'; |
238 |
$this->assertEquals($expected, $result); |
239 |
} |
240 |
|
241 |
/**
|
242 |
* testParanoid method
|
243 |
*
|
244 |
* @return void
|
245 |
*/
|
246 |
public function testParanoid() { |
247 |
$string = 'I would like to !%@#% & dance & sing ^$&*()-+'; |
248 |
$expected = 'Iwouldliketodancesing'; |
249 |
$result = Sanitize::paranoid($string); |
250 |
$this->assertEquals($expected, $result); |
251 |
|
252 |
$string = array('This |s th% s0ng that never ends it g*es', |
253 |
'on and on my friends, b^ca#use it is the',
|
254 |
'so&g th===t never ends.');
|
255 |
$expected = array('This s th% s0ng that never ends it g*es', |
256 |
'on and on my friends bcause it is the',
|
257 |
'sog tht never ends.');
|
258 |
$result = Sanitize::paranoid($string, array('%', '*', '.', ' ')); |
259 |
$this->assertEquals($expected, $result); |
260 |
|
261 |
$string = "anything' OR 1 = 1"; |
262 |
$expected = 'anythingOR11'; |
263 |
$result = Sanitize::paranoid($string); |
264 |
$this->assertEquals($expected, $result); |
265 |
|
266 |
$string = "x' AND email IS NULL; --"; |
267 |
$expected = 'xANDemailISNULL'; |
268 |
$result = Sanitize::paranoid($string); |
269 |
$this->assertEquals($expected, $result); |
270 |
|
271 |
$string = "x' AND 1=(SELECT COUNT(*) FROM users); --"; |
272 |
$expected = 'xAND1SELECTCOUNTFROMusers'; |
273 |
$result = Sanitize::paranoid($string); |
274 |
$this->assertEquals($expected, $result); |
275 |
|
276 |
$string = "x'; DROP TABLE members; --"; |
277 |
$expected = 'xDROPTABLEmembers'; |
278 |
$result = Sanitize::paranoid($string); |
279 |
$this->assertEquals($expected, $result); |
280 |
} |
281 |
|
282 |
/**
|
283 |
* testStripImages method
|
284 |
*
|
285 |
* @return void
|
286 |
*/
|
287 |
public function testStripImages() { |
288 |
$string = '<img src="/img/test.jpg" alt="my image" />'; |
289 |
$expected = 'my image<br />'; |
290 |
$result = Sanitize::stripImages($string); |
291 |
$this->assertEquals($expected, $result); |
292 |
|
293 |
$string = '<img src="javascript:alert(\'XSS\');" />'; |
294 |
$expected = ''; |
295 |
$result = Sanitize::stripImages($string); |
296 |
$this->assertEquals($expected, $result); |
297 |
|
298 |
$string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>'; |
299 |
$expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />'; |
300 |
$result = Sanitize::stripImages($string); |
301 |
$this->assertEquals($expected, $result); |
302 |
|
303 |
$string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>'; |
304 |
$expected = '<a onclick="medium()" href="http://example.com"></a>'; |
305 |
$result = Sanitize::stripImages($string); |
306 |
$this->assertEquals($expected, $result); |
307 |
} |
308 |
|
309 |
/**
|
310 |
* testStripScripts method
|
311 |
*
|
312 |
* @return void
|
313 |
*/
|
314 |
public function testStripScripts() { |
315 |
$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />'; |
316 |
$expected = ''; |
317 |
$result = Sanitize::stripScripts($string); |
318 |
$this->assertEquals($expected, $result); |
319 |
|
320 |
$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . "\n" . |
321 |
'<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . |
322 |
'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . |
323 |
'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
|
324 |
$expected = "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . |
325 |
'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . |
326 |
'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
|
327 |
$result = Sanitize::stripScripts($string); |
328 |
$this->assertEquals($expected, $result); |
329 |
|
330 |
$string = '<script type="text/javascript"> alert("hacked!");</script>'; |
331 |
$expected = ''; |
332 |
$result = Sanitize::stripScripts($string); |
333 |
$this->assertEquals($expected, $result); |
334 |
|
335 |
$string = '<script> alert("hacked!");</script>'; |
336 |
$expected = ''; |
337 |
$result = Sanitize::stripScripts($string); |
338 |
$this->assertEquals($expected, $result); |
339 |
|
340 |
$string = '<style>#content { display:none; }</style>'; |
341 |
$expected = ''; |
342 |
$result = Sanitize::stripScripts($string); |
343 |
$this->assertEquals($expected, $result); |
344 |
|
345 |
$string = '<style type="text/css"><!-- #content { display:none; } --></style>'; |
346 |
$expected = ''; |
347 |
$result = Sanitize::stripScripts($string); |
348 |
$this->assertEquals($expected, $result); |
349 |
|
350 |
$string = <<<HTML |
351 |
text
|
352 |
<style type="text/css">
|
353 |
<!--
|
354 |
#content { display:none; }
|
355 |
-->
|
356 |
</style>
|
357 |
text
|
358 |
HTML;
|
359 |
$expected = "text\n\ntext"; |
360 |
$result = Sanitize::stripScripts($string); |
361 |
$this->assertTextEquals($expected, $result); |
362 |
|
363 |
$string = <<<HTML |
364 |
text
|
365 |
<script type="text/javascript">
|
366 |
<!--
|
367 |
alert('wooo');
|
368 |
-->
|
369 |
</script>
|
370 |
text
|
371 |
HTML;
|
372 |
$expected = "text\n\ntext"; |
373 |
$result = Sanitize::stripScripts($string); |
374 |
$this->assertTextEquals($expected, $result); |
375 |
} |
376 |
|
377 |
/**
|
378 |
* testStripAll method
|
379 |
*
|
380 |
* @return void
|
381 |
*/
|
382 |
public function testStripAll() { |
383 |
$string = '<img """><script>alert("xss")</script>"/>'; |
384 |
$expected = '"/>'; |
385 |
$result = Sanitize::stripAll($string); |
386 |
$this->assertEquals($expected, $result); |
387 |
|
388 |
$string = '<IMG SRC=javascript:alert('XSS')>'; |
389 |
$expected = ''; |
390 |
$result = Sanitize::stripAll($string); |
391 |
$this->assertEquals($expected, $result); |
392 |
|
393 |
$string = '<<script>alert("XSS");//<</script>'; |
394 |
$expected = '<'; |
395 |
$result = Sanitize::stripAll($string); |
396 |
$this->assertEquals($expected, $result); |
397 |
|
398 |
$string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />' . "\n" . |
399 |
"<p>This is ok \t\n text</p>\n" .
|
400 |
'<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">' . "\n" . |
401 |
'<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
|
402 |
$expected = '<p>This is ok text</p>'; |
403 |
$result = Sanitize::stripAll($string); |
404 |
$this->assertEquals($expected, $result); |
405 |
} |
406 |
|
407 |
/**
|
408 |
* testStripTags method
|
409 |
*
|
410 |
* @return void
|
411 |
*/
|
412 |
public function testStripTags() { |
413 |
$string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>'; |
414 |
$expected = 'Headline<p>My Link could go to a bad site</p>'; |
415 |
$result = Sanitize::stripTags($string, 'h2', 'a'); |
416 |
$this->assertEquals($expected, $result); |
417 |
|
418 |
$string = '<script type="text/javascript" src="http://evildomain.com"> </script>'; |
419 |
$expected = ' '; |
420 |
$result = Sanitize::stripTags($string, 'script'); |
421 |
$this->assertEquals($expected, $result); |
422 |
|
423 |
$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>'; |
424 |
$expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>'; |
425 |
$result = Sanitize::stripTags($string, 'h2', 'a'); |
426 |
$this->assertEquals($expected, $result); |
427 |
|
428 |
$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>'; |
429 |
$expected = 'Important<p>Additional information here . Read even more here</p>'; |
430 |
$result = Sanitize::stripTags($string, 'h2', 'a', 'img'); |
431 |
$this->assertEquals($expected, $result); |
432 |
|
433 |
$string = '<b>Important message!</b><br>This message will self destruct!'; |
434 |
$expected = 'Important message!<br>This message will self destruct!'; |
435 |
$result = Sanitize::stripTags($string, 'b'); |
436 |
$this->assertEquals($expected, $result); |
437 |
|
438 |
$string = '<b>Important message!</b><br />This message will self destruct!'; |
439 |
$expected = 'Important message!<br />This message will self destruct!'; |
440 |
$result = Sanitize::stripTags($string, 'b'); |
441 |
$this->assertEquals($expected, $result); |
442 |
|
443 |
$string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>'; |
444 |
$expected = 'Important<p>Additional information here . Read even more here</p>'; |
445 |
$result = Sanitize::stripTags($string, 'h2', 'a', 'img'); |
446 |
$this->assertEquals($expected, $result); |
447 |
} |
448 |
} |