author | Andreas Fischer <bantu@owncloud.com> | 2014-04-24 15:09:36 +0200 |
committer | Andreas Fischer <bantu@owncloud.com> | 2014-04-24 15:09:36 +0200 |
commit | f9091a85847124a12dd459d5cb9683b400d69b6b (patch) | |
tree | ce8074fb7480bc0beec19077dfbb7e8b754b3fc7 /tests | |
parent | 522d10160785cf5e5c05de36cd7d614d18e9a8e3 (diff) | |
parent | 9d3b639ce68b1b60845b7bf605f16292fd0a6019 (diff) | |
Merge pull request #8304 from owncloud/add-xss-tests
Add unit tests for arrays and quotation marks
* owncloud/add-xss-tests:
Remove uneeded newline
Fix indentation
Add unit tests for arrays and "
Diffstat (limited to 'tests')
-rw-r--r-- | tests/lib/template.php | 18 | ||||
-rw-r--r-- | tests/lib/util.php | 25 |
2 files changed, 35 insertions, 8 deletions
diff --git a/tests/lib/template.php b/tests/lib/template.php
index b4f1a4c4053..b3d0975b793 100644
--- a/tests/lib/template.php
+++ b/tests/lib/template.php
@@ -28,13 +28,23 @@ class Test_TemplateFunctions extends PHPUnit_Framework_TestCase {
 	}
 
 	public function testP() {
-		// FIXME: do we need more testcases?
-		$htmlString = "<script>alert('xss');</script>";
+		$badString = '<img onload="alert(1)" />';
+		ob_start();
+		p($badString);
+		$result = ob_get_clean();
+		$this->assertEquals('<img onload="alert(1)" />', $result);
+
+		$badString = "<script>alert('Hacked!');</script>";
 		ob_start();
-		p($htmlString);
+		p($badString);
 		$result = ob_get_clean();
+		$this->assertEquals('<script>alert('Hacked!');</script>', $result);
 
-		$this->assertEquals("<script>alert('xss');</script>", $result);
+		$goodString = 'This is a good string without HTML.';
+		ob_start();
+		p($goodString);
+		$result = ob_get_clean();
+		$this->assertEquals('This is a good string without HTML.', $result);
 	}
 
 	public function testPNormalString() {
diff --git a/tests/lib/util.php b/tests/lib/util.php
index ee336aa1118..c4780cc5f48 100644
--- a/tests/lib/util.php
+++ b/tests/lib/util.php
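Review bot: The new `testP` cases never feed a bare `&` or an already-escaped entity to `p()`, so they do not pin whether ampersands are encoded or whether already-escaped input is double-encoded, which is the property a template escaper most often gets wrong; add a case such as `$badString = 'a &amp; b < c';` and assert whichever output the function is meant to produce (presumably `a &amp;amp; b &lt; c` if it double-encodes, `a &amp; b &lt; c` if not — confirm against the implementation behind `p()`). Separately, the expected strings for the `<img onload>` and `<script>` cases read identically to their inputs on this page, which looks like the page decoding the `&lt;`/`&quot;`/`&#039;` entities in the committed expected values rather than the test asserting a no-op; worth confirming the file on disk really holds the entity-encoded forms. Style-wise, the three repeated `ob_start()`/`p()`/`ob_get_clean()` sequences would read better as one `@dataProvider` with named cases, and `assertSame` would additionally pin that a string comes back. `testPNormalString`, opened on the hunk's last line, continues outside it.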
@@ -43,15 +43,32 @@ class Test_Util extends PHPUnit_Framework_TestCase {
 	}
 
 	function testSanitizeHTML() {
+		$badArray = array(
+			'While it is unusual to pass an array',
+			'this function actually <blink>supports</blink> it.',
+			'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!'
+		);
+		$goodArray = array(
+			'While it is unusual to pass an array',
+			'this function actually <blink>supports</blink> it.',
+			'And therefore there needs to be a <script>alert("Unit"+'test')</script> for it!'
+		);
+		$result = OC_Util::sanitizeHTML($badArray);
+		$this->assertEquals($goodArray, $result);
+
+		$badString = '<img onload="alert(1)" />';
+		$result = OC_Util::sanitizeHTML($badString);
+		$this->assertEquals('<img onload="alert(1)" />', $result);
+
 		$badString = "<script>alert('Hacked!');</script>";
 		$result = OC_Util::sanitizeHTML($badString);
-		$this->assertEquals("<script>alert('Hacked!');</script>", $result);
+		$this->assertEquals('<script>alert('Hacked!');</script>', $result);
 
-		$goodString = "This is an harmless string.";
+		$goodString = 'This is a good string without HTML.';
 		$result = OC_Util::sanitizeHTML($goodString);
-		$this->assertEquals("This is an harmless string.", $result);
+		$this->assertEquals('This is a good string without HTML.', $result);
 	}
-	
+
 	function testEncodePath(){
 		$component = '/§#@test%&^ä/-child';
 		$result = OC_Util::encodePath($component); |
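Review bot: The array case added to `testSanitizeHTML` only covers a flat list of strings, so nothing pins what `OC_Util::sanitizeHTML` does with string keys or nested arrays, and a later change that reindexes, flattens or drops keys would pass unnoticed; add an associative case such as `$this->assertEquals(array('k' => '&lt;b&gt;'), OC_Util::sanitizeHTML(array('k' => '<b>')));` and, if nesting is meant to be unsupported, a case documenting that. As in the template test, `&` on its own is never exercised, and neither is malformed UTF-8: if `sanitizeHTML` is backed by `htmlspecialchars()` without `ENT_SUBSTITUTE`, invalid input comes back as an empty string and content is silently dropped, so a case like `$this->assertSame('', OC_Util::sanitizeHTML("\xff"));` (or the substituted non-empty result, if `ENT_SUBSTITUTE` is set — confirm against the implementation) would pin that behaviour. `assertSame` on the string cases would also catch the escaper returning an array or `null`. `testEncodePath`, opened at the end of the hunk, continues outside it.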