<?php
/* SVN FILE: $Id$ */
/**
 * Test case for the Sanitize library (cake/libs/sanitize.php).
 *
 * Exercises connection-aware escaping, HTML encoding and tag/script/image
 * stripping, whitespace reduction, the alphanumeric "paranoid" filter and
 * model column formatting.
 *
 * PHP versions 4 and 5
 *
 * CakePHP(tm) Tests <https://trac.cakephp.org/wiki/Developement/TestSuite>
 * Copyright 2005-2008, Cake Software Foundation, Inc. (http://www.cakefoundation.org)
 *
 * Licensed under The Open Group Test Suite License
 * Redistributions of files must retain the above copyright notice.
 *
 * @filesource
 * @copyright     Copyright 2005-2008, Cake Software Foundation, Inc. (http://www.cakefoundation.org)
 * @link          https://trac.cakephp.org/wiki/Developement/TestSuite CakePHP(tm) Tests
 * @package       cake.tests
 * @subpackage    cake.tests.cases.libs
 * @since         CakePHP(tm) v 1.2.0.5428
 * @version       $Revision$
 * @modifiedby    $LastChangedBy$
 * @lastmodified  $Date$
 * @license       http://www.opensource.org/licenses/opengroup.php The Open Group Test Suite License
 */
App::import('Core', 'Sanitize');
/**
 * SanitizeDataTest class
 *
 * Minimal model over the data_tests table, used by SanitizeTest::testFormatColumns()
 * to check Sanitize::formatColumns() against real column types.
 *
 * @package       cake
 * @subpackage    cake.tests.cases.libs
 */
class SanitizeDataTest extends CakeTestModel {
/**
 * Table backing this model (expected to be populated by the core.data_test fixture).
 *
 * @var string 'data_tests'
 * @access public
 */
	var $useTable = 'data_tests';
/**
 * Model name; the test case overrides the alias to 'DataTest' at construction.
 *
 * @var string 'SanitizeDataTest'
 * @access public
 */
	var $name = 'SanitizeDataTest';
}
/**
 * SanitizeArticle class
 *
 * Minimal model over the articles table, used by SanitizeTest::testFormatColumns().
 *
 * @package       cake
 * @subpackage    cake.tests.cases.libs
 */
class SanitizeArticle extends CakeTestModel {
/**
 * Table backing this model (expected to be populated by the core.article fixture).
 *
 * @var string 'articles'
 * @access public
 */
	var $useTable = 'articles';
/**
 * Model name; the test case overrides the alias to 'Article' at construction.
 *
 * @var string 'SanitizeArticle'
 * @access public
 */
	var $name = 'SanitizeArticle';
}
/**
 * SanitizeTest class
 *
 * Test case for the static Sanitize methods. Most tests are pure string checks;
 * only testFormatColumns() loads fixtures.
 *
 * @package       cake.tests
 * @subpackage    cake.tests.cases.libs
 */
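class SanitizeTest extends CakeTestCase {
/**
 * Fixtures are loaded explicitly (see testFormatColumns) rather than before
 * every test; most Sanitize methods never touch the database.
 *
 * @var bool false
 * @access public
 */
	var $autoFixtures = false;
/**
 * Fixtures available to this test case.
 *
 * @var array
 * @access public
 */
	var $fixtures = array('core.data_test', 'core.article');
/**
 * Runs before each test method. Calls _initDb(), which presumably sets up the
 * 'test_suite' connection that the escape/clean tests pass by name — verify in
 * CakeTestCase.
 *
 * @param mixed $method name of the test method about to run
 * @access public
 * @return void
 */
	function startTest($method) {
		parent::startTest($method);
		$this->_initDb();
	}
/**
 * Sanitize::escape() must return alphanumeric strings, numbers, null and
 * booleans unchanged: none of these inputs contain anything that needs
 * quoting for the connection.
 *
 * @access public
 * @return void
 */
	function testEscapeAlphaNumeric() {
		$resultAlpha = Sanitize::escape('abc', 'test_suite');
		$this->assertEqual($resultAlpha, 'abc');

		$resultNumeric = Sanitize::escape('123', 'test_suite');
		$this->assertEqual($resultNumeric, '123');

		$resultNumeric = Sanitize::escape(1234, 'test_suite');
		$this->assertEqual($resultNumeric, 1234);

		$resultNumeric = Sanitize::escape(1234.23, 'test_suite');
		$this->assertEqual($resultNumeric, 1234.23);

		$resultNumeric = Sanitize::escape('#1234.23', 'test_suite');
		$this->assertEqual($resultNumeric, '#1234.23');

		$resultNull = Sanitize::escape(null, 'test_suite');
		$this->assertEqual($resultNull, null);

		$resultNull = Sanitize::escape(false, 'test_suite');
		$this->assertEqual($resultNull, false);

		$resultNull = Sanitize::escape(true, 'test_suite');
		$this->assertEqual($resultNull, true);
	}
/**
 * Sanitize::clean() with its option switches: HTML encoding ('encode'),
 * connection escaping ('escape'), backslash-dollar unescaping ('dollar'),
 * carriage-return removal ('carriage') and odd-space removal ('odd_spaces'),
 * on strings and on nested arrays.
 *
 * Fix: the final empty-string check compared $string with $expected (both ''),
 * so it could never fail; it now asserts on the value clean() returns.
 *
 * NOTE(review): the entity-encoded expected strings below were HTML-decoded in
 * the copy reviewed (the unescaped quotes made them invalid PHP). They are
 * restored to the form the default encode => true path produces; confirm the
 * exact numeric entity for the apostrophe (&#39; vs &#039;) against
 * Sanitize::html().
 *
 * @access public
 * @return void
 */
	function testClean() {
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test &amp; &quot;quote&quot; &#39;other&#39; ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		// encode => false: quotes are only escaped for the connection, & is untouched
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & ' . Sanitize::escape('"quote"', 'test_suite') . ' ' . Sanitize::escape('\'other\'', 'test_suite') . ' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		// escape => false: "\$" collapses to "$" and "\r" is dropped
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		// dollar => false keeps the backslash in front of "$"
		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		// carriage => false keeps "\r"
		$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		// arrays are cleaned element by element
		$array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'));
		$expected = array(array('test &amp; &quot;quote&quot; &#39;other&#39; ;.$ symbol.another line'));
		$result = Sanitize::clean($array, array('connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		$array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'));
		$expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line'));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		// odd_spaces => false leaves the 0xCA bytes in place
		$array = array(array('test odd ' . chr(0xCA) . ' spaces' . chr(0xCA)));
		$expected = array(array('test odd ' . chr(0xCA) . ' spaces' . chr(0xCA)));
		$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test_suite'));
		$this->assertEqual($result, $expected);

		// nested arrays with string keys are recursed into
		$array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line')));
		$expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line')));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false));
		$this->assertEqual($result, $expected);

		// empty input must come back empty; assert on the return value, not the input
		$string = '';
		$expected = '';
		$result = Sanitize::clean($string);
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::html(): with $remove = true tags are stripped; without it the
 * markup-significant characters are entity-encoded and tags survive as text.
 *
 * Output encoding of this kind is the primary defence against stored XSS;
 * the stripping tests further down only pin best-effort filtering behaviour.
 *
 * NOTE(review): the second expected string was entity-decoded in the copy
 * reviewed and has been restored to entity form. Whether html() also encodes
 * parentheses, + and - could not be told from this file — confirm against
 * Sanitize::html().
 *
 * @access public
 * @return void
 */
	function testHtml() {
		$string = '<p>This is a <em>test string</em> & so is this</p>';
		$expected = 'This is a test string & so is this';
		$result = Sanitize::html($string, true);
		$this->assertEqual($result, $expected);

		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The &quot;lazy&quot; dog &#39;jumped&#39; &amp; flew over the moon. If (1+1) = 2 &lt;em&gt;is&lt;/em&gt; true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::stripWhitespace() removes tabs, newlines and carriage returns and
 * collapses runs of spaces to a single space. The exact whitespace layout of
 * the input was not recoverable from the copy reviewed; any layout that yields
 * the expected sentence is acceptable here.
 *
 * @access public
 * @return void
 */
	function testStripWhitespace() {
		$string = "This sentence \t\t\t has lots of \n\n white\nspace \r that \r\n needs to be \t\n trimmed.";
		$expected = "This sentence has lots of whitespace that needs to be trimmed.";
		$result = Sanitize::stripWhitespace($string);
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::paranoid() keeps only letters and digits plus an optional list of
 * allowed characters, on strings and on arrays.
 *
 * The SQL-injection-shaped inputs document that behaviour only: the filter
 * destroys the data rather than making it safe, so it is not a substitute for
 * escaping/binding values per connection (Sanitize::escape or parameterised
 * queries) when the original content must be preserved.
 *
 * @access public
 * @return void
 */
	function testParanoid() {
		$string = 'I would like to !%@#% & dance & sing ^$&*()-+';
		$expected = 'Iwouldliketodancesing';
		$result = Sanitize::paranoid($string);
		$this->assertEqual($result, $expected);

		// '%', '*', '.' and ' ' are explicitly allowed; everything else non-alphanumeric goes
		$string = array('This |s th% s0ng that never ends it g*es',
						'on and on my friends, b^ca#use it is the',
						'so&g th===t never ends.');
		$expected = array('This s th% s0ng that never ends it g*es',
						'on and on my friends bcause it is the',
						'sog tht never ends.');
		$result = Sanitize::paranoid($string, array('%', '*', '.', ' '));
		$this->assertEqual($result, $expected);

		$string = "anything' OR 1 = 1";
		$expected = 'anythingOR11';
		$result = Sanitize::paranoid($string);
		$this->assertEqual($result, $expected);

		$string = "x' AND email IS NULL; --";
		$expected = 'xANDemailISNULL';
		$result = Sanitize::paranoid($string);
		$this->assertEqual($result, $expected);

		$string = "x' AND 1=(SELECT COUNT(*) FROM users); --";
		$expected = "xAND1SELECTCOUNTFROMusers";
		$result = Sanitize::paranoid($string);
		$this->assertEqual($result, $expected);

		$string = "x'; DROP TABLE members; --";
		$expected = "xDROPTABLEmembers";
		$result = Sanitize::paranoid($string);
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::stripImages() replaces <img> tags with their alt text (plus a
 * <br />) when one is present, and removes them outright otherwise.
 *
 * Note that only the image is touched: the last case pins that an onclick
 * handler on the surrounding <a> survives, so this is not an attribute filter.
 *
 * @access public
 * @return void
 */
	function testStripImages() {
		$string = '<img src="/img/test.jpg" alt="my image" />';
		$expected = 'my image<br />';
		$result = Sanitize::stripImages($string);
		$this->assertEqual($result, $expected);

		$string = '<img src="javascript:alert(\'XSS\');" />';
		$expected = '';
		$result = Sanitize::stripImages($string);
		$this->assertEqual($result, $expected);

		$string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>';
		$expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />';
		$result = Sanitize::stripImages($string);
		$this->assertEqual($result, $expected);

		$string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>';
		$expected = '<a onclick="medium()" href="http://example.com"></a>';
		$result = Sanitize::stripImages($string);
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::stripScripts() removes <script> and <style> elements (including
 * their contents) and stylesheet <link> tags, while leaving other <link>
 * relations (icon, alternate) alone.
 *
 * @access public
 * @return void
 */
	function testStripScripts() {
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEqual($result, $expected);

		// only the stylesheet link is removed; the other rel values are kept
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . '<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$expected = "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . '<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$result = Sanitize::stripScripts($string);
		$this->assertEqual($result, $expected);

		$string = '<script type="text/javascript"> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEqual($result, $expected);

		$string = '<script> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEqual($result, $expected);

		$string = '<style>#content { display:none; }</style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEqual($result, $expected);

		$string = '<style type="text/css"><!-- #content { display:none; } --></style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::stripAll() combines whitespace, image and script stripping.
 *
 * The expected values pin the filter's current output on a few classic
 * malformed-markup vectors; note that the first and third cases leave
 * fragments ('"/>' and '<') behind, so the result is not guaranteed to be
 * well-formed or inert — encode it for the output context as well.
 *
 * NOTE(review): the second input had its quotes entity-decoded in the copy
 * reviewed; the original may have been a fully entity-encoded payload. Both
 * forms are removed by the <img> pattern, so the expectation is unchanged.
 *
 * @access public
 * @return void
 */
	function testStripAll() {
		$string = '<img """><script>alert("xss")</script>"/>';
		$expected = '"/>';
		$result = Sanitize::stripAll($string);
		$this->assertEqual($result, $expected);

		$string = '<IMG SRC=javascript:alert(&#39;XSS&#39;)>';
		$expected = '';
		$result = Sanitize::stripAll($string);
		$this->assertEqual($result, $expected);

		$string = '<<script>alert("XSS");//<</script>';
		$expected = '<';
		$result = Sanitize::stripAll($string);
		$this->assertEqual($result, $expected);

		$string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />' . "\n" .
			"<p>This is ok \t\n text</p>\n" .
			'<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">' . "\n" .
			'<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
		$expected = '<p>This is ok text</p>';
		$result = Sanitize::stripAll($string);
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::stripTags() removes only the tags named in its variadic arguments
 * (opening and closing), keeping their inner content and every other tag.
 *
 * The last case pins that a malformed <h2 ...> with unbalanced attribute
 * quotes is still removed as a whole.
 *
 * @access public
 * @return void
 */
	function testStripTags() {
		$string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>';
		$expected = 'Headline<p>My Link could go to a bad site</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEqual($result, $expected);

		// only the tag is stripped; the text node between <script> and </script> remains
		$string = '<script type="text/javascript" src="http://evildomain.com"> </script>';
		$expected = ' ';
		$result = Sanitize::stripTags($string, 'script');
		$this->assertEqual($result, $expected);

		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEqual($result, $expected);

		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEqual($result, $expected);

		$string = '<b>Important message!</b><br>This message will self destruct!';
		$expected = 'Important message!<br>This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEqual($result, $expected);

		$string = '<b>Important message!</b><br />This message will self destruct!';
		$expected = 'Important message!<br />This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEqual($result, $expected);

		$string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEqual($result, $expected);
	}
/**
 * Sanitize::formatColumns() coerces a model's data to its column types:
 * non-numeric values in integer columns become '0' (id) or are truncated to
 * the leading digits ('12a' -> '12'), floats are cast, dates are normalised
 * to 'Y-m-d H:i:s', and string columns are left untouched.
 *
 * @access public
 * @return void
 */
	function testFormatColumns() {
		$this->loadFixtures('DataTest', 'Article');

		$this->DataTest =& new SanitizeDataTest(array('alias' => 'DataTest'));
		$data = array('DataTest' => array(
			'id' => 'z',
			'count' => '12a',
			'float' => '2.31456',
			'updated' => '2008-01-01'
			)
		);
		$this->DataTest->set($data);
		$expected = array('DataTest' => array(
			'id' => '0',
			'count' => '12',
			'float' => 2.31456,
			'updated' => '2008-01-01 00:00:00',
		));
		Sanitize::formatColumns($this->DataTest);
		$result = $this->DataTest->data;
		$this->assertEqual($result, $expected);

		$this->Article =& new SanitizeArticle(array('alias' => 'Article'));
		$data = array('Article' => array(
			'id' => 'ZB',
			'user_id' => '12',
			'title' => 'title of article',
			'body' => 'body text',
			'published' => 'QQQQQQQ',
		));
		$this->Article->set($data);
		$expected = array('Article' => array(
			'id' => '0',
			'user_id' => '12',
			'title' => 'title of article',
			'body' => 'body text',
			'published' => 'QQQQQQQ',
		));
		Sanitize::formatColumns($this->Article);
		$result = $this->Article->data;
		$this->assertEqual($result, $expected);
	}
}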
?>