<?php
/**
 * SanitizeTest file
 *
 * Loads the Sanitize class under test from the Utility package and
 * defines the test models and the SanitizeTest case below.
 *
 * PHP 5
 *
 * CakePHP(tm) Tests <http://book.cakephp.org/2.0/en/development/testing.html>
 * Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 *
 * Licensed under The MIT License
 * For full copyright and license information, please see the LICENSE.txt
 * Redistributions of files must retain the above copyright notice
 *
 * @copyright     Copyright (c) Cake Software Foundation, Inc. (http://cakefoundation.org)
 * @link          http://book.cakephp.org/2.0/en/development/testing.html CakePHP(tm) Tests
 * @package       Cake.Test.Case.Utility
 * @since         CakePHP(tm) v 1.2.0.5428
 * @license       http://www.opensource.org/licenses/mit-license.php MIT License
 */

App::uses('Sanitize', 'Utility');
/**
 * SanitizeDataTest model
 *
 * Minimal test model mapped to the data_tests table (presumably the table
 * behind the core.data_test fixture declared on SanitizeTest below).
 *
 * @package       Cake.Test.Case.Utility
 */
class SanitizeDataTest extends CakeTestModel {

/**
 * Name of the table this model is bound to.
 *
 * @var string
 */
	public $useTable = 'data_tests';

}
/**
 * SanitizeArticle model
 *
 * Minimal test model mapped to the articles table (presumably the table
 * behind the core.article fixture declared on SanitizeTest below).
 *
 * @package       Cake.Test.Case.Utility
 */
class SanitizeArticle extends CakeTestModel {

/**
 * Name of the table this model is bound to.
 *
 * @var string
 */
	public $useTable = 'articles';

}
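/**
 * SanitizeTest class
 *
 * Exercises the static helpers of Sanitize: escape(), clean(), html(),
 * stripWhitespace(), paranoid(), stripImages(), stripScripts(), stripAll()
 * and stripTags(). The datasource-backed helpers (escape/clean) are given
 * the 'test' connection name; the fixtures are declared but, because
 * $autoFixtures is false, not loaded automatically.
 *
 * NOTE(review): the string literals in this listing were altered by the page
 * renderer — spaces were inserted inside double-quoted strings and around
 * escape sequences, and HTML entities in several expected values were decoded
 * back to raw characters (e.g. the bare 'other' nested inside a single-quoted
 * string in testClean, which does not even parse as PHP). Take the exact
 * fixture and expected strings from the repository source, not from here.
 *
 * @package       Cake.Test.Case.Utility
 */
class SanitizeTest extends CakeTestCase {

/**
 * autoFixtures property
 *
 * Fixtures are declared below but not loaded up front; the tests only need
 * the connection name that Sanitize::escape()/clean() receive.
 *
 * @var boolean
 */
	public $autoFixtures = false;

/**
 * fixtures property
 *
 * @var array
 */
	public $fixtures = array('core.data_test', 'core.article');

/**
 * Sanitize::escape() against the 'test' connection must return values
 * that contain nothing to escape unchanged — plain strings, ints, floats,
 * a string with a leading '#', null and both booleans — and must not
 * coerce the non-string scalars to strings.
 *
 * @return void
 */
	public function testEscapeAlphaNumeric() {
		$resultAlpha = Sanitize::escape('abc', 'test');
		$this->assertEquals('abc', $resultAlpha);

		$resultNumeric = Sanitize::escape('123', 'test');
		$this->assertEquals('123', $resultNumeric);

		$resultNumeric = Sanitize::escape(1234, 'test');
		$this->assertEquals(1234, $resultNumeric);

		$resultNumeric = Sanitize::escape(1234.23, 'test');
		$this->assertEquals(1234.23, $resultNumeric);

		$resultNumeric = Sanitize::escape('#1234.23', 'test');
		$this->assertEquals('#1234.23', $resultNumeric);

		$resultNull = Sanitize::escape(null, 'test');
		$this->assertEquals(null, $resultNull);

		$resultNull = Sanitize::escape(false, 'test');
		$this->assertEquals(false, $resultNull);

		$resultNull = Sanitize::escape(true, 'test');
		$this->assertEquals(true, $resultNull);
	}

/**
 * Sanitize::clean() with the 'connection' option and each of the toggles it
 * honours: 'encode' (HTML encoding of the value), 'escape' (datasource
 * escaping of quotes, compared against Sanitize::escape() directly),
 * 'dollar' (an escaped "\$" becomes "$"), 'carriage' (removal of "\r") and
 * 'odd_spaces'. Arrays, including nested ones, are cleaned element by
 * element; an empty string and a record array containing nothing to clean
 * come back unchanged.
 *
 * @return void
 */
	public function testClean() {
		$string = 'test & "quote" \'other\' ;.$ symbol.' . " \r " . 'another line';
		$expected = 'test & "quote" 'other' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		$string = 'test & "quote" \'other\' ;.$ symbol.' . " \r " . 'another line';
		// With 'encode' off, the quotes are still run through datasource escaping.
		$expected = 'test & ' . Sanitize::escape('"quote"', 'test') . ' ' . Sanitize::escape('\'other\'', 'test') . ' ;.$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . " \r " . 'another line';
		$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . " \r " . 'another line';
		// 'dollar' => false keeps the backslash in front of the dollar sign.
		$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		$string = 'test & "quote" \'other\' ;.$ symbol.' . " \r " . 'another line';
		// 'carriage' => false keeps the carriage return in the output.
		$expected = 'test & "quote" \'other\' ;.$ symbol.' . " \r " . 'another line';
		$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		$array = array(array('test & "quote" \'other\' ;.$ symbol.' . " \r " . 'another line'));
		$expected = array(array('test & "quote" 'other' ;.$ symbol.another line'));
		$result = Sanitize::clean($array, array('connection' => 'test'));
		$this->assertEquals($expected, $result);

		$array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . " \r " . 'another line'));
		$expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line'));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		$array = array(array('test odd Ä spacesé'));
		$expected = array(array('test odd Ä spacesé'));
		$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		// Nested arrays (value inside an array inside an array) are cleaned too.
		$array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . " \r " . 'another line')));
		$expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line')));
		$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test'));
		$this->assertEquals($expected, $result);

		$string = '';
		$expected = '';
		$result = Sanitize::clean($string, array('connection' => 'test'));
		// Compare the cleaned value, not the input: the original assertion
		// checked $string against itself and could never fail.
		$this->assertEquals($expected, $result);

		$data = array(
			'Grant' => array(
				'title' => '2 o clock grant',
				'grant_peer_review_id' => 3,
				'institution_id' => 5,
				'created_by' => 1,
				'modified_by' => 1,
				'created' => '2010-07-15 14:11:00',
				'modified' => '2010-07-19 10:45:41'
			),
			'GrantsMember' => array(
				0 => array(
					'id' => 68,
					'grant_id' => 120,
					'member_id' => 16,
					'program_id' => 29,
					'pi_percent_commitment' => 1
				)
			)
		);
		$result = Sanitize::clean($data, array('connection' => 'test'));
		$this->assertEquals($data, $result);
	}

/**
 * Sanitize::html(): 'remove' => true strips the tags first; the default
 * call encodes the markup instead of removing it; 'quotes' => ENT_COMPAT
 * and ENT_NOQUOTES narrow which quote characters are encoded; 'double'
 * controls whether an entity already present in the input is encoded a
 * second time (as printed, the expected values for the last two cases have
 * had their entities decoded by the renderer — see the class docblock).
 *
 * @return void
 */
	public function testHtml() {
		$string = '<p>This is a <em>test string</em> & so is this</p>';
		$expected = 'This is a test string & so is this';
		$result = Sanitize::html($string, array('remove' => true));
		$this->assertEquals($expected, $result);

		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		$string = 'The "lazy" dog \'jumped\'';
		$expected = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_COMPAT));
		$this->assertEquals($expected, $result);

		// ENT_NOQUOTES leaves both quote characters untouched.
		$string = 'The "lazy" dog \'jumped\'';
		$result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES));
		$this->assertEquals($string, $result);

		$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple&reg; conquered the world';
		$result = Sanitize::html($string);
		$this->assertEquals($expected, $result);

		$string = 'The "lazy" dog & his friend Apple® conquered the world';
		$expected = 'The "lazy" dog & his friend Apple® conquered the world';
		$result = Sanitize::html($string, array('double' => false));
		$this->assertEquals($expected, $result);
	}

/**
 * Sanitize::stripWhitespace() collapses runs of tabs, newlines, carriage
 * returns and spaces, and leaves multibyte (non-ASCII) letters intact.
 *
 * @return void
 */
	public function testStripWhitespace() {
		$string = " This sentence \t \t \t has lots of \n \n white \n space \r that \r \n needs to be \t \n trimmed. ";
		$expected = " This sentence has lots of whitespace that needs to be trimmed. ";
		$result = Sanitize::stripWhitespace($string);
		$this->assertEquals($expected, $result);

		$text = 'I love ßá†ö√ letters.';
		$result = Sanitize::stripWhitespace($text);
		$expected = 'I love ßá†ö√ letters.';
		$this->assertEquals($expected, $result);
	}

/**
 * Sanitize::paranoid() keeps only letters and digits by default; the
 * optional second argument lists extra characters to keep ('%', '*', '.'
 * and space here). Arrays are processed element by element. The last four
 * cases feed SQL-shaped strings and assert that quotes, punctuation and
 * whitespace are all removed, leaving just the alphanumerics.
 *
 * @return void
 */
	public function testParanoid() {
		$string = 'I would like to !%@#% & dance & sing ^$&*()-+';
		$expected = 'Iwouldliketodancesing';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = array('This |s th% s0ng that never ends it g*es',
			'on and on my friends, b^ca#use it is the',
			'so&g th===t never ends.');
		$expected = array('This s th% s0ng that never ends it g*es',
			'on and on my friends bcause it is the',
			'sog tht never ends.');
		$result = Sanitize::paranoid($string, array('%', '*', '.', ' '));
		$this->assertEquals($expected, $result);

		$string = " anything' OR 1 = 1 ";
		$expected = 'anythingOR11';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = " x' AND email IS NULL; -- ";
		$expected = 'xANDemailISNULL';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = " x' AND 1=(SELECT COUNT(*) FROM users); -- ";
		$expected = 'xAND1SELECTCOUNTFROMusers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);

		$string = " x'; DROP TABLE members; -- ";
		$expected = 'xDROPTABLEmembers';
		$result = Sanitize::paranoid($string);
		$this->assertEquals($expected, $result);
	}

/**
 * Sanitize::stripImages() replaces an <img> that has an alt attribute with
 * the alt text followed by '<br />', drops an <img> without alt entirely
 * (including one with an onclick handler), and leaves an enclosing <a>
 * element — attributes included — in place.
 *
 * @return void
 */
	public function testStripImages() {
		$string = '<img src="/img/test.jpg" alt="my image" />';
		$expected = 'my image<br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		$string = '<img src="javascript:alert(\'XSS\');" />';
		$expected = '';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		$string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>';
		$expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);

		$string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>';
		$expected = '<a onclick="medium()" href="http://example.com"></a>';
		$result = Sanitize::stripImages($string);
		$this->assertEquals($expected, $result);
	}

/**
 * Sanitize::stripScripts() removes stylesheet <link> elements, <script>
 * blocks (with or without a type attribute) and <style> blocks, including
 * multi-line blocks whose body is wrapped in an HTML comment. Other <link>
 * elements (icon, shortcut icon, alternate) are kept, as is the
 * surrounding text and the newlines between elements.
 *
 * @return void
 */
	public function testStripScripts() {
		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . " \n " .
			'<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . " \n " .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . " \n " .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		// Only the stylesheet link goes; its trailing newline survives.
		$expected = " \n " . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . " \n " .
			'<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . " \n " .
			'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<script type="text/javascript"> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<script> alert("hacked!");</script>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<style>#content { display:none; }</style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		$string = '<style type="text/css"><!-- #content { display:none; } --></style>';
		$expected = '';
		$result = Sanitize::stripScripts($string);
		$this->assertEquals($expected, $result);

		// Multi-line <style> block wrapped in an HTML comment.
		$string = <<<HTML
text
< style type = " text/css " >
<!--
#content { display:none; }
-->
</ style >
text
HTML;
		$expected = " text \n \n text ";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);

		// Multi-line <script> block wrapped in an HTML comment.
		$string = <<<HTML
text
< script type = " text/javascript " >
<!--
alert ( 'wooo' );
-->
</ script >
text
HTML;
		$expected = " text \n \n text ";
		$result = Sanitize::stripScripts($string);
		$this->assertTextEquals($expected, $result);
	}

/**
 * Sanitize::stripAll() applies the image, script and whitespace stripping
 * together. Note what the expected values say about its limits: a stray
 * '"/>' and a leading '<' are left behind once the recognised elements are
 * removed, so the output is not guaranteed to be free of markup fragments.
 *
 * @return void
 */
	public function testStripAll() {
		$string = '<img """><script>alert("xss")</script>"/>';
		$expected = '"/>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		$string = '<IMG SRC=javascript:alert('XSS')>';
		$expected = '';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		$string = '<<script>alert("XSS");//<</script>';
		$expected = '<';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);

		$string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />' . " \n " .
			" <p>This is ok \t \n text</p> \n " .
			'<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">' . " \n " .
			'<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
		$expected = '<p>This is ok text</p>';
		$result = Sanitize::stripAll($string);
		$this->assertEquals($expected, $result);
	}

/**
 * Sanitize::stripTags() removes only the tag names passed as extra
 * arguments — opening and closing tags, attributes included — while keeping
 * their content; tags that are not listed (<p>, <br>, <br />, <img> when
 * omitted) are left untouched.
 *
 * @return void
 */
	public function testStripTags() {
		$string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>';
		$expected = 'Headline<p>My Link could go to a bad site</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		$string = '<script type="text/javascript" src="http://evildomain.com"> </script>';
		$expected = ' ';
		$result = Sanitize::stripTags($string, 'script');
		$this->assertEquals($expected, $result);

		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a');
		$this->assertEquals($expected, $result);

		$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);

		$string = '<b>Important message!</b><br>This message will self destruct!';
		$expected = 'Important message!<br>This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		$string = '<b>Important message!</b><br />This message will self destruct!';
		$expected = 'Important message!<br />This message will self destruct!';
		$result = Sanitize::stripTags($string, 'b');
		$this->assertEquals($expected, $result);

		// Attributes on a listed tag, including event handlers, go with the tag.
		$string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
		$expected = 'Important<p>Additional information here . Read even more here</p>';
		$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
		$this->assertEquals($expected, $result);
	}

}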