Merge pull request #8304 from owncloud/add-xss-tests
Add unit tests for arrays and quotation marks * owncloud/add-xss-tests: Remove unneeded newline; Fix indentation; Add unit tests for arrays and "
commit
f9091a8584
2 changed files with 35 additions and 8 deletions
|
@ -28,13 +28,23 @@ class Test_TemplateFunctions extends PHPUnit_Framework_TestCase {
|
|||
}
|
||||
|
||||
public function testP() {
|
||||
// FIXME: do we need more testcases?
|
||||
$htmlString = "<script>alert('xss');</script>";
|
||||
$badString = '<img onload="alert(1)" />';
|
||||
ob_start();
|
||||
p($htmlString);
|
||||
p($badString);
|
||||
$result = ob_get_clean();
|
||||
$this->assertEquals('<img onload="alert(1)" />', $result);
|
||||
|
||||
$this->assertEquals("<script>alert('xss');</script>", $result);
|
||||
$badString = "<script>alert('Hacked!');</script>";
|
||||
ob_start();
|
||||
p($badString);
|
||||
$result = ob_get_clean();
|
||||
$this->assertEquals('<script>alert('Hacked!');</script>', $result);
|
||||
|
||||
$goodString = 'This is a good string without HTML.';
|
||||
ob_start();
|
||||
p($goodString);
|
||||
$result = ob_get_clean();
|
||||
$this->assertEquals('This is a good string without HTML.', $result);
|
||||
}
|
||||
|
||||
public function testPNormalString() {
|
||||
|
|
|
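Review bot: The expected values in the new `assertEquals` calls after each `p($badString)` read, as rendered here, identically to the raw strings passed to `p()`, which would make the test pass only if `p()` did no escaping at all, and the single-quoted expected literal for the `Hacked!` case contains bare `'` characters that PHP would not even parse; this is almost certainly the page decoding the `&lt;`/`&quot;`/`&#039;` entities, so the thing to confirm is that the committed file keeps the entity-encoded forms (the same caveat applies to the `testSanitizeHTML` hunk below). Beyond that, the three inputs exercise only `<`, `>`, `"` and `'`; one case with a literal `&` in the input (e.g. `p('a &amp; b');` with the intended output written out explicitly) would pin down whether already-encoded input is double-escaped, which is the behaviour that otherwise stays unspecified. For string comparisons `assertSame` is preferable to `assertEquals`, since PHPUnit's scalar comparator applies loose `==` semantics. With three cases now present, the `// FIXME: do we need more testcases?` comment kept at the top of `testP()` could either be dropped or reworded to name what is still missing.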
@ -43,15 +43,32 @@ class Test_Util extends PHPUnit_Framework_TestCase {
|
|||
}
|
||||
|
||||
function testSanitizeHTML() {
|
||||
$badArray = array(
|
||||
'While it is unusual to pass an array',
|
||||
'this function actually <blink>supports</blink> it.',
|
||||
'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!'
|
||||
);
|
||||
$goodArray = array(
|
||||
'While it is unusual to pass an array',
|
||||
'this function actually <blink>supports</blink> it.',
|
||||
'And therefore there needs to be a <script>alert("Unit"+'test')</script> for it!'
|
||||
);
|
||||
$result = OC_Util::sanitizeHTML($badArray);
|
||||
$this->assertEquals($goodArray, $result);
|
||||
|
||||
$badString = '<img onload="alert(1)" />';
|
||||
$result = OC_Util::sanitizeHTML($badString);
|
||||
$this->assertEquals('<img onload="alert(1)" />', $result);
|
||||
|
||||
$badString = "<script>alert('Hacked!');</script>";
|
||||
$result = OC_Util::sanitizeHTML($badString);
|
||||
$this->assertEquals("<script>alert('Hacked!');</script>", $result);
|
||||
$this->assertEquals('<script>alert('Hacked!');</script>', $result);
|
||||
|
||||
$goodString = "This is an harmless string.";
|
||||
$goodString = 'This is a good string without HTML.';
|
||||
$result = OC_Util::sanitizeHTML($goodString);
|
||||
$this->assertEquals("This is an harmless string.", $result);
|
||||
$this->assertEquals('This is a good string without HTML.', $result);
|
||||
}
|
||||
|
||||
|
||||
function testEncodePath(){
|
||||
$component = '/§#@test%&^ä/-child';
|
||||
$result = OC_Util::encodePath($component);
|
||||
|
|
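Review bot: The new array case in `testSanitizeHTML()` only passes a plain list, so whether `OC_Util::sanitizeHTML()` preserves string keys or handles nested arrays is not pinned down; adding one associative entry such as `'key' => '<b>x</b>'` to `$badArray` and the matching escaped entry to `$goodArray` would cover the key-preservation contract, and since the implementation is outside this hunk I cannot tell from here how nested values are treated. The escaped strings in `$goodArray` and in the `<img ...>` / `<script>` assertions are compared with `assertEquals`; `assertSame` would be stricter for scalar strings. The function body of `testEncodePath()` at the end of the hunk continues outside it.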