diff --git a/tests/lib/template.php b/tests/lib/template.php
index b4f1a4c405..b3d0975b79 100644
--- a/tests/lib/template.php
+++ b/tests/lib/template.php
@@ -28,13 +28,23 @@ class Test_TemplateFunctions extends PHPUnit_Framework_TestCase {
}
public function testP() {
- // FIXME: do we need more testcases?
- $htmlString = "";
+ $badString = '';
ob_start();
- p($htmlString);
+ p($badString);
$result = ob_get_clean();
+ $this->assertEquals('<img onload="alert(1)" />', $result);
- $this->assertEquals("<script>alert('xss');</script>", $result);
+ $badString = "";
+ ob_start();
+ p($badString);
+ $result = ob_get_clean();
+ $this->assertEquals('<script>alert('Hacked!');</script>', $result);
+
+ $goodString = 'This is a good string without HTML.';
+ ob_start();
+ p($goodString);
+ $result = ob_get_clean();
+ $this->assertEquals('This is a good string without HTML.', $result);
}
public function testPNormalString() {
diff --git a/tests/lib/util.php b/tests/lib/util.php
index ee336aa111..c4780cc5f4 100644
--- a/tests/lib/util.php
+++ b/tests/lib/util.php
@@ -43,15 +43,32 @@ class Test_Util extends PHPUnit_Framework_TestCase {
}
function testSanitizeHTML() {
+ $badArray = array(
+ 'While it is unusual to pass an array',
+ 'this function actually it.',
+ 'And therefore there needs to be a for it!'
+ );
+ $goodArray = array(
+ 'While it is unusual to pass an array',
+ 'this function actually <blink>supports</blink> it.',
+ 'And therefore there needs to be a <script>alert("Unit"+'test')</script> for it!'
+ );
+ $result = OC_Util::sanitizeHTML($badArray);
+ $this->assertEquals($goodArray, $result);
+
+ $badString = '';
+ $result = OC_Util::sanitizeHTML($badString);
+ $this->assertEquals('<img onload="alert(1)" />', $result);
+
$badString = "";
$result = OC_Util::sanitizeHTML($badString);
- $this->assertEquals("<script>alert('Hacked!');</script>", $result);
+ $this->assertEquals('<script>alert('Hacked!');</script>', $result);
- $goodString = "This is an harmless string.";
+ $goodString = 'This is a good string without HTML.';
$result = OC_Util::sanitizeHTML($goodString);
- $this->assertEquals("This is an harmless string.", $result);
+ $this->assertEquals('This is a good string without HTML.', $result);
}
-
+
function testEncodePath(){
$component = '/§#@test%&^ä/-child';
$result = OC_Util::encodePath($component);