mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Add unit tests for arrays and " 

OC_Util::sanitizeHTML() also supports array but we actually had no unit test for it. Additionally this commit introduces a test for escaping " into "
This commit is contained in:
Lukas Reschke 2014-04-22 20:09:55 +02:00
parent c1c2f2c49e
commit f07180639c
2 changed files with 37 additions and 9 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
tests/lib/template.php
View File

@ -28,13 +28,23 @@ class Test_TemplateFunctions extends PHPUnit_Framework_TestCase {
} }
public function testP() { public function testP() {
// FIXME: do we need more testcases? $badString = '<img onload="alert(1)" />';
$htmlString = "<script>alert('xss');</script>";
ob_start(); ob_start();
p($htmlString); p($badString);
$result = ob_get_clean(); $result = ob_get_clean();
$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
$this->assertEquals("&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;", $result); $badString = "<script>alert('Hacked!');</script>";
ob_start();
p($badString);
$result = ob_get_clean();
$this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
$goodString = 'This is a good string without HTML.';
ob_start();
p($goodString);
$result = ob_get_clean();
$this->assertEquals('This is a good string without HTML.', $result);
} }
public function testPNormalString() { public function testPNormalString() {

24
tests/lib/util.php
View File

@ -43,15 +43,33 @@ class Test_Util extends PHPUnit_Framework_TestCase {
} }
function testSanitizeHTML() { function testSanitizeHTML() {
$badArray = array(
'While it is unusual to pass an array',
'this function actually <blink>supports</blink> it.',
'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!'
);
$goodArray = array(
'While it is unusual to pass an array',
'this function actually &lt;blink&gt;supports&lt;/blink&gt; it.',
'And therefore there needs to be a &lt;script&gt;alert(&quot;Unit&quot;+&#039;test&#039;)&lt;/script&gt; for it!'
);
$result = OC_Util::sanitizeHTML($badArray);
$this->assertEquals($goodArray, $result);
$badString = '<img onload="alert(1)" />';
$result = OC_Util::sanitizeHTML($badString);
$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
$badString = "<script>alert('Hacked!');</script>"; $badString = "<script>alert('Hacked!');</script>";
$result = OC_Util::sanitizeHTML($badString); $result = OC_Util::sanitizeHTML($badString);
$this->assertEquals("&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;", $result); $this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
$goodString = "This is an harmless string."; $goodString = 'This is a good string without HTML.';
$result = OC_Util::sanitizeHTML($goodString); $result = OC_Util::sanitizeHTML($goodString);
$this->assertEquals("This is an harmless string.", $result); $this->assertEquals('This is a good string without HTML.', $result);
} }
function testEncodePath(){ function testEncodePath(){
$component = '/§#@test%&^ä/-child'; $component = '/§#@test%&^ä/-child';
$result = OC_Util::encodePath($component); $result = OC_Util::encodePath($component);