mbk-lab
/
nextcloud
2
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #8304 from owncloud/add-xss-tests 

Add unit tests for arrays and quotationmark

* owncloud/add-xss-tests:
  Remove uneeded newline
  Fix indentation
  Add unit tests for arrays and "
This commit is contained in:
Andreas Fischer 2014-04-24 15:09:36 +02:00
parent 522d101607 9d3b639ce6
commit f9091a8584
2 changed files with 35 additions and 8 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
tests/lib/template.php
View File

@ -28,13 +28,23 @@ class Test_TemplateFunctions extends PHPUnit_Framework_TestCase {
}
public function testP() {
// FIXME: do we need more testcases?
$htmlString = "<script>alert('xss');</script>";
$badString = '<img onload="alert(1)" />';
ob_start();
p($htmlString);
p($badString);
$result = ob_get_clean();
$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
$this->assertEquals("&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;", $result);
$badString = "<script>alert('Hacked!');</script>";
ob_start();
p($badString);
$result = ob_get_clean();
$this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
$goodString = 'This is a good string without HTML.';
ob_start();
p($goodString);
$result = ob_get_clean();
$this->assertEquals('This is a good string without HTML.', $result);
}
public function testPNormalString() {

25
tests/lib/util.php
View File

@ -43,15 +43,32 @@ class Test_Util extends PHPUnit_Framework_TestCase {
}
function testSanitizeHTML() {
$badArray = array(
'While it is unusual to pass an array',
'this function actually <blink>supports</blink> it.',
'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!'
);
$goodArray = array(
'While it is unusual to pass an array',
'this function actually &lt;blink&gt;supports&lt;/blink&gt; it.',
'And therefore there needs to be a &lt;script&gt;alert(&quot;Unit&quot;+&#039;test&#039;)&lt;/script&gt; for it!'
);
$result = OC_Util::sanitizeHTML($badArray);
$this->assertEquals($goodArray, $result);
$badString = '<img onload="alert(1)" />';
$result = OC_Util::sanitizeHTML($badString);
$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
$badString = "<script>alert('Hacked!');</script>";
$result = OC_Util::sanitizeHTML($badString);
$this->assertEquals("&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;", $result);
$this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
$goodString = "This is an harmless string.";
$goodString = 'This is a good string without HTML.';
$result = OC_Util::sanitizeHTML($goodString);
$this->assertEquals("This is an harmless string.", $result);
$this->assertEquals('This is a good string without HTML.', $result);
}
function testEncodePath(){
$component = '/§#@test%&^ä/-child';
$result = OC_Util::encodePath($component);