From f07180639c5af149447bc573db58ee130575369e Mon Sep 17 00:00:00 2001
From: Lukas Reschke <lukas@statuscode.ch>
Date: Tue, 22 Apr 2014 20:09:55 +0200
Subject: [PATCH] Add unit tests for arrays and "

OC_Util::sanitizeHTML() also supports arrays, but we actually had no unit test for it. Additionally, this commit introduces a test for escaping " into &quot;
---
 tests/lib/template.php | 18 ++++++++++++++----
 tests/lib/util.php     | 28 +++++++++++++++++++++++-----
 2 files changed, 37 insertions(+), 9 deletions(-)

diff --git a/tests/lib/template.php b/tests/lib/template.php
index b4f1a4c4053..b3d0975b793 100644
--- a/tests/lib/template.php
+++ b/tests/lib/template.php
@@ -28,13 +28,23 @@ class Test_TemplateFunctions extends PHPUnit_Framework_TestCase {
 	}
 
 	public function testP() {
-		// FIXME: do we need more testcases?
-		$htmlString = "<script>alert('xss');</script>";
+		$badString = '<img onload="alert(1)" />';
+		ob_start();
+		p($badString);
+		$result = ob_get_clean();
+		$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
+
+		$badString = "<script>alert('Hacked!');</script>";
 		ob_start();
-		p($htmlString);
+		p($badString);
 		$result = ob_get_clean();
+		$this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
 
-		$this->assertEquals("&lt;script&gt;alert(&#039;xss&#039;);&lt;/script&gt;", $result);
+		$goodString = 'This is a good string without HTML.';
+		ob_start();
+		p($goodString);
+		$result = ob_get_clean();
+		$this->assertEquals('This is a good string without HTML.', $result);
 	}
 
 	public function testPNormalString() {
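Review bot: The three capture-and-assert sequences added to testP (ob_start(), p(), ob_get_clean(), assertEquals) are copy-pasted, and each one leaves an output buffer open if p() throws before ob_get_clean() runs, so a failure inside p() shows up as buffer noise rather than as the failing assertion. A small private helper that captures and asserts in one place removes the repetition and keeps the test easy to extend with further cases. The final plain-text case may also overlap with testPNormalString, which starts right after this hunk; worth checking that the two do not assert the same thing.

```php
	public function testP() {
		$this->assertPrints('&lt;img onload=&quot;alert(1)&quot; /&gt;', '<img onload="alert(1)" />');
		$this->assertPrints('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', "<script>alert('Hacked!');</script>");
		$this->assertPrints('This is a good string without HTML.', 'This is a good string without HTML.');
	}

	/**
	 * Captures the output of p() for $input and compares it to $expected.
	 */
	private function assertPrints($expected, $input) {
		ob_start();
		p($input);
		$result = ob_get_clean();
		$this->assertEquals($expected, $result);
	}
```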
diff --git a/tests/lib/util.php b/tests/lib/util.php
index ee336aa1118..20f2f7bbeab 100644
--- a/tests/lib/util.php
+++ b/tests/lib/util.php
@@ -43,15 +43,33 @@ class Test_Util extends PHPUnit_Framework_TestCase {
 	}
 
 	function testSanitizeHTML() {
+		$badArray = array(
+			'While it is unusual to pass an array',
+			'this function actually <blink>supports</blink> it.',
+			'And therefore there needs to be a <script>alert("Unit"+\'test\')</script> for it!'
+		);
+		$goodArray = array(
+			'While it is unusual to pass an array',
+			'this function actually &lt;blink&gt;supports&lt;/blink&gt; it.',
+			'And therefore there needs to be a &lt;script&gt;alert(&quot;Unit&quot;+&#039;test&#039;)&lt;/script&gt; for it!'
+		);
+		$result = OC_Util::sanitizeHTML($badArray);
+		$this->assertEquals($goodArray, $result);
+
+		$badString = '<img onload="alert(1)" />';
+		$result = OC_Util::sanitizeHTML($badString);
+		$this->assertEquals('&lt;img onload=&quot;alert(1)&quot; /&gt;', $result);
+
 		$badString = "<script>alert('Hacked!');</script>";
 		$result = OC_Util::sanitizeHTML($badString);
-		$this->assertEquals("&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;", $result);
+		$this->assertEquals('&lt;script&gt;alert(&#039;Hacked!&#039;);&lt;/script&gt;', $result);
 
-		$goodString = "This is an harmless string.";
+		$goodString = 'This is a good string without HTML.';
 		$result = OC_Util::sanitizeHTML($goodString);
-		$this->assertEquals("This is an harmless string.", $result);
-	}
-	
+		$this->assertEquals('This is a good string without HTML.', $result);
+}
+
+
 	function testEncodePath(){
 		$component = '/§#@test%&^ä/-child';
 		$result = OC_Util::encodePath($component);
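Review bot: The closing brace of testSanitizeHTML added at the end of the hunk sits at column 0 (`}` where the rest of the file uses a tab-indented `	}`), and it is followed by two blank lines where the neighbouring methods are separated by one; the brace should be `	}` with a single blank line before testEncodePath. The new array case only covers a sequential list, so it does not show whether sanitizeHTML preserves string keys or handles nested arrays — presumably it maps over the values, but that is not visible here; a second case such as `$this->assertEquals(array('k' => '&lt;b&gt;'), OC_Util::sanitizeHTML(array('k' => '<b>')));` would pin the key handling down. Since both expected and actual values are arrays, assertSame would additionally flag value-type differences that assertEquals' loose comparison ignores. testEncodePath continues past the end of the hunk.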
-- 
GitLab