<?php
/**
* Tests for the InputFilter class.
*/
include 'bootstrap.php';
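/**
 * Unit tests for InputFilter.
 *
 * Covers the four filtering entry points exercised below: NUL stripping,
 * entity sanitisation, URL parsing/gluing, and HTML element filtering.
 * Every case pairs an input with the exact output InputFilter must produce.
 */
class InputFilterTest extends UnitTestCase
{
    /**
     * Builds the array shape returned by InputFilter::parse_url().
     *
     * All string parts default to '' and all flags to false; only the parts
     * that differ for a given URL are passed in. Key order matches the
     * default array, so the result compares equal to a hand-written literal.
     *
     * @param array $overrides parts that differ from the empty/false defaults
     * @return array the complete parse_url() result array
     */
    private static function url_parts( array $overrides )
    {
        $defaults = [
            'scheme' => '',
            'host' => '',
            'port' => '',
            'user' => '',
            'pass' => '',
            'path' => '',
            'query' => '',
            'fragment' => '',
            'is_relative' => false,
            'is_pseudo' => false,
            'is_error' => false,
            'pseudo_args' => '',
        ];
        return array_merge( $defaults, $overrides );
    }

    /**
     * strip_nulls() removes the NUL escape sequences embedded in a string.
     */
    public function test_strings_with_nulls()
    {
        $this->assert_equal(InputFilter::strip_nulls( 'This string has NULL char\0act\0ers!' ), 'This string has NULL characters!');
    }

    /**
     * strip_illegal_entities() leaves well-formed, known entities untouched.
     */
    public function test_valid_entities()
    {
        $this->assert_equal(InputFilter::strip_illegal_entities( 'Valid:  ' ), 'Valid:  ');
        $this->assert_equal(InputFilter::strip_illegal_entities( 'Valid: 
' ), 'Valid: ');
        $this->assert_equal(InputFilter::strip_illegal_entities( 'Valid: ®' ), 'Valid: ®');
    }

    /**
     * Valid entities survive when directly followed by punctuation, a tag,
     * or a literal backslash sequence.
     */
    public function test_valid_entities_corner_cases()
    {
        $this->assert_equal(InputFilter::strip_illegal_entities( 'This is valid: ®.' ), 'This is valid: ®.');
        $this->assert_equal(InputFilter::strip_illegal_entities( 'This is valid: ®<br />.' ), 'This is valid: ®<br />.');
        $this->assert_equal(InputFilter::strip_illegal_entities( 'This is valid: ®\nDee-dum.' ), 'This is valid: ®\nDee-dum.');
    }

    /**
     * An unknown named entity is dropped entirely rather than passed through.
     */
    public function test_invalid_entity_name()
    {
        $this->assert_equal(InputFilter::strip_illegal_entities( 'This entity does not exist: &zomg;.' ), 'This entity does not exist: .');
    }

    /**
     * A numeric entity outside the allowed range is dropped entirely.
     */
    public function test_invalid_entity_numeric()
    {
        $this->assert_equal(InputFilter::strip_illegal_entities( 'This entity is invalid: 󿷩.' ), 'This entity is invalid: .');
    }

    /**
     * parse_url() splits absolute, relative and pseudo (scheme-only) URLs
     * into the fixed part array and sets the is_relative / is_pseudo flags.
     */
    public function test_url_parsing()
    {
        // The userinfo is spelled out in full here: the expected 'user' => 'hey',
        // 'pass' => 'there' and 'host' => 'moeffju.net' below only hold for
        // the literal "hey:there@moeffju.net" authority.
        $this->assert_equal(InputFilter::parse_url( 'http://hey:there@moeffju.net:8137/foo/bar?baz=quux#blah' ), self::url_parts( [
            'scheme' => 'http',
            'host' => 'moeffju.net',
            'port' => '8137',
            'user' => 'hey',
            'pass' => 'there',
            'path' => '/foo/bar',
            'query' => 'baz=quux',
            'fragment' => 'blah',
        ] ) );
        $this->assert_equal(InputFilter::parse_url( 'http://localhost/blog/' ), self::url_parts( [
            'scheme' => 'http',
            'host' => 'localhost',
            'path' => '/blog/',
        ] ) );
        // Scheme without "//" is still treated as absolute.
        $this->assert_equal(InputFilter::parse_url( 'http:moeffju.net/blog/' ), self::url_parts( [
            'scheme' => 'http',
            'host' => 'moeffju.net',
            'path' => '/blog/',
        ] ) );
        //$this->assert_equal(InputFilter::parse_url( 'file://Z:/Habari/User Manual/index.html' ), self::url_parts( [ 'scheme' => 'file', 'path' => 'Z:/Habari/User Manual/index.html' ] ) );
        $this->assert_equal(InputFilter::parse_url( 'blog/' ), self::url_parts( [
            'path' => 'blog/',
            'is_relative' => true,
        ] ) );
        $this->assert_equal(InputFilter::parse_url( '/furanzen/bla' ), self::url_parts( [
            'path' => '/furanzen/bla',
            'is_relative' => true,
        ] ) );
        $this->assert_equal(InputFilter::parse_url( '?bla=barbaz&foo' ), self::url_parts( [
            'query' => 'bla=barbaz&foo',
            'is_relative' => true,
        ] ) );
        // A bare fragment marker yields no parts at all, only the relative flag.
        $this->assert_equal(InputFilter::parse_url( '#' ), self::url_parts( [
            'is_relative' => true,
        ] ) );
        // Pseudo URLs keep everything after the scheme in 'pseudo_args'
        // instead of splitting it into path/query/fragment.
        $this->assert_equal(InputFilter::parse_url( 'about:blank' ), self::url_parts( [
            'scheme' => 'about',
            'is_pseudo' => true,
            'pseudo_args' => 'blank',
        ] ) );
        $this->assert_equal(InputFilter::parse_url( 'javascript:alert(document.cookie)' ), self::url_parts( [
            'scheme' => 'javascript',
            'is_pseudo' => true,
            'pseudo_args' => 'alert(document.cookie)',
        ] ) );
        $this->assert_equal(InputFilter::parse_url( 'javascript:alert(\'/hey/there/foo?how=about#bar\')' ), self::url_parts( [
            'scheme' => 'javascript',
            'is_pseudo' => true,
            'pseudo_args' => 'alert(\'/hey/there/foo?how=about#bar\')',
        ] ) );
    }

    /**
     * filter_html_elements() drops event-handler and style attributes and
     * any href carrying a javascript: scheme, keeping the element itself.
     */
    public function test_filtering_malicious_html()
    {
        $this->assert_equal(InputFilter::filter_html_elements( '<p onclick=\"window.alert(\'boo\')\">Hey.</p><a href=\"#\" style=\"position: absolute; left: 1px; top: 3px;\">Whee!</a>' ), '<p>Hey.</p><a href=\"#\">Whee!</a>');
        $this->assert_equal(InputFilter::filter_html_elements( '<a href=\"javascript:alert(\'yay\')\" style=\"text-decoration: none;\">Whee!</a>' ), '<a>Whee!</a>');
    }

    /**
     * filter() end to end: script elements, unknown elements, event-handler
     * attributes and malformed tag nesting are removed; the expected outputs
     * pin the exact remainder for each classic XSS probe.
     */
    public function test_complete_filtering_run()
    {
        $this->assert_equal(InputFilter::filter( '<p>I am <div><script src=\"ohnoes\" /><a>not a paragraph.</a><p CLASS=old><span> Or am I?</span>' ), '<p>I am <div><a>not a paragraph.</a><p><span> Or am I?</span>');
        $this->assert_equal(InputFilter::filter( '<p onClick=\"window.alert(\'stole yer cookies!\');\">Do not click here.</p>\n<script>alert(\"See this?\")</script>' ), '<p>Do not click here.</p>\n');
        // http://ha.ckers.org/blog/20070124/stopping-xss-but-allowing-html-is-hard/
        $this->assert_equal(InputFilter::filter( '<IMG src=\"http://ha.ckers.org/\" style\"=\"style=\"a/onerror=alert(String.fromCharCode(88,83,83))//\" &gt;`>' ), 'onerror=alert(String.fromCharCode(88,83,83))//\" &`>');
        $this->assert_equal(InputFilter::filter( '<b>Hello world</b>\n\nThis is a <test>test</test> post.\n\nHere\'s a first XSS attack. <<SCRIPT>alert(\'XSS\');//<</SCRIPT>\n\nHere\'s a second try at a <a href=\"#\">second link</a>.\n\nHere\'s a second XSS attack. <IMG SRC=\"  javascript:alert(\'XSS\');\">\n\nHere\'s a third link hopefully <a href=\"#\">it won\'t get removed</a>.\n\n<em>Thanks!</em>' ), '<b>Hello world</b>\n\nThis is a post.\n\nHere\'s a first XSS attack. ');
        // Split / nested "<<test>script>" forms must not reassemble into a script tag.
        $this->assert_equal(InputFilter::filter( '<<test>script>alert(\'boom\');</test>' ), '');
        $this->assert_equal(InputFilter::filter( '<<test></test>script>alert(\'boom\');' ), '');
        $this->assert_equal(InputFilter::filter( '<<test><</test>script>alert(\'boom\');' ), '');
        // Tag-name matching is case-insensitive.
        $this->assert_equal(InputFilter::filter( '<ScRIpT>alert(\'whee\');</SCRiPT>' ), '');
    }

    /**
     * An internationalised host name round-trips through parse_url() and
     * glue_url() unchanged, apart from the trailing slash glue_url() appends.
     */
    public function test_parse_url_sanitization_idn()
    {
        // http://пример.испытание
        $url = 'http://пример.испытание';
        // ENT_NOQUOTES (0) is the value the former null flags argument coerced
        // to; passing null to the int parameter is deprecated since PHP 8.1.
        // The string holds no quote entities, so quote handling is moot here.
        $url = html_entity_decode( $url, ENT_NOQUOTES, 'UTF-8' );
        $parsed = InputFilter::parse_url( $url );
        $glued = InputFilter::glue_url( $parsed );
        // note that glue_url always appends a trailing /
        $this->assert_identical( $glued, $url . '/' );
    }

    /**
     * Obfuscated javascript: URLs (embedded tab/newline, leading whitespace)
     * still parse to scheme 'javascript', so a filter keyed on the scheme
     * cannot be bypassed by whitespace tricks.
     */
    public function test_parse_url_sanitization_javascript()
    {
        $urls = [
            'javascript:alert(0);',
            'javascript:alert(0);',
            'java	script:alert(0);',
            '	javascript:alert(0);',
            'java
script:alert(0);',
            '
javascript:alert(0);',
            'java
script:alert(0);',
            '
javascript:alert(0);',
        ];
        foreach ( $urls as $url ) {
            // See test_parse_url_sanitization_idn() for why ENT_NOQUOTES replaces null.
            $url = html_entity_decode( $url, ENT_NOQUOTES, 'UTF-8' );
            $parsed = InputFilter::parse_url( $url );
            $this->assert_equal( $parsed['scheme'], 'javascript', $url . ' != ' . $parsed['scheme'] );
        }
    }
}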
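// Hand this test case to the harness's run_one() entry point. The closing
// PHP tag is intentionally omitted: in a PHP-only file it can only introduce
// stray trailing output.
InputFilterTest::run_one('InputFilterTest');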