path: root/tests/unit/AntiXSSTest.php
<?php
/**
 * Tests several functions which are used to prevent xss attacks
 *
 * @package test.util
 */

use PHPUnit\Framework\TestCase;

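class AntiXSSTest extends TestCase {

	/**
	 * Tags are neutralised by notags() and escaped by escape_tags().
	 *
	 * The input is an element with an inline event handler. notags() is
	 * expected to turn the angle brackets into square brackets so the
	 * string can no longer form markup; escape_tags() is expected to
	 * entity-encode the angle brackets and double quotes.
	 */
	public function testEscapeTags() : void {
		$invalidstring = '<submit type="button" onclick="alert(\'failed!\');" />';

		$validstring = notags($invalidstring);
		$escapedString = escape_tags($invalidstring);

		// assertSame: an escaping function must yield exactly this byte
		// sequence; a loose comparison could hide a subtle difference.
		$this->assertSame('[submit type="button" onclick="alert(\'failed!\');" /]', $validstring);
		$this->assertSame("&lt;submit type=&quot;button&quot; onclick=&quot;alert('failed!');&quot; /&gt;", $escapedString);
	}

	/**
	 * escape_url() must make a URL safe to embed in HTML text and attributes.
	 *
	 * Each provider case pairs a URL carrying an attribute/script breakout
	 * with the form in which ampersand, quote and angle-bracket characters
	 * are all entity-encoded.
	 *
	 * @dataProvider urlTestProvider
	 */
	public function testEscapeURL(string $url, string $expected) : void {
		$this->assertSame($expected, escape_url($url));
	}

	/**
	 * URLs containing injection attempts, paired with their expected
	 * escaped form.
	 *
	 * @return list<array{0: string, 1: string}>
	 */
	public static function urlTestProvider() : array {
		return [
			[
				"https://example.com/settings/calendar/?f=&rpath=https://example.com/cdav/calendar'><script>alert('boom')</script>",
				"https://example.com/settings/calendar/?f=&amp;rpath=https://example.com/cdav/calendar&apos;&gt;&lt;script&gt;alert(&apos;boom&apos;)&lt;/script&gt;",
			],
			[
				"settings/calendar/?f=&rpath=https://example.com'+accesskey=x+onclick=alert(/boom/);a='",
				"settings/calendar/?f=&amp;rpath=https://example.com&apos;+accesskey=x+onclick=alert(/boom/);a=&apos;",
			],
		];
	}

	/**
	 * xmlify() followed by unxmlify() must give back the original text.
	 *
	 * The round trip is the property under test. Previously unxmlify() was
	 * applied to the raw text instead of the xmlify() output, so the
	 * escaped form was never examined and the assertion passed trivially;
	 * a regression in xmlify() would not have been caught.
	 */
	public function testXmlify() : void {
		$text = "<tag>I want to break\n this!11!<?hard?></tag>";
		$xml = xmlify($text);
		$retext = unxmlify($xml);

		// Escaping must actually alter the markup characters ...
		$this->assertNotSame($text, $xml);
		// ... and must be exactly reversible.
		$this->assertSame($text, $retext);
	}

	/**
	 * xmlify() output embedded in a document must parse as character data:
	 * a single TEXT element whose value is the original, unescaped string,
	 * with no nested element created by the embedded tag.
	 */
	public function testXmlifyDocument() : void {
		$tag = "<tag>I want to break</tag>";
		$xml = xmlify($tag);
		$text = '<text>' . $xml . '</text>';

		$xml_parser = xml_parser_create();
		$values = [];
		$index = [];

		try {
			// xml_parse_into_struct() returns 1 when the document parsed.
			$this->assertSame(1, xml_parse_into_struct($xml_parser, $text, $values, $index));

			// Only the outer element exists ...
			$this->assertEquals(['TEXT' => [0]], $index);
			// ... and its value is the original text, so the embedded tag was
			// escaped rather than interpreted as markup.
			$this->assertEquals(
				[['tag' => 'TEXT', 'type' => 'complete', 'level' => 1, 'value' => $tag]],
				$values
			);
		} finally {
			// Release the parser even when an assertion above fails.
			xml_parser_free($xml_parser);
		}
	}

	// TODO: not yet covered here: qp() (quick and dirty?), get_mentions(),
	// get_contact_block() (up to line 538).
}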
?>