7
* CakePHP(tm) Tests <http://book.cakephp.org/view/1196/Testing>
8
* Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
10
* Licensed under The Open Group Test Suite License
11
* Redistributions of files must retain the above copyright notice.
13
* @copyright Copyright 2005-2010, Cake Software Foundation, Inc. (http://cakefoundation.org)
14
* @link http://book.cakephp.org/view/1196/Testing CakePHP(tm) Tests
16
* @subpackage cake.tests.cases.libs
17
* @since CakePHP(tm) v 1.2.0.5428
18
* @license http://www.opensource.org/licenses/opengroup.php The Open Group Test Suite License
20
App::import('Core', 'Sanitize');
26
* @subpackage cake.tests.cases.libs
28
class SanitizeDataTest extends CakeTestModel {
33
* @var string 'SanitizeDataTest'
36
var $name = 'SanitizeDataTest';
41
* @var string 'data_tests'
44
var $useTable = 'data_tests';
51
* @subpackage cake.tests.cases.libs
53
class SanitizeArticle extends CakeTestModel {
58
* @var string 'Article'
61
var $name = 'SanitizeArticle';
66
* @var string 'articles'
69
var $useTable = 'articles';
76
* @subpackage cake.tests.cases.libs
78
class SanitizeTest extends CakeTestCase {
81
* autoFixtures property
86
var $autoFixtures = false;
94
var $fixtures = array('core.data_test', 'core.article');
99
* @param mixed $method
103
function startTest($method) {
104
parent::startTest($method);
109
* testEscapeAlphaNumeric method
114
function testEscapeAlphaNumeric() {
115
$resultAlpha = Sanitize::escape('abc', 'test_suite');
116
$this->assertEqual($resultAlpha, 'abc');
118
$resultNumeric = Sanitize::escape('123', 'test_suite');
119
$this->assertEqual($resultNumeric, '123');
121
$resultNumeric = Sanitize::escape(1234, 'test_suite');
122
$this->assertEqual($resultNumeric, 1234);
124
$resultNumeric = Sanitize::escape(1234.23, 'test_suite');
125
$this->assertEqual($resultNumeric, 1234.23);
127
$resultNumeric = Sanitize::escape('#1234.23', 'test_suite');
128
$this->assertEqual($resultNumeric, '#1234.23');
130
$resultNull = Sanitize::escape(null, 'test_suite');
131
$this->assertEqual($resultNull, null);
133
$resultNull = Sanitize::escape(false, 'test_suite');
134
$this->assertEqual($resultNull, false);
136
$resultNull = Sanitize::escape(true, 'test_suite');
137
$this->assertEqual($resultNull, true);
146
function testClean() {
147
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
148
$expected = 'test & "quote" 'other' ;.$ symbol.another line';
149
$result = Sanitize::clean($string, array('connection' => 'test_suite'));
150
$this->assertEqual($result, $expected);
152
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
153
$expected = 'test & ' . Sanitize::escape('"quote"', 'test_suite') . ' ' . Sanitize::escape('\'other\'', 'test_suite') . ' ;.$ symbol.another line';
154
$result = Sanitize::clean($string, array('encode' => false, 'connection' => 'test_suite'));
155
$this->assertEqual($result, $expected);
157
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
158
$expected = 'test & "quote" \'other\' ;.$ $ symbol.another line';
159
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'connection' => 'test_suite'));
160
$this->assertEqual($result, $expected);
162
$string = 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line';
163
$expected = 'test & "quote" \'other\' ;.$ \\$ symbol.another line';
164
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'dollar' => false, 'connection' => 'test_suite'));
165
$this->assertEqual($result, $expected);
167
$string = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
168
$expected = 'test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line';
169
$result = Sanitize::clean($string, array('encode' => false, 'escape' => false, 'carriage' => false, 'connection' => 'test_suite'));
170
$this->assertEqual($result, $expected);
172
$array = array(array('test & "quote" \'other\' ;.$ symbol.' . "\r" . 'another line'));
173
$expected = array(array('test & "quote" 'other' ;.$ symbol.another line'));
174
$result = Sanitize::clean($array, array('connection' => 'test_suite'));
175
$this->assertEqual($result, $expected);
177
$array = array(array('test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line'));
178
$expected = array(array('test & "quote" \'other\' ;.$ $ symbol.another line'));
179
$result = Sanitize::clean($array, array('encode' => false, 'escape' => false, 'connection' => 'test_suite'));
180
$this->assertEqual($result, $expected);
182
$array = array(array('test odd Ä spacesé'));
183
$expected = array(array('test odd Ä spacesé'));
184
$result = Sanitize::clean($array, array('odd_spaces' => false, 'escape' => false, 'connection' => 'test_suite'));
185
$this->assertEqual($result, $expected);
187
$array = array(array('\\$', array('key' => 'test & "quote" \'other\' ;.$ \\$ symbol.' . "\r" . 'another line')));
188
$expected = array(array('$', array('key' => 'test & "quote" \'other\' ;.$ $ symbol.another line')));
189
$result = Sanitize::clean($array, array('encode' => false, 'escape' => false));
190
$this->assertEqual($result, $expected);
194
$result = Sanitize::clean($string);
195
$this->assertEqual($string, $expected);
199
'title' => '2 o clock grant',
200
'grant_peer_review_id' => 3,
201
'institution_id' => 5,
204
'created' => '2010-07-15 14:11:00',
205
'modified' => '2010-07-19 10:45:41'
207
'GrantsMember' => array(
213
'pi_percent_commitment' => 1
217
$result = Sanitize::clean($data);
218
$this->assertEqual($result, $data);
227
function testHtml() {
228
$string = '<p>This is a <em>test string</em> & so is this</p>';
229
$expected = 'This is a test string & so is this';
230
$result = Sanitize::html($string, array('remove' => true));
231
$this->assertEqual($result, $expected);
233
$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
234
$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
235
$result = Sanitize::html($string);
236
$this->assertEqual($result, $expected);
238
$string = 'The "lazy" dog \'jumped\'';
239
$expected = 'The "lazy" dog \'jumped\'';
240
$result = Sanitize::html($string, array('quotes' => ENT_COMPAT));
241
$this->assertEqual($result, $expected);
243
$string = 'The "lazy" dog \'jumped\'';
244
$result = Sanitize::html($string, array('quotes' => ENT_NOQUOTES));
245
$this->assertEqual($result, $string);
247
$string = 'The "lazy" dog \'jumped\' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
248
$expected = 'The "lazy" dog 'jumped' & flew over the moon. If (1+1) = 2 <em>is</em> true, (2-1) = 1 is also true';
249
$result = Sanitize::html($string);
250
$this->assertEqual($result, $expected);
254
* testStripWhitespace method
259
function testStripWhitespace() {
260
$string = "This sentence \t\t\t has lots of \n\n white\nspace \rthat \r\n needs to be \t \n trimmed.";
261
$expected = "This sentence has lots of whitespace that needs to be trimmed.";
262
$result = Sanitize::stripWhitespace($string);
263
$this->assertEqual($result, $expected);
267
* testParanoid method
272
function testParanoid() {
273
$string = 'I would like to !%@#% & dance & sing ^$&*()-+';
274
$expected = 'Iwouldliketodancesing';
275
$result = Sanitize::paranoid($string);
276
$this->assertEqual($result, $expected);
278
$string = array('This |s th% s0ng that never ends it g*es',
279
'on and on my friends, b^ca#use it is the',
280
'so&g th===t never ends.');
281
$expected = array('This s th% s0ng that never ends it g*es',
282
'on and on my friends bcause it is the',
283
'sog tht never ends.');
284
$result = Sanitize::paranoid($string, array('%', '*', '.', ' '));
285
$this->assertEqual($result, $expected);
287
$string = "anything' OR 1 = 1";
288
$expected = 'anythingOR11';
289
$result = Sanitize::paranoid($string);
290
$this->assertEqual($result, $expected);
292
$string = "x' AND email IS NULL; --";
293
$expected = 'xANDemailISNULL';
294
$result = Sanitize::paranoid($string);
295
$this->assertEqual($result, $expected);
297
$string = "x' AND 1=(SELECT COUNT(*) FROM users); --";
298
$expected = "xAND1SELECTCOUNTFROMusers";
299
$result = Sanitize::paranoid($string);
300
$this->assertEqual($result, $expected);
302
$string = "x'; DROP TABLE members; --";
303
$expected = "xDROPTABLEmembers";
304
$result = Sanitize::paranoid($string);
305
$this->assertEqual($result, $expected);
309
* testStripImages method
314
function testStripImages() {
315
$string = '<img src="/img/test.jpg" alt="my image" />';
316
$expected = 'my image<br />';
317
$result = Sanitize::stripImages($string);
318
$this->assertEqual($result, $expected);
320
$string = '<img src="javascript:alert(\'XSS\');" />';
322
$result = Sanitize::stripImages($string);
323
$this->assertEqual($result, $expected);
325
$string = '<a href="http://www.badsite.com/phising"><img src="/img/test.jpg" alt="test image alt" title="test image title" id="myImage" class="image-left"/></a>';
326
$expected = '<a href="http://www.badsite.com/phising">test image alt</a><br />';
327
$result = Sanitize::stripImages($string);
328
$this->assertEqual($result, $expected);
330
$string = '<a onclick="medium()" href="http://example.com"><img src="foobar.png" onclick="evilFunction(); return false;"/></a>';
331
$expected = '<a onclick="medium()" href="http://example.com"></a>';
332
$result = Sanitize::stripImages($string);
333
$this->assertEqual($result, $expected);
337
* testStripScripts method
342
function testStripScripts() {
343
$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />';
345
$result = Sanitize::stripScripts($string);
346
$this->assertEqual($result, $expected);
348
$string = '<link href="/css/styles.css" media="screen" rel="stylesheet" />' . "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . '<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
349
$expected = "\n" . '<link rel="icon" href="/favicon.ico" type="image/x-icon" />' . "\n" . '<link rel="shortcut icon" href="/favicon.ico" type="image/x-icon" />'."\n".'<link rel="alternate" href="/feed.xml" title="RSS Feed" type="application/rss+xml" />';
350
$result = Sanitize::stripScripts($string);
351
$this->assertEqual($result, $expected);
353
$string = '<script type="text/javascript"> alert("hacked!");</script>';
355
$result = Sanitize::stripScripts($string);
356
$this->assertEqual($result, $expected);
358
$string = '<script> alert("hacked!");</script>';
360
$result = Sanitize::stripScripts($string);
361
$this->assertEqual($result, $expected);
363
$string = '<style>#content { display:none; }</style>';
365
$result = Sanitize::stripScripts($string);
366
$this->assertEqual($result, $expected);
368
$string = '<style type="text/css"><!-- #content { display:none; } --></style>';
370
$result = Sanitize::stripScripts($string);
371
$this->assertEqual($result, $expected);
375
<style type="text/css">
377
#content { display:none; }
382
$expected = "text\n\ntext";
383
$result = Sanitize::stripScripts($string);
384
$this->assertEqual($result, $expected);
388
<script type="text/javascript">
395
$expected = "text\n\ntext";
396
$result = Sanitize::stripScripts($string);
397
$this->assertEqual($result, $expected);
401
* testStripAll method
406
function testStripAll() {
407
$string = '<img """><script>alert("xss")</script>"/>';
409
$result = Sanitize::stripAll($string);
410
$this->assertEqual($result, $expected);
412
$string = '<IMG SRC=javascript:alert('XSS')>';
414
$result = Sanitize::stripAll($string);
415
$this->assertEqual($result, $expected);
417
$string = '<<script>alert("XSS");//<</script>';
419
$result = Sanitize::stripAll($string);
420
$this->assertEqual($result, $expected);
422
$string = '<img src="http://google.com/images/logo.gif" onload="window.location=\'http://sam.com/\'" />'."\n".
423
"<p>This is ok \t\n text</p>\n".
424
'<link rel="stylesheet" href="/css/master.css" type="text/css" media="screen" title="my sheet" charset="utf-8">'."\n".
425
'<script src="xss.js" type="text/javascript" charset="utf-8"></script>';
426
$expected = '<p>This is ok text</p>';
427
$result = Sanitize::stripAll($string);
428
$this->assertEqual($result, $expected);
433
* testStripTags method
438
function testStripTags() {
439
$string = '<h2>Headline</h2><p><a href="http://example.com">My Link</a> could go to a bad site</p>';
440
$expected = 'Headline<p>My Link could go to a bad site</p>';
441
$result = Sanitize::stripTags($string, 'h2', 'a');
442
$this->assertEqual($result, $expected);
444
$string = '<script type="text/javascript" src="http://evildomain.com"> </script>';
446
$result = Sanitize::stripTags($string, 'script');
447
$this->assertEqual($result, $expected);
449
$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
450
$expected = 'Important<p>Additional information here <img src="/img/test.png" />. Read even more here</p>';
451
$result = Sanitize::stripTags($string, 'h2', 'a');
452
$this->assertEqual($result, $expected);
454
$string = '<h2>Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
455
$expected = 'Important<p>Additional information here . Read even more here</p>';
456
$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
457
$this->assertEqual($result, $expected);
459
$string = '<b>Important message!</b><br>This message will self destruct!';
460
$expected = 'Important message!<br>This message will self destruct!';
461
$result = Sanitize::stripTags($string, 'b');
462
$this->assertEqual($result, $expected);
464
$string = '<b>Important message!</b><br />This message will self destruct!';
465
$expected = 'Important message!<br />This message will self destruct!';
466
$result = Sanitize::stripTags($string, 'b');
467
$this->assertEqual($result, $expected);
469
$string = '<h2 onclick="alert(\'evil\'); onmouseover="badness()">Important</h2><p>Additional information here <a href="/about"><img src="/img/test.png" /></a>. Read even more here</p>';
470
$expected = 'Important<p>Additional information here . Read even more here</p>';
471
$result = Sanitize::stripTags($string, 'h2', 'a', 'img');
472
$this->assertEqual($result, $expected);
476
* testFormatColumns method
481
function testFormatColumns() {
482
$this->loadFixtures('DataTest', 'Article');
484
$this->DataTest =& new SanitizeDataTest(array('alias' => 'DataTest'));
485
$data = array('DataTest' => array(
488
'float' => '2.31456',
489
'updated' => '2008-01-01'
492
$this->DataTest->set($data);
493
$expected = array('DataTest' => array(
497
'updated' => '2008-01-01 00:00:00',
499
Sanitize::formatColumns($this->DataTest);
500
$result = $this->DataTest->data;
501
$this->assertEqual($result, $expected);
503
$this->Article =& new SanitizeArticle(array('alias' => 'Article'));
504
$data = array('Article' => array(
507
'title' => 'title of article',
508
'body' => 'body text',
509
'published' => 'QQQQQQQ',
511
$this->Article->set($data);
512
$expected = array('Article' => array(
515
'title' => 'title of article',
516
'body' => 'body text',
517
'published' => 'QQQQQQQ',
519
Sanitize::formatColumns($this->Article);
520
$result = $this->Article->data;
521
$this->assertEqual($result, $expected);