root/branches/boomer/t/11-sanitize.t @ 1100

Revision 1100, 4.3 kB (checked in by hachi, 2 years ago)

Merging release-20 to boomer branch: svn merge -r62323:63659 http://svn.sixapart.com/repos/eng/movabletype/branches/release-20 .

  • Property svn:mime-type set to text/plain
  • Property svn:keywords set to Author Date Id Revision
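#!/usr/bin/perl
# $Id$
#
# Tests for MT::Sanitize.
#
# Two things are covered:
#   * parse_spec() turns a spec string such as 'a href,img/ src' into the
#     allow-list hash that sanitize() consumes ({ok}{tag}{attr}, plus
#     {tag_attr}{tag} eq '/' for tags written with a trailing slash).
#   * sanitize() strips everything not explicitly allowed: server-side code
#     markers (<? ?>, <% %>, SSI), <script>, event-handler attributes and
#     javascript: URLs, while keeping permitted tags/attributes and closing
#     any tags the input left open.
use strict;
use warnings;
use lib 't/lib';
use lib 'lib';
use lib 'extlib';

use Test::More tests => 53;

use MT;
use MT::Sanitize;

my $atts;

# --- parse_spec -----------------------------------------------------------

# single tag with one attribute
$atts = MT::Sanitize->parse_spec('a href');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{a}, '{ok}{a}');
ok($atts->{ok}{a}{href}, '{ok}{a}{href}');

# comma separates tag entries; a tag may have no attributes at all
$atts = MT::Sanitize->parse_spec('a href,b');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{a}, '{ok}{a}');
ok($atts->{ok}{a}{href}, '{ok}{a}{href}');
ok($atts->{ok}{b}, '{ok}{b}');

# trailing '/' marks a self-closing tag and is recorded under {tag_attr}
$atts = MT::Sanitize->parse_spec('br/');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{br}, '{ok}{br}');
is($atts->{tag_attr}{br}, '/', '{tag_attr}{br}=/');

# self-closing tag that also carries an attribute
$atts = MT::Sanitize->parse_spec('img/ src');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{img}, '{ok}{img}');
ok($atts->{ok}{img}{src}, '{ok}{img}{src}');
is($atts->{tag_attr}{img}, '/', '{tag_attr}{img}=/');

# '*' is accepted as a tag name in the spec
$atts = MT::Sanitize->parse_spec('* align');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{'*'}, "{ok}{'*'}");
ok($atts->{ok}{'*'}{align}, "{ok}{'*'}{align}");

# '*' entry alongside a named tag
$atts = MT::Sanitize->parse_spec('p,* align');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{'*'}, "{ok}{'*'}");
ok($atts->{ok}{'*'}{align}, "{ok}{'*'}{align}");
ok($atts->{ok}{p}, '{ok}{p}');

# --- sanitize: server-side code and scripts are removed entirely -----------

is(MT::Sanitize->sanitize('<?php readfile("/etc/passwd") ?>'), '', 'php passwd');

is(MT::Sanitize->sanitize('<? readfile("/etc/passwd") ?>'), '', 'passwd');

# text preceding the code block survives; the block itself does not
is(MT::Sanitize->sanitize('passwords! <? readfile("/etc/passwd") ?>'), 'passwords! ', 'passwords! ');

# an unterminated '<?' swallows the rest of the input
is(MT::Sanitize->sanitize('<? start some evil PHP'), '', 'evil PHP');

is(MT::Sanitize->sanitize('<% some ASP code %>'), '', 'ASP code');

is(MT::Sanitize->sanitize('<!--#exec cgi="/some/bad.cgi"-->'), '', 'exec cgi');

is(MT::Sanitize->sanitize('<script src="evil.js">'), '', 'evil.js');

# --- sanitize: plain text and disallowed tags ------------------------------

is(MT::Sanitize->sanitize('foo'), 'foo', 'foo');

# with no spec at all, tags are dropped but their text content is kept
is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>'), 'kittens', 'kittens');

# spec may be passed as a ready-made hashref: tag allowed, no attributes
is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => {} } }), '<a>kittens</a>', '<a>kittens</a>');

# href allowed, onclick still stripped
is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => { href => 1 } } }), '<a href="foo.html">kittens</a>', '<a href="foo.html">kittens</a>');

is(MT::Sanitize->sanitize('<code>code</code>'), 'code', 'code');

# spec may also be passed as the output of parse_spec, or as the raw string
is(MT::Sanitize->sanitize('<b>bold</b>', MT::Sanitize->parse_spec('b')), '<b>bold</b>', '<b>bold</b>');

# self-closing tags are normalised to the '<br />' form
is(MT::Sanitize->sanitize('Some text<br />with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break', 'Some text<br />with a line break');

is(MT::Sanitize->sanitize('Some text<br>with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break', 'Some text<br />with a line break');

is(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', MT::Sanitize->parse_spec('img/ src')), '<img src="foo.jpg" />', '<img src="foo.jpg" />');

is(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', 'img/ src'), '<img src="foo.jpg" />', '<img src="foo.jpg" />');

# --- sanitize: unbalanced markup is closed/repaired ------------------------

is(MT::Sanitize->sanitize('<b>open bold', 'b'), '<b>open bold</b>', '<b>open bold</b>');

is(MT::Sanitize->sanitize('<b><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic', '<b><i>open</i></b> italic');

is(MT::Sanitize->sanitize('<a><b><blockquote><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic', '<b><i>open</i></b> italic');

# --- sanitize: URL attribute values ----------------------------------------

# a javascript: href is dropped even though href itself is allowed
is(MT::Sanitize->sanitize('<a href="javascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>', '<a>boo</a>');

# an entity-encoded control character inside the scheme must not defeat the check
is(MT::Sanitize->sanitize('<a href="jav&#x0D;ascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>', '<a>boo</a>');

# an encoded space does not form the 'javascript:' scheme, so this href is kept
is(MT::Sanitize->sanitize('<a href="java&#x20;script.html">boo</a>', 'a href'), '<a href="java&#x20;script.html">boo</a>', '<a href="java&#x20;script.html">boo</a>');

# a NUL byte splitting the entity must not defeat the check either
is(MT::Sanitize->sanitize('<a href="javascript&#5' . chr(0) . '8;alert(\'boo\')">click</a>', 'a href'), '<a>click</a>', '<a href="javascript&5(null)8;alert(\'boo\')">click</a>');

# style is not in the spec, and the unterminated <i ...> is dropped altogether
is(MT::Sanitize->sanitize('<p><i style="x:expression:alert(\'xss\')"', 'p,i'), '<p></p>', '<p><i style="x:expression:alert(\'xss\')"');

# --- sanitize: known gap ---------------------------------------------------

# An inner '?>' hidden in a PHP comment currently ends the code block early
# and the remainder is emitted as text.  The intended result is '' (as for
# the other <? ?> cases above); until the sanitizer is fixed this is marked
# TODO so the suite reports an expected failure rather than pinning the
# leaked output as correct.
TODO: {
    local $TODO = 'sanitize() does not yet handle a ?> cloaked inside a PHP comment';
    is(MT::Sanitize->sanitize('<? /* ?> */ readfile("/etc/passwd") ?>'), '', 'php cloaking attempt');
}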