root/branches/release-40/t/11-sanitize.t @ 2562

Revision 2562, 4.3 kB (checked in by bchoate, 18 months ago)

Test suite cleanup. Use MT::Test to force t/ based configuration file for all tests. Fixed several tests that had incorrect expected values.

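#!/usr/bin/perl
# $Id$
#
# Tests for MT::Sanitize.
#
# parse_spec() turns a spec string ("tag attr attr,tag attr") into the
# allow-list hash that sanitize() consumes.  sanitize() then strips every
# tag and attribute the spec does not permit.  The second half of this file
# feeds sanitize() server-side-include, PHP/ASP, script and event-handler
# payloads and expects them to come out removed.
use strict;
use warnings;
use lib 't/lib';
use lib 'lib';
use lib 'extlib';

# Fixed plan: the count doubles as a check that no case is silently skipped.
use Test::More tests => 53;

use MT;
use MT::Test;
use MT::Sanitize;

my $atts;

### parse_spec: spec string -> { ok => { tag => { attr => 1 } }, tag_attr => { tag => '/' } }

# One tag with one permitted attribute.
$atts = MT::Sanitize->parse_spec('a href');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{a}, '{ok}{a}');
ok($atts->{ok}{a}{href}, '{ok}{a}{href}');

# Comma separates tags; a tag with no attributes is still listed under {ok}.
$atts = MT::Sanitize->parse_spec('a href,b');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{a}, '{ok}{a}');
ok($atts->{ok}{a}{href}, '{ok}{a}{href}');
ok($atts->{ok}{b}, '{ok}{b}');

# A trailing '/' on the tag name is recorded under {tag_attr}; sanitize()
# emits such tags self-closed (see the <br /> cases below).
$atts = MT::Sanitize->parse_spec('br/');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{br}, '{ok}{br}');
is($atts->{tag_attr}{br}, '/', '{tag_attr}{br}=/');

# The '/' marker and an attribute list combine on the same tag.
$atts = MT::Sanitize->parse_spec('img/ src');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{img}, '{ok}{img}');
ok($atts->{ok}{img}{src}, '{ok}{img}{src}');
is($atts->{tag_attr}{img}, '/', '{tag_attr}{img}=/');

# '*' is stored as a tag key of its own (presumably a wildcard that applies
# the attribute to every permitted tag -- only the parsed shape is checked here).
$atts = MT::Sanitize->parse_spec('* align');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{'*'}, "{ok}{'*'}");
ok($atts->{ok}{'*'}{align}, "{ok}{'*'}{align}");

# '*' coexists with an ordinary tag in the same spec.
$atts = MT::Sanitize->parse_spec('p,* align');
isa_ok($atts, 'HASH');
ok($atts->{ok}, '{ok}');
ok($atts->{ok}{'*'}, "{ok}{'*'}");
ok($atts->{ok}{'*'}{align}, "{ok}{'*'}{align}");
ok($atts->{ok}{p}, '{ok}{p}');

### sanitize() with no spec: every tag is dropped, text content is kept.
### Server-side code (PHP, ASP, SSI) and <script> must disappear entirely.

is(MT::Sanitize->sanitize('<?php readfile("/etc/passwd") ?>'), '', 'php passwd');

is(MT::Sanitize->sanitize('<? readfile("/etc/passwd") ?>'), '', 'passwd');

# Surrounding plain text survives; only the code block is removed.
is(MT::Sanitize->sanitize('passwords! <? readfile("/etc/passwd") ?>'), 'passwords! ', 'passwords! ');

# An unterminated '<?' must not leak its tail as text.
is(MT::Sanitize->sanitize('<? start some evil PHP'), '', 'evil PHP');

is(MT::Sanitize->sanitize('<% some ASP code %>'), '', 'ASP code');

is(MT::Sanitize->sanitize('<!--#exec cgi="/some/bad.cgi"-->'), '', 'exec cgi');

is(MT::Sanitize->sanitize('<script src="evil.js">'), '', 'evil.js');

is(MT::Sanitize->sanitize('foo'), 'foo', 'foo');

is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>'), 'kittens', 'kittens');

### sanitize() with a spec: only listed tags/attributes survive, so the
### event handler is always dropped and href only when the spec allows it.

is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => {} } }), '<a>kittens</a>', '<a>kittens</a>');

is(MT::Sanitize->sanitize('<a href="foo.html" onclick="runEvilJS()">kittens</a>', { ok => { a => { href => 1 } } }), '<a href="foo.html">kittens</a>', '<a href="foo.html">kittens</a>');

is(MT::Sanitize->sanitize('<code>code</code>'), 'code', 'code');

is(MT::Sanitize->sanitize('<b>bold</b>', MT::Sanitize->parse_spec('b')), '<b>bold</b>', '<b>bold</b>');

# A 'tag/' spec normalises both '<br />' and bare '<br>' to the self-closed form.
is(MT::Sanitize->sanitize('Some text<br />with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break', 'Some text<br />with a line break');

is(MT::Sanitize->sanitize('Some text<br>with a line break', MT::Sanitize->parse_spec('br/')), 'Some text<br />with a line break', 'Some text<br />with a line break');

is(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', MT::Sanitize->parse_spec('img/ src')), '<img src="foo.jpg" />', '<img src="foo.jpg" />');

# sanitize() also accepts the raw spec string in place of a parsed hash.
is(MT::Sanitize->sanitize('<img onmouseover="killComputer()" src="foo.jpg">', 'img/ src'), '<img src="foo.jpg" />', '<img src="foo.jpg" />');

### Structural repair: unclosed and mis-nested tags are closed in order,
### and disallowed wrappers (<a>, <blockquote>) are dropped around them.

is(MT::Sanitize->sanitize('<b>open bold', 'b'), '<b>open bold</b>', '<b>open bold</b>');

is(MT::Sanitize->sanitize('<b><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic', '<b><i>open</i></b> italic');

is(MT::Sanitize->sanitize('<a><b><blockquote><i>open</b> italic', 'b,i'), '<b><i>open</i></b> italic', '<b><i>open</i></b> italic');

### href filtering: a permitted href attribute is still dropped when its
### value is a javascript: URL, including entity- and NUL-obfuscated forms.
### A genuine URL that merely contains "java" + entity + "script" is kept.

is(MT::Sanitize->sanitize('<a href="javascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>', '<a>boo</a>');

is(MT::Sanitize->sanitize('<a href="jav&#x0D;ascript:alert(\'xxx\')">boo</a>', 'a href'), '<a>boo</a>', '<a>boo</a>');

is(MT::Sanitize->sanitize('<a href="java&#x20;script.html">boo</a>', 'a href'), '<a href="java&#x20;script.html">boo</a>', '<a href="java&#x20;script.html">boo</a>');

# The description writes the embedded NUL byte as "(null)" (presumably to keep
# the TAP output printable); the input itself carries a real chr(0).
is(MT::Sanitize->sanitize('<a href="javascript&#5' . chr(0) . '8;alert(\'boo\')">click</a>', 'a href'), '<a>click</a>', '<a href="javascript&5(null)8;alert(\'boo\')">click</a>');

# An unterminated <i ...> with a style attribute is discarded rather than
# emitted half-parsed; the enclosing <p> is closed.
is(MT::Sanitize->sanitize('<p><i style="x:expression:alert(\'xss\')"', 'p,i'), '<p></p>', '<p><i style="x:expression:alert(\'xss\')"');

# Known gap: the '?>' inside the /* */ comment ends the sanitizer's
# '<? ... ?>' match early, so the tail of the block survives as text.  PHP
# does not leave code mode on a '?>' inside a block comment, so the whole
# string is one PHP block and the safe output is ''.  Marked TODO so the
# suite keeps passing today but reports the moment the sanitizer is fixed,
# instead of pinning the insecure output as the expected value.
TODO: {
    local $TODO = 'MT::Sanitize does not handle ?> inside a PHP block comment';
    is(MT::Sanitize->sanitize('<? /* ?> */ readfile("/etc/passwd") ?>'), '', 'php cloaking attempt');
}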