test/libraries/PMA_sanitize_test.php

   1 <?php
   2 /* vim: set expandtab sw=4 ts=4 sts=4: */
   3 /**
   4  * tests for PMA_sanitize()
   5  *
   6  * @package phpMyAdmin-test
   7  */
   8
   9 /*
  10  * Include to test
  11  */
  12 require_once 'libraries/sanitizing.lib.php';
  13 require_once 'libraries/url_generating.lib.php';
  14 require_once 'libraries/core.lib.php';
  15
  16 class PMA_sanitize_test extends PHPUnit_Framework_TestCase
  17 {
  18     function setUp()
  19     {
  20         $_SESSION[' PMA_token '] = 'token';
  21     }
  22
  23     /**
  24      * Tests for proper escaping of XSS.
  25      */
  26     public function testXssInHref()
  27     {
  28         $this->assertEquals('[a@javascript:alert(\'XSS\');@target]link</a>',
  29             PMA_sanitize('[a@javascript:alert(\'XSS\');@target]link[/a]'));
  30     }
  31
  32     /**
  33      * Tests correct generating of link redirector.
  34      */
  35     public function testLink()
  36     {
  37         unset($GLOBALS['server']);
  38         unset($GLOBALS['lang']);
  39         $this->assertEquals('<a href="./url.php?url=http%3A%2F%2Fwww.phpmyadmin.net%2F&amp;token=token" target="target">link</a>',
  40             PMA_sanitize('[a@http://www.phpmyadmin.net/@target]link[/a]'));
  41     }
  42
  43     /**
  44      * Tests links to documentation.
  45      */
  46     public function testLinkDoc()
  47     {
  48         $this->assertEquals('<a href="./Documentation.html">doc</a>',
  49             PMA_sanitize('[a@./Documentation.html]doc[/a]'));
  50     }
  51
  52     /**
  53      * Tests link target validation.
  54      */
  55     public function testInvalidTarget()
  56     {
  57         $this->assertEquals('[a@./Documentation.html@INVALID9]doc</a>',
  58             PMA_sanitize('[a@./Documentation.html@INVALID9]doc[/a]'));
  59     }
  60
  61     /**
  62      * Tests XSS escaping after valid link.
  63      */
  64     public function testLinkDocXss()
  65     {
  66         $this->assertEquals('[a@./Documentation.html" onmouseover="alert(foo)"]doc</a>',
  67             PMA_sanitize('[a@./Documentation.html" onmouseover="alert(foo)"]doc[/a]'));
  68     }
  69
  70     /**
  71      * Tests proper handling of multi link code.
  72      */
  73     public function testLinkAndXssInHref()
  74     {
  75         $this->assertEquals('<a href="./Documentation.html">doc</a>[a@javascript:alert(\'XSS\');@target]link</a>',
  76             PMA_sanitize('[a@./Documentation.html]doc[/a][a@javascript:alert(\'XSS\');@target]link[/a]'));
  77     }
  78
  79     /**
  80      * Test escaping of HTML tags
  81      */
  82     public function testHtmlTags()
  83     {
  84         $this->assertEquals('&lt;div onclick=""&gt;',
  85             PMA_sanitize('<div onclick="">'));
  86     }
  87
  88     /**
  89      * Tests basic BB code.
  90      */
  91     public function testBBCode()
  92     {
  93         $this->assertEquals('<strong>strong</strong>',
  94             PMA_sanitize('[b]strong[/b]'));
  95     }
  96
  97     /**
  98      * Tests output escaping.
  99      */
 100     public function testEscape()
 101     {
 102         $this->assertEquals('&lt;strong&gt;strong&lt;/strong&gt;',
 103             PMA_sanitize('[strong]strong[/strong]', true));
 104     }
 105 }
 106 ?>