
  1. <?php
  2. /**
  3.  * Tests for XSSFilter
  4.  * LICENSE: LGPLv3+
  5.  *
  6.  * @author Steve 'Ashcrow' Milner
  7.  * @author Lisa Lu
  8.  * @category security
  9.  * @license LGPLv3+
  10.  * @link http://bitbucket.org/ashcrow/php-xssfilter
  11.  * @package XSSFilter
  12.  * @version 1.0.1
  13.  */
  14.  
  15. require_once 'PHPUnit/Framework.php';
  16. require_once 'src/XSSFilter.class.php';
  17.  
  18.  
  19. class XSSFilterTest extends PHPUnit_Framework_TestCase
  20. {
  21.  
  22.     /**
  23.      * Sets up the test case.
  24.      */
  25.     public function setUp()
  26.     {
  27.         $this->unsafe new XSSFilter(FalseFalseFalseFalseFalse);
  28.         $this->all_filters_on new XSSFilter(TrueTrueTrueTrueFalse);
  29.         $this->all_filters_on_extended new XSSFilter(
  30.             TrueTrueTrueTrueTrue);
  31.         $this->example new XSSFilter(TrueTrueFalseTrueTrue);
  32.     }
  33.  
  34.     /**
  35.      * Verifies that the proper types are returned based on what
  36.      * options are enabled.
  37.      */
  38.     public function testTypes()
  39.     {
  40.         $to_filter_str 'start<b>inside</b>end';
  41.         $to_filter_array array('test'=>$to_filter_str);
  42.  
  43.         // Unsafe should not modify types
  44.         $this->assertType('array',
  45.             $this->unsafe->filter($to_filter_array));
  46.         $this->assertType('string',
  47.             $this->unsafe->filter($to_filter_str));
  48.  
  49.         // All filters on should not modify types
  50.         $this->assertType('array',
  51.             $this->all_filters_on->filter($to_filter_array));
  52.         $this->assertType('string',
  53.             $this->all_filters_on->filter($to_filter_str));
  54.  
  55.         // All filters on extended should modify types to ExtendedResponse*
  56.         $this->assertType('ExtendedResponseArray',
  57.             $this->all_filters_on_extended->filter($to_filter_array));
  58.         $this->assertType('ExtendedResponseString',
  59.             $this->all_filters_on_extended->filter($to_filter_str));
  60.  
  61.         // Example should modify types to ExtendedResponse*
  62.         $this->assertType('ExtendedResponseArray',
  63.             $this->example->filter($to_filter_array));
  64.         $this->assertType('ExtendedResponseString',
  65.             $this->example->filter($to_filter_str));
  66.     }
  67.  
  68.     /**
  69.      * Verifies that all conversions from ExtendedResponse* work properly.
  70.      */
  71.     public function testExtendedConversions()
  72.     {
  73.         // Converting an ExtendedResponseArray to string should simply
  74.         // give us the string 'Array' -- just like an array does.
  75.         $this->assertEquals('Array',
  76.             (string) $this->all_filters_on_extended->filter(
  77.                 array('test'=>'test')));
  78.         // Converting ExtendedResponseString to string should be the
  79.         // exact string passed in.
  80.         $this->assertEquals('test',
  81.             (string) $this->all_filters_on_extended->filter('test'));
  82.     }
  83.  
  84.     /**
  85.      * Verifies that all the Extended properties exist and work as expected.
  86.      */
  87.     public function testExtendedProperties()
  88.     {
  89.         $no_changes 'test';
  90.         $no_changes_arr array('test' => $no_changes);
  91.         $changes '<b>test';
  92.         $changes_arr array('test' => $changes);
  93.  
  94.         // Getting changes should always be a bool and reflect if
  95.         // changes to the string or array had to be made
  96.         // array
  97.         $this->assertEquals(False,
  98.             ($this->all_filters_on_extended->filter(
  99.                 $no_changes_arr)->changes));
  100.         $this->assertEquals(True,
  101.             ($this->all_filters_on_extended->filter(
  102.                 $changes_arr)->changes));
  103.         // string
  104.         $this->assertEquals(False,
  105.             $this->all_filters_on_extended->filter($no_changes)->changes);
  106.         $this->assertEquals(True,
  107.             $this->all_filters_on_extended->filter($changes)->changes);
  108.  
  109.         // Requesting the data should give us the same as casting
  110.         // to a string or array
  111.         // array
  112.         $this->assertEquals(
  113.             (array) $this->all_filters_on_extended->filter(
  114.                 $no_changes_arr),
  115.             $this->all_filters_on_extended->filter(
  116.                 $no_changes_arr)->data);
  117.         $this->assertEquals(
  118.             (array) $this->all_filters_on_extended->filter(
  119.                 $changes_arr),
  120.             $this->all_filters_on_extended->filter($changes_arr)->data);
  121.  
  122.         // string
  123.         $this->assertEquals(
  124.             (string) $this->all_filters_on_extended->filter($no_changes),
  125.             $this->all_filters_on_extended->filter($no_changes)->data);
  126.         $this->assertEquals(
  127.             (string) $this->all_filters_on_extended->filter($changes),
  128.             $this->all_filters_on_extended->filter($changes)->data);
  129.  
  130.         // Anything that is not data or changes should return nothing
  131.         // no matter what is passed in
  132.         $this->assertNull(
  133.             $this->all_filters_on_extended->filter($changes)->test);
  134.         $this->assertNull(
  135.             $this->all_filters_on_extended->filter($no_changes)->test);
  136.         $this->assertNull(
  137.             $this->all_filters_on_extended->filter($changes_arr)->test);
  138.         $this->assertNull(
  139.             $this->all_filters_on_extended->filter($no_changes_arr)->test);
  140.  
  141.     }
  142.  
  143.     /**
  144.      * Verifies the type of filtering that is expected is returned.
  145.      */
  146.     public function testFilters()
  147.     {
  148.         // Inputs
  149.         $simple_html 'start<b>inside</b>end';
  150.         $example_xss_double '"><script>alert(1);</script><span "';
  151.         $example_xss_single "'><script>alert(1);</script><span '";
  152.         $combined array(
  153.             'simple_html' => $simple_html,
  154.             'example_xss_double' => $example_xss_double,
  155.             'example_xss_single' => $example_xss_single,
  156.         );
  157.  
  158.         // Everything off should do NOTHING
  159.         $this->assertEquals($simple_html$this->unsafe->filter($simple_html));
  160.         $this->assertEquals($example_xss_double,
  161.             $this->unsafe->filter($example_xss_double));
  162.         $this->assertEquals($example_xss_single,
  163.             $this->unsafe->filter($example_xss_single));
  164.         $this->assertEquals($combined,
  165.             $this->unsafe->filter($combined));
  166.  
  167.         // All filters on should be safe strings
  168.         $results array(
  169.             'simple_html' => 'startend',
  170.             'example_xss_double' => '%26quot%3B%26gt%3B',
  171.             'example_xss_single' => '%27%26gt%3B',
  172.         );
  173.         $this->assertEquals($results['simple_html'],
  174.             $this->all_filters_on->filter($simple_html));
  175.         $this->assertEquals($results['example_xss_double'],
  176.             $this->all_filters_on->filter($example_xss_double));
  177.         $this->assertEquals($results['example_xss_single'],
  178.             $this->all_filters_on->filter($example_xss_single));
  179.         $this->assertEquals($results,
  180.             $this->all_filters_on->filter($combined));
  181.  
  182.         // All filters on extended should be safe strings in extended format
  183.         $results array(
  184.             'simple_html' => 'startend',
  185.             'example_xss_double' => '%26quot%3B%26gt%3B',
  186.             'example_xss_single' => '%27%26gt%3B',
  187.         );
  188.         $this->assertEquals($results['simple_html'],
  189.             (string) $this->all_filters_on_extended->filter($simple_html));
  190.         $this->assertEquals($results['example_xss_double'],
  191.             (string) $this->all_filters_on_extended->filter(
  192.                 $example_xss_double));
  193.         $this->assertEquals($results['example_xss_single'],
  194.             (string) $this->all_filters_on_extended->filter(
  195.                 $example_xss_single));
  196.         $this->assertEquals($results,
  197.             (array) $this->all_filters_on_extended->filter($combined));
  198.  
  199.         // Example should be safe strings in extended format
  200.         $results array(
  201.             'simple_html' => 'startend',
  202.             'example_xss_double' => '%22%3E',
  203.             'example_xss_single' => '%27%3E',
  204.         );
  205.         $this->assertEquals($results['simple_html'],
  206.             (string) $this->example->filter($simple_html));
  207.         $this->assertEquals($results['example_xss_double'],
  208.             (string) $this->example->filter($example_xss_double));
  209.         $this->assertEquals($results['example_xss_single'],
  210.             (string) $this->example->filter($example_xss_single));
  211.         $this->assertEquals($results,
  212.             (array) $this->example->filter($combined));
  213.     }
  214. }
