Diffstat (limited to 't/008filter.t')
-rw-r--r-- | t/008filter.t | 40 |
1 files changed, 20 insertions, 20 deletions
diff --git a/t/008filter.t b/t/008filter.t
index 443fb2b4f..d86e6c7a6 100644
--- a/t/008filter.t
+++ b/t/008filter.t
@@ -11,7 +11,7 @@
 # This test scans all our templates for every directive. Having eliminated
 # those which cannot possibly cause XSS problems, it then checks the rest
-# against the safe list stored in the filterexceptions.pl file.
+# against the safe list stored in the filterexceptions.pl file.
 # Sample exploit code: '>"><script>alert('Oh dear...')</script>
@@ -42,17 +42,17 @@ foreach my $path (@Support::Templates::include_paths) {
 chdir $topdir; # absolute path
 my @testitems = Support::Templates::find_actual_files($path);
 chdir $topdir; # absolute path
-
+
 next unless @testitems;
-
+
 # Some people require this, others don't. No-one knows why.
 chdir $path; # relative path
-
+
 # We load a %safe list of acceptable exceptions.
 if (-r "filterexceptions.pl") {
 do "filterexceptions.pl";
 if (ON_WINDOWS) {
- # filterexceptions.pl uses / separated paths, while
+ # filterexceptions.pl uses / separated paths, while
 # find_actual_files returns \ separated ones on Windows.
 # Here, we convert the filter exception hash to use \.
 foreach my $file (keys %safe) {
@@ -65,16 +65,16 @@ foreach my $path (@Support::Templates::include_paths) {
 }
 }
 }
-
+
 # We preprocess the %safe hash of lists into a hash of hashes. This allows
- # us to flag which members were not found, and report that as a warning,
+ # us to flag which members were not found, and report that as a warning,
 # thereby keeping the lists clean.
 foreach my $file (keys %safe) {
 if (ref $safe{$file} eq 'ARRAY') {
 my $list = $safe{$file};
 $safe{$file} = {};
 foreach my $directive (@$list) {
- $safe{$file}{$directive} = 0;
+ $safe{$file}{$directive} = 0;
 }
 }
 }
@@ -105,14 +105,14 @@ foreach my $path (@Support::Templates::include_paths) {
 if (!directive_ok($file, $directive)) {
 # This intentionally makes no effort to eliminate duplicates; to do
- # so would merely make it more likely that the user would not
+ # so would merely make it more likely that the user would not
 # escape all instances when attempting to correct an error.
 push(@unfiltered, "$lineno:$directive");
 }
- }
+ }
 my $fullpath = File::Spec->catfile($path, $file);
-
+
 if (@unfiltered) {
 my $uflist = join("\n ", @unfiltered);
 ok(0, "($lang/$flavor) $fullpath has unfiltered directives:\n $uflist\n--ERROR");
@@ -121,12 +121,12 @@ foreach my $path (@Support::Templates::include_paths) {
 # Find any members of the exclusion list which were not found
 my @notfound;
 foreach my $directive (keys %{$safe{$file}}) {
- push(@notfound, $directive) if ($safe{$file}{$directive} == 0);
+ push(@notfound, $directive) if ($safe{$file}{$directive} == 0);
 }
 if (@notfound) {
 my $nflist = join("\n ", @notfound);
- ok(0, "($lang/$flavor) $fullpath - filterexceptions.pl has extra members:\n $nflist\n" .
+ ok(0, "($lang/$flavor) $fullpath - filterexceptions.pl has extra members:\n $nflist\n" .
 "--WARNING");
 }
 else {
@@ -141,7 +141,7 @@ sub directive_ok {
 my ($file, $directive) = @_;
 # Comments
- return 1 if $directive =~ /^#/;
+ return 1 if $directive =~ /^#/;
 # Remove any leading/trailing whitespace.
 $directive =~ s/^\s*//;
@@ -183,7 +183,7 @@ sub directive_ok {
 # Simple assignments
 return 1 if $directive =~ /^[\w\.\$\{\}]+\s+=\s+/;
- # Conditional literals with either sort of quotes
+ # Conditional literals with either sort of quotes
 # There must be no $ in the string for it to be a literal
 return 1 if $directive =~ /^(["'])[^\$]*[^\\]\1/;
 return 1 if $directive =~ /^(["'])\1/;
@@ -191,10 +191,10 @@ sub directive_ok {
 # Special values always used for numbers
 return 1 if $directive =~ /^[ijkn]$/;
 return 1 if $directive =~ /^count$/;
-
+
 # Params
 return 1 if $directive =~ /^Param\(/;
-
+
 # Hooks
 return 1 if $directive =~ /^Hook.process\(/;
@@ -206,12 +206,12 @@ sub directive_ok {
 # Special Template Toolkit loop variable
 return 1 if $directive =~ /^loop\.(index|count)$/;
-
+
 # Branding terms
 return 1 if $directive =~ /^terms\./;
-
+
 # Things which are already filtered
- # Note: If a single directive prints two things, and only one is
+ # Note: If a single directive prints two things, and only one is
 # filtered, we may not catch that case.
 return 1 if $directive =~ /FILTER\ (html|csv|js|base64|css_class_quote|ics|
 quoteUrls|time|uri|xml|lower|html_light| |