diff options
Diffstat (limited to 'tests')
-rw-r--r-- | tests/codeigniter/core/Common_test.php | 5 | ||||
-rw-r--r-- | tests/codeigniter/core/Config_test.php | 47 | ||||
-rw-r--r-- | tests/codeigniter/core/Security_test.php | 35 |
3 files changed, 42 insertions, 45 deletions
diff --git a/tests/codeigniter/core/Common_test.php b/tests/codeigniter/core/Common_test.php index 999b49cb3..81a185eaf 100644 --- a/tests/codeigniter/core/Common_test.php +++ b/tests/codeigniter/core/Common_test.php @@ -47,6 +47,11 @@ class Common_test extends CI_TestCase { html_escape('Here is a string containing "quoted" text.'), 'Here is a string containing "quoted" text.' ); + + $this->assertEquals( + html_escape(array('associative' => 'and', array('multi' => 'dimentional'))), + array('associative' => 'and', array('multi' => 'dimentional')) + ); } }
\ No newline at end of file diff --git a/tests/codeigniter/core/Config_test.php b/tests/codeigniter/core/Config_test.php index f125fc6e9..26a5f32f5 100644 --- a/tests/codeigniter/core/Config_test.php +++ b/tests/codeigniter/core/Config_test.php @@ -79,46 +79,33 @@ class Config_test extends CI_TestCase { $old_script_name = isset($_SERVER['SCRIPT_NAME']) ? $_SERVER['SCRIPT_NAME'] : NULL; $old_script_filename = $_SERVER['SCRIPT_FILENAME']; $old_https = isset($_SERVER['HTTPS']) ? $_SERVER['HTTPS'] : NULL; + $old_server_addr = isset($_SERVER['SERVER_ADDR']) ? $_SERVER['SERVER_ADDR'] : NULL; - // Setup server vars for detection - $host = 'test.com'; - $path = '/'; - $script = 'base_test.php'; - $_SERVER['HTTP_HOST'] = $host; - $_SERVER['SCRIPT_NAME'] = $path.$script; - $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/'.$script; - - // Rerun constructor + // The 'Host' header is user input and must not be trusted + $_SERVER['HTTP_HOST'] = 'test.com'; $this->config = new $cls; + $this->assertEquals('http://localhost/', $this->config->base_url()); - // Test plain detected (root) - $this->assertEquals('http://'.$host.$path, $this->config->base_url()); - - // Rerun constructor - $path = '/path/'; - $_SERVER['SCRIPT_NAME'] = $path.$script; - $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/'.$path.$script; + // However, we may fallback to the server's IP address + $_SERVER['SERVER_ADDR'] = '127.0.0.1'; + $_SERVER['SCRIPT_NAME'] = '/base_test.php'; + $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/base_test.php'; $this->config = new $cls; + $this->assertEquals('http://127.0.0.1/', $this->config->base_url()); - // Test plain detected (subfolder) - $this->assertEquals('http://'.$host.$path, $this->config->base_url()); - - // Rerun constructor + // Making sure that HTTPS and URI path are also detected $_SERVER['HTTPS'] = 'on'; + $_SERVER['SCRIPT_NAME'] = '/path/base_test.php'; + $_SERVER['SCRIPT_FILENAME'] = '/foo/bar/path/base_test.php'; $this->config = new $cls; - - // Test secure detected - $this->assertEquals('https://'.$host.$path, $this->config->base_url()); + $this->assertEquals('https://127.0.0.1/path/', $this->config->base_url()); // Restore server vars - if ($old_host === NULL) unset($_SERVER['HTTP_HOST']); - else $_SERVER['HTTP_HOST'] = $old_host; - if ($old_script_name === NULL) unset($_SERVER['SCRIPT_NAME']); - else $_SERVER['SCRIPT_NAME'] = $old_script_name; - if ($old_https === NULL) unset($_SERVER['HTTPS']); - else $_SERVER['HTTPS'] = $old_https; - + $_SERVER['HTTP_HOST'] = $old_host; + $_SERVER['SCRIPT_NAME'] = $old_script_name; $_SERVER['SCRIPT_FILENAME'] = $old_script_filename; + $_SERVER['HTTPS'] = $old_https; + $_SERVER['SERVER_ADDR'] = $old_server_addr; } // -------------------------------------------------------------------- diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index 52967dc2f..2ef822863 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -115,7 +115,7 @@ class Security_test extends CI_TestCase { public function test_xss_clean_entity_double_encoded() { $input = '<a href="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere</a>'; - $this->assertEquals('<a >Clickhere</a>', $this->security->xss_clean($input)); + $this->assertEquals('<a>Clickhere</a>', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- @@ -134,7 +134,7 @@ class Security_test extends CI_TestCase { public function test_xss_clean_js_img_removal() { $input = '<img src="&#106&#97&#118&#97&#115&#99&#114&#105&#112&#116&#58&#99&#111&#110&#102&#105&#114&#109&#40&#49&#41">Clickhere'; - $this->assertEquals('<img >', $this->security->xss_clean($input)); + $this->assertEquals('<img>', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- @@ -146,7 +146,7 @@ class Security_test extends CI_TestCase { $this->assertEquals('<fubar>', $this->security->xss_clean('<fubar>')); $this->assertEquals( - '<img [removed]> src="x">', + '<img svg=""> src="x">', $this->security->xss_clean('<img <svg=""> src="x">') ); @@ -160,21 +160,21 @@ class Security_test extends CI_TestCase { public function test_xss_clean_sanitize_naughty_html_attributes() { - $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttribute="bar">')); - $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>')); - $this->assertEquals('<foo [removed]bar>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttribute="bar">')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttributeNoQuotes=bar>')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo onAttributeWithSpaces = bar>')); $this->assertEquals('<foo prefixOnAttribute="bar">', $this->security->xss_clean('<foo prefixOnAttribute="bar">')); $this->assertEquals('<foo>onOutsideOfTag=test</foo>', $this->security->xss_clean('<foo>onOutsideOfTag=test</foo>')); $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true')); - $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo fscommand=case-insensitive>')); - $this->assertEquals('<foo [removed]>', $this->security->xss_clean('<foo seekSegmentTime=whatever>')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo fscommand=case-insensitive>')); + $this->assertEquals('<foo xss=removed>', $this->security->xss_clean('<foo seekSegmentTime=whatever>')); $this->assertEquals( - '<foo bar=">" baz=\'>\' [removed]>', + '<foo bar=">" baz=\'>\' xss=removed>', $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan="quotes">') ); $this->assertEquals( - '<foo bar=">" baz=\'>\' [removed]>', + '<foo bar=">" baz=\'>\' xss=removed>', $this->security->xss_clean('<foo bar=">" baz=\'>\' onAfterGreaterThan=noQuotes>') ); @@ -194,7 +194,7 @@ class Security_test extends CI_TestCase { ); $this->assertEquals( - '<a [removed]>', + '<a xss=removed>', $this->security->xss_clean('<a< onmouseover="alert(1)">') ); @@ -204,19 +204,24 @@ class Security_test extends CI_TestCase { ); $this->assertEquals( - '<image src="<>" [removed]>', + '<image src="<>" xss=removed>', $this->security->xss_clean('<image src="<>" onerror=\'alert(1)\'>') ); $this->assertEquals( - '<b [removed] [removed]>', + '<b xss=removed>', $this->security->xss_clean('<b "=<= onmouseover=alert(1)>') ); $this->assertEquals( - '<b [removed] [removed]alert(1),1>1">', + '<b xss=removed xss=removed>1">', $this->security->xss_clean('<b a=<=" onmouseover="alert(1),1>1">') ); + + $this->assertEquals( + '<b x=" onmouseover=alert(1)//">', + $this->security->xss_clean('<b "="< x=" onmouseover=alert(1)//">') + ); } // -------------------------------------------------------------------- @@ -228,7 +233,7 @@ class Security_test extends CI_TestCase { public function test_naughty_html_plus_evil_attributes() { $this->assertEquals( - '<svg<img > src="x" [removed]>', + '<svg<img src="x" xss=removed>', $this->security->xss_clean('<svg<img > src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">') ); } |