From 71b1b3f5b2dcc0f4b652e9494e9853b82541ac8c Mon Sep 17 00:00:00 2001 From: Andrey Andreev Date: Tue, 27 Oct 2015 12:30:18 +0200 Subject: Harden xss_clean() --- tests/codeigniter/core/Security_test.php | 35 ++++++++++++++++++-------------- 1 file changed, 20 insertions(+), 15 deletions(-) (limited to 'tests/codeigniter/core/Security_test.php') diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php index 52967dc2f..2ef822863 100644 --- a/tests/codeigniter/core/Security_test.php +++ b/tests/codeigniter/core/Security_test.php @@ -115,7 +115,7 @@ class Security_test extends CI_TestCase { public function test_xss_clean_entity_double_encoded() { $input = 'Clickhere'; - $this->assertEquals('Clickhere', $this->security->xss_clean($input)); + $this->assertEquals('Clickhere', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- @@ -134,7 +134,7 @@ class Security_test extends CI_TestCase { public function test_xss_clean_js_img_removal() { $input = 'Clickhere'; - $this->assertEquals('', $this->security->xss_clean($input)); + $this->assertEquals('', $this->security->xss_clean($input)); } // -------------------------------------------------------------------- @@ -146,7 +146,7 @@ class Security_test extends CI_TestCase { $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals( - ' src="x">', + ' src="x">', $this->security->xss_clean(' src="x">') ); @@ -160,21 +160,21 @@ class Security_test extends CI_TestCase { public function test_xss_clean_sanitize_naughty_html_attributes() { - $this->assertEquals('', $this->security->xss_clean('')); - $this->assertEquals('', $this->security->xss_clean('')); - $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals('onOutsideOfTag=test', $this->security->xss_clean('onOutsideOfTag=test')); $this->assertEquals('onNoTagAtAll = true', $this->security->xss_clean('onNoTagAtAll = true')); - $this->assertEquals('', $this->security->xss_clean('')); - $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); + $this->assertEquals('', $this->security->xss_clean('')); $this->assertEquals( - '\' [removed]>', + '\' xss=removed>', $this->security->xss_clean('\' onAfterGreaterThan="quotes">') ); $this->assertEquals( - '\' [removed]>', + '\' xss=removed>', $this->security->xss_clean('\' onAfterGreaterThan=noQuotes>') ); @@ -194,7 +194,7 @@ class Security_test extends CI_TestCase { ); $this->assertEquals( - '', + '', $this->security->xss_clean('') ); @@ -204,19 +204,24 @@ class Security_test extends CI_TestCase { ); $this->assertEquals( - '', + '', $this->security->xss_clean('') ); $this->assertEquals( - '', + '', $this->security->xss_clean('') ); $this->assertEquals( - '1">', + '1">', $this->security->xss_clean('') ); + + $this->assertEquals( + '', + $this->security->xss_clean('') + ); } // -------------------------------------------------------------------- @@ -228,7 +233,7 @@ class Security_test extends CI_TestCase { public function test_naughty_html_plus_evil_attributes() { $this->assertEquals( - '<svg', + '<svg', $this->security->xss_clean(' src="x" onerror="location=/javascript/.source+/:alert/.source+/(1)/.source">') ); } -- cgit v1.2.3-24-g4f1b