ci_set_config('csrf_protection', TRUE);
$this->ci_set_config('csrf_token_name', 'ci_csrf_token');
$this->ci_set_config('csrf_cookie_name', 'ci_csrf_cookie');
$this->security = new Mock_Core_Security();
}
// --------------------------------------------------------------------
public function test_csrf_verify()
{
    // For a GET request no token is supplied at all; the expectation is that
    // csrf_verify() passes through and hands back the object for chaining.
    $_SERVER['REQUEST_METHOD'] = 'GET';

    $result = $this->security->csrf_verify();

    $this->assertInstanceOf('CI_Security', $result);
}
// --------------------------------------------------------------------
public function test_csrf_verify_invalid()
{
    // A POST that does not carry $_POST[csrf_token_name] is expected to be
    // rejected with CodeIgniter's "not allowed" error instead of returning.
    $_SERVER['REQUEST_METHOD'] = 'POST';

    $this->setExpectedException(
        'RuntimeException',
        'CI Error: The action you have requested is not allowed'
    );

    $this->security->csrf_verify();
}
// --------------------------------------------------------------------
public function test_csrf_verify_valid()
{
    $_SERVER['REQUEST_METHOD'] = 'POST';

    // Echo the hash the object already holds back under its configured token
    // field name, which is what a legitimate form submission would do.
    $token_field = $this->security->csrf_token_name;
    $_POST[$token_field] = $this->security->csrf_hash;

    $verified = $this->security->csrf_verify();

    $this->assertInstanceOf('CI_Security', $verified);
}
// --------------------------------------------------------------------
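public function test_get_csrf_hash()
{
    // The getter must return exactly the stored hash. assertSame is used
    // rather than assertEquals because the latter falls back to PHP's loose
    // string comparison, under which two different numeric-looking values
    // (e.g. hashes of the form "0e<digits>") compare as equal and the test
    // could pass against a wrong token.
    $this->assertSame($this->security->csrf_hash, $this->security->get_csrf_hash());
}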
// --------------------------------------------------------------------
public function test_get_csrf_token_name()
{
    // Must reflect the csrf_token_name value configured during test set-up.
    $name = $this->security->get_csrf_token_name();

    $this->assertEquals('ci_csrf_token', $name);
}
// --------------------------------------------------------------------
public function test_xss_clean()
{
    // NOTE(review): the expected output still contains the "[removed]"
    // placeholders xss_clean() substitutes for dangerous markup, but the
    // input below contains no markup at all — the fixture appears to have
    // been stripped in this copy of the file; confirm against upstream.
    $input = "Hello, i try to your site";
    $expected = "Hello, i try to [removed]alert('Hack');[removed] your site";

    $cleaned = $this->security->xss_clean($input);

    $this->assertEquals($expected, $cleaned);
}
public function test_xss_clean_entity_double_encoded()
{
    // NOTE(review): the entity-encoded markup this case is named after is
    // not present in this copy of the fixture — confirm against upstream.
    $input = 'Clickhere';

    $cleaned = $this->security->xss_clean($input);

    $this->assertEquals('Clickhere', $cleaned);
}
// --------------------------------------------------------------------
public function test_remove_evil_attributes()
{
    // Each case is [expected, input]; the second argument (is_image) is false
    // throughout. The last two cases show that "on*" text which is not inside
    // any tag is left untouched.
    // NOTE(review): the tag markup of the first four cases appears stripped in
    // this copy of the file — confirm against upstream.
    $cases = [
        ['', ''],
        ['', ''],
        ['', ''],
        ['', ''],
        ['onOutsideOfTag=test', 'onOutsideOfTag=test'],
        ['onNoTagAtAll = true', 'onNoTagAtAll = true'],
    ];

    foreach ($cases as $case) {
        $expected = $case[0];
        $input = $case[1];

        $this->assertEquals($expected, $this->security->remove_evil_attributes($input, false));
    }
}
// --------------------------------------------------------------------
public function test_xss_hash()
{
    // No hash exists until xss_hash() has been called at least once.
    $this->assertEmpty($this->security->xss_hash);

    $this->security->xss_hash();

    // After generation the property must hold a 32-character hex string.
    $looks_like_hex32 = preg_match('#^[0-9a-f]{32}$#iS', $this->security->xss_hash);

    $this->assertTrue($looks_like_hex32 === 1);
}
// --------------------------------------------------------------------
public function test_entity_decode()
{
    // NOTE(review): in this copy the "encoded" input already contains raw
    // tags and the expected value has lost them — confirm both against
    // upstream before relying on this case.
    $encoded = '<div>Hello <b>Booya</b></div>';
    $decoded = $this->security->entity_decode($encoded);

    $this->assertEquals("Hello Booya\n", $decoded);

    // Issue #3057 (https://github.com/bcit-ci/CodeIgniter/issues/3057):
    // a bare "&foo" that is not a real entity must survive decoding intact.
    $not_an_entity = '&foo should not include a semicolon';

    $this->assertEquals($not_an_entity, $this->security->entity_decode($not_an_entity));
}
// --------------------------------------------------------------------
public function test_sanitize_filename()
{
    // NOTE(review): the input is './' while the expected result is 'foo',
    // which suggests part of the original fixture was stripped in this copy
    // of the file — confirm against upstream.
    $unsafe = './';

    $sanitized = $this->security->sanitize_filename($unsafe);

    $this->assertEquals('foo', $sanitized);
}
// --------------------------------------------------------------------
public function test_strip_image_tags()
{
    // The two lists are parallel: strip_image_tags() applied to entry i of
    // $img_tags is expected to yield entry i of $expected_urls.
    // NOTE(review): every markup fixture is an empty string in this copy of
    // the file while most expected URLs are not — confirm against upstream.
    $img_tags = [
        '',
        '',
        '',
        '',
        '',
        '',
        '',
        '',
    ];

    $expected_urls = [
        'smiley.gif',
        'smiley.gif',
        'http://www.w3schools.com/images/w3schools_green.jpg',
        '/img/sunset.gif',
        'mdn-logo-sm.png',
        '',
        '',
        '',
    ];

    foreach ($img_tags as $index => $tag) {
        $this->assertEquals($expected_urls[$index], $this->security->strip_image_tags($tag));
    }
}
}