// Copyright (c) 2011, Mike Samuel // All rights reserved. // // Redistribution and use in source and binary forms, with or without // modification, are permitted provided that the following conditions // are met: // // Redistributions of source code must retain the above copyright // notice, this list of conditions and the following disclaimer. // Redistributions in binary form must reproduce the above copyright // notice, this list of conditions and the following disclaimer in the // documentation and/or other materials provided with the distribution. // Neither the name of the OWASP nor the names of its contributors may // be used to endorse or promote products derived from this software // without specific prior written permission. // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE // POSSIBILITY OF SUCH DAMAGE. package org.owasp.html; import org.junit.Test; import junit.framework.TestCase; public class SanitizersTest extends TestCase { @Test public static final void testFormatting() { assertEquals("", Sanitizers.FORMATTING.sanitize(null)); assertEquals("", Sanitizers.FORMATTING.sanitize("")); assertEquals( "Hello, World!", Sanitizers.FORMATTING.sanitize("Hello, World!")); assertEquals( "Hello, World!", Sanitizers.FORMATTING.sanitize("Hello, World!")); assertEquals( "Hello, World!", Sanitizers.FORMATTING.sanitize( "
Hello, World!
")); } @Test public static final void testBlockElements() { assertEquals("", Sanitizers.BLOCKS.sanitize(null)); assertEquals( "Hello, World!", Sanitizers.BLOCKS.sanitize("Hello, World!")); assertEquals( "Hello, World!", Sanitizers.BLOCKS.sanitize("Hello, World!")); assertEquals( "Hello, World!
", Sanitizers.BLOCKS.sanitize( "Hello, World!
")); } @Test public static final void testBlockAndFormattingElements() { PolicyFactory s = Sanitizers.BLOCKS.and(Sanitizers.FORMATTING); PolicyFactory r1 = Sanitizers.BLOCKS.and(Sanitizers.FORMATTING) .and(Sanitizers.BLOCKS); PolicyFactory r2 = Sanitizers.BLOCKS.and(Sanitizers.FORMATTING) .and(Sanitizers.FORMATTING); for (PolicyFactory f : new PolicyFactory[] { s, r1, r2 }) { assertEquals("", f.sanitize(null)); assertEquals("Hello, World!", f.sanitize("Hello, World!")); assertEquals("Hello, World!", f.sanitize("Hello, World!")); assertEquals( "Hello, World!
", f.sanitize("Hello, World!
")); } } @Test public static final void testStylesAndFormatting() { PolicyFactory sanitizer = Sanitizers.FORMATTING .and(Sanitizers.BLOCKS).and(Sanitizers.STYLES).and(Sanitizers.LINKS); String input = "aaaaaaaaaaaaaaaaaaaaaaa"; String got = sanitizer.sanitize(input); String want = input; assertEquals(want, got); } @Test public static final void testAndIntersects() { PolicyFactory restrictedLink = new HtmlPolicyBuilder() .allowElements("a") .allowUrlProtocols("https") .allowAttributes("href", "title").onElements("a") .toFactory(); PolicyFactory inline = Sanitizers.FORMATTING.and(Sanitizers.LINKS); String inputHtml = "Hello, World" + "!"; PolicyFactory and1 = restrictedLink.and(inline); PolicyFactory and2 = inline.and(restrictedLink); assertEquals( "https-only links", "Hello, World!", restrictedLink.sanitize(inputHtml)); assertEquals( "inline els", "Hello, World" + "!", inline.sanitize(inputHtml)); assertEquals( "https-only links and inline els", "Hello, World" + "!", and1.sanitize(inputHtml)); assertEquals( "inline els and https-only links", "Hello, World" + "!", and2.sanitize(inputHtml)); } @Test public static final void testImages() { PolicyFactory s = Sanitizers.IMAGES; assertEquals( "foo", s.sanitize("foo")); assertEquals( "", s.sanitize("")); assertEquals( "", s.sanitize("")); assertEquals( "", s.sanitize( "")); assertEquals( "", s.sanitize( "") ); } @Test public static final void testLinks() { PolicyFactory s = Sanitizers.LINKS; assertEquals( "Link text", s.sanitize("Link text")); assertEquals( "Link text", s.sanitize( "Link text")); assertEquals( "Link text", s.sanitize( "Link text")); assertEquals( "Link text", s.sanitize( "Link text")); assertEquals( "Link text", s.sanitize( "Link text")); assertEquals( "Link text", s.sanitize( "Link text")); assertEquals( "Link text", s.sanitize( "Link text")); // Not a link. Instead, an attempt to intercept URL references that has // not been explicitly allowed. assertEquals( "Header text", s.sanitize("Header text")); } @Test public static final void testExplicitlyAllowedProtocolsAreCaseInsensitive() { // Issue 24. PolicyFactory s = new HtmlPolicyBuilder() .allowElements("a") .allowAttributes("href").onElements("a") .allowStandardUrlProtocols() .allowUrlProtocols("file") // Don't try this at home .toFactory(); String input = ( "Copy and paste this into email" + "Or this one" + "not with Turkish dotted I's" + "The fail protocol needs to happen"); String want = ( "Copy and paste this into email" + "Or this one" + "not with Turkish dotted I's" + "The fail protocol needs to happen"); assertEquals(want, s.sanitize(input)); } @Test public static final void testIssue9StylesInTables() { String input = "" + "Column One | Column Two | " + "
---|---|
" + "Size 2 | " + "" + "Size 7 | " + "
Column One | Column Two | " + "
---|---|
" + "Size 2 | " + "" + "Size 7 | " + "