1// Copyright (c) 2013, Mike Samuel
2// All rights reserved.
3//
4// Redistribution and use in source and binary forms, with or without
5// modification, are permitted provided that the following conditions
6// are met:
7//
8// Redistributions of source code must retain the above copyright
9// notice, this list of conditions and the following disclaimer.
10// Redistributions in binary form must reproduce the above copyright
11// notice, this list of conditions and the following disclaimer in the
12// documentation and/or other materials provided with the distribution.
13// Neither the name of the OWASP nor the names of its contributors may
14// be used to endorse or promote products derived from this software
15// without specific prior written permission.
16// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27// POSSIBILITY OF SUCH DAMAGE.
28
29package org.owasp.html;
30
31import java.util.Collections;
32
33import org.junit.Test;
34
35import junit.framework.TestCase;
36
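/**
 * Checks that the default {@link CssSchema} rejects CSS properties and value
 * tokens that let sanitized content break out of its visual container or
 * execute script, and that a custom schema built with
 * {@link CssSchema#union} only differs from the default where asked.
 */
public final class CssSchemaTest extends TestCase {

  /**
   * CSS properties the default schema must map to
   * {@link CssSchema#DISALLOWED}, each with the reason it is kept out.
   */
  private static final String[] DANGEROUS_PROPERTIES = {
      // May allow escaping informal visual containment when embedders are
      // not particular about establishing a clipping region.
      "display",
      "float",
      "clear",
      "left",
      "right",
      // May ease trusted path violations by allowing links to impersonate
      // controls in the embedding page.
      "cursor",
      // Allows code execution.
      "-moz-binding",
  };

  /**
   * Value tokens no whitelisted property may accept: the bare identifier
   * (checked against {@code Property.literals}) paired with its
   * function-call spelling (checked against {@code Property.fnKeys}).
   */
  private static final String[][] FORBIDDEN_TOKENS = {
      // expression(...) is the legacy IE construct that evaluates script.
      { "expression", "expression(" },
      // url(...) must never be accepted as a generic literal; presumably URL
      // values are routed through the sanitizer's URL handling instead —
      // confirm against CssSchema.
      { "url", "url(" },
  };

  /**
   * Every entry of {@link #DANGEROUS_PROPERTIES} resolves to
   * {@link CssSchema#DISALLOWED} in {@link CssSchema#DEFAULT}.
   */
  @Test
  public static final void testDangerousProperties() {
    for (String key : DANGEROUS_PROPERTIES) {
      assertSame(key, CssSchema.DISALLOWED, CssSchema.DEFAULT.forKey(key));
    }
  }

  /**
   * No property in {@link CssSchema#DEFAULT_WHITELIST} accepts any literal or
   * function form listed in {@link #FORBIDDEN_TOKENS}.
   */
  @Test
  public static final void testDangerousTokens() {
    for (String propName : CssSchema.DEFAULT_WHITELIST) {
      CssSchema.Property property = CssSchema.DEFAULT.forKey(propName);
      // A whitelisted name with no definition is itself a schema bug; report
      // it as a failure rather than letting the field access below NPE.
      assertNotNull(propName, property);
      for (String[] token : FORBIDDEN_TOKENS) {
        String literal = token[0];
        String fnKey = token[1];
        assertFalse(
            propName + " accepts literal " + literal,
            property.literals.contains(literal));
        assertFalse(
            propName + " accepts function " + fnKey,
            property.fnKeys.containsKey(fnKey));
      }
    }
  }

  /**
   * Adding "float" on top of the default schema leaves every other defined
   * property identical to the default and makes the float keywords available.
   */
  @Test
  public static final void testCustom() {
    CssSchema custom = CssSchema.union(
        CssSchema.DEFAULT,
        CssSchema.withProperties(Collections.singleton("float"))
    );
    for (String key : CssSchema.DEFINITIONS.keySet()) {
      if ("float".equals(key)) {
        continue;
      }
      // Expected value first, actual second, so a failure message reads
      // correctly (the default is the reference, the custom schema is tested).
      assertSame(key, CssSchema.DEFAULT.forKey(key), custom.forKey(key));
    }
    CssSchema.Property cssFloat = custom.forKey("float");
    assertNotNull("float", cssFloat);
    assertTrue("left in float", cssFloat.literals.contains("left"));
  }

}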
94