// Copyright (c) 2013, Mike Samuel
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
// Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
// Neither the name of the OWASP nor the names of its contributors may
// be used to endorse or promote products derived from this software
// without specific prior written permission.
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.
package org.owasp.html;

import java.util.Collections;

import org.junit.Test;

import junit.framework.TestCase;

/**
 * Exercises the default CSS schema's whitelist: properties that are known
 * to weaken a sanitizer's containment or trusted-path guarantees must be
 * mapped to {@link CssSchema#DISALLOWED}, no whitelisted property may
 * accept {@code expression} or {@code url} tokens, and a schema built with
 * {@link CssSchema#union} must only differ from the default where asked.
 */
public final class CssSchemaTest extends TestCase {

  /**
   * Property names the default schema must reject outright, grouped by the
   * reason each one is excluded.
   */
  private static final String[] DANGEROUS_PROPERTIES = {
    // May allow escaping informal visual containment when embedders are
    // not particular about establishing a clipping region.
    "display",
    "float",
    "clear",
    "left",
    "right",
    // May ease trusted path violations by allowing links to impersonate
    // controls in the embedding page.
    "cursor",
    // Allows code execution.
    "-moz-binding",
  };

  /**
   * Token stems no whitelisted property may accept, either as a bare
   * literal ({@code "expression"}) or as a function key with a trailing
   * parenthesis ({@code "expression("}).
   */
  private static final String[] DANGEROUS_TOKENS = { "expression", "url" };

  /**
   * Every name in {@link #DANGEROUS_PROPERTIES} must resolve to the shared
   * {@link CssSchema#DISALLOWED} instance in {@link CssSchema#DEFAULT}.
   */
  @Test
  public static final void testDangerousProperties() {
    for (String propertyName : DANGEROUS_PROPERTIES) {
      CssSchema.Property resolved = CssSchema.DEFAULT.forKey(propertyName);
      assertSame(propertyName, CssSchema.DISALLOWED, resolved);
    }
  }

  /**
   * Walks {@link CssSchema#DEFAULT_WHITELIST} and checks that no property
   * lists a dangerous token among its literals or its function keys.
   */
  @Test
  public static final void testDangerousTokens() {
    for (String propertyName : CssSchema.DEFAULT_WHITELIST) {
      CssSchema.Property property = CssSchema.DEFAULT.forKey(propertyName);
      for (String token : DANGEROUS_TOKENS) {
        assertTokenRejected(propertyName, property, token);
      }
    }
  }

  /**
   * Asserts that {@code property} accepts {@code token} neither as a
   * literal nor as a function key ({@code token + "("}). The property
   * name is used as the failure message so a regression names the
   * offending property.
   */
  private static void assertTokenRejected(
      String propertyName, CssSchema.Property property, String token) {
    boolean literalAllowed = property.literals.contains(token);
    assertFalse(propertyName, literalAllowed);
    boolean functionAllowed = property.fnKeys.containsKey(token + "(");
    assertFalse(propertyName, functionAllowed);
  }

  /**
   * A union of the default schema with a one-property schema must leave
   * every other definition identical to the default, while the added
   * property ({@code float}) becomes usable with its {@code left} literal.
   */
  @Test
  public static final void testCustom() {
    CssSchema onlyFloat = CssSchema.withProperties(
        Collections.singleton("float"));
    CssSchema custom = CssSchema.union(CssSchema.DEFAULT, onlyFloat);

    for (String key : CssSchema.DEFINITIONS.keySet()) {
      if (key.equals("float")) {
        continue;  // the one property the union is expected to change
      }
      CssSchema.Property fromCustom = custom.forKey(key);
      CssSchema.Property fromDefault = CssSchema.DEFAULT.forKey(key);
      assertSame(key, fromCustom, fromDefault);
    }

    CssSchema.Property cssFloat = custom.forKey("float");
    boolean leftAllowed = cssFloat.literals.contains("left");
    assertTrue("left in float", leftAllowed);
  }

}