1// Copyright (c) 2011, Mike Samuel 2// All rights reserved. 3// 4// Redistribution and use in source and binary forms, with or without 5// modification, are permitted provided that the following conditions 6// are met: 7// 8// Redistributions of source code must retain the above copyright 9// notice, this list of conditions and the following disclaimer. 10// Redistributions in binary form must reproduce the above copyright 11// notice, this list of conditions and the following disclaimer in the 12// documentation and/or other materials provided with the distribution. 13// Neither the name of the OWASP nor the names of its contributors may 14// be used to endorse or promote products derived from this software 15// without specific prior written permission. 16// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27// POSSIBILITY OF SUCH DAMAGE. 
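package org.owasp.html;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.lang.reflect.Method;

import org.junit.Test;
import org.owasp.html.examples.EbayPolicyExample;

import junit.framework.TestCase;

/**
 * Smoke tests for the bundled example programs, plus a few behavioural
 * checks of the {@link EbayPolicyExample} policy they demonstrate.
 *
 * <p>Extends the JUnit 3 {@link TestCase} so that {@code assertEquals} is
 * inherited; the methods also carry the JUnit 4 {@code @Test} annotation.
 */
public class ExamplesTest extends TestCase {

  /**
   * Runs the {@code main} method of every class listed in
   * {@link AllExamples#CLASSES} with an empty stdin and no arguments.
   *
   * <p>stdout and stderr are redirected into a per-example buffer while the
   * example runs. If the example fails, the buffered output is written to the
   * real stderr together with the example's name before the exception is
   * rethrown, and the original streams are restored in every case.
   *
   * @throws Exception the exception thrown while loading or invoking an
   *     example's {@code main}, rethrown as-is (not wrapped) so its type is
   *     visible to the test runner.
   */
  @Test
  public static final void testExamplesRun() throws Exception {
    InputStream stdin = System.in;
    PrintStream stdout = System.out;
    PrintStream stderr = System.err;
    for (Class<?> exampleClass : AllExamples.CLASSES) {
      InputStream emptyIn = new ByteArrayInputStream(new byte[0]);
      ByteArrayOutputStream captured = new ByteArrayOutputStream();
      PrintStream capturingOut = new PrintStream(captured, true, "UTF-8");
      System.setIn(emptyIn);
      System.setOut(capturingOut);
      System.setErr(capturingOut);

      try {
        // Invoke with no arguments to sanitize empty input stream to output.
        Method main = exampleClass.getDeclaredMethod("main", String[].class);
        main.invoke(null, new Object[] { new String[0] });
      } catch (Exception ex) {
        capturingOut.flush();
        // System.err still points at capturingOut at this point, so the
        // report must go to the saved real stderr; writing it via System.err
        // would only append it to the buffer that is about to be discarded.
        stderr.println(
            "Example " + exampleClass.getSimpleName() + "\n"
            + captured.toString("UTF-8"));
        // Rethrow unchanged rather than wrapping in a RuntimeException.
        throw ex;
      } finally {
        // Restore the real streams whether or not the example succeeded.
        System.setIn(stdin);
        System.setOut(stdout);
        System.setErr(stderr);
        capturingOut.close();
      }
    }
  }

  /**
   * A {@code <script>} element must be dropped entirely, leaving only the
   * benign paragraph.
   */
  @Test
  public static final void testSanitizeRemovesScripts() {
    String input =
        "<p>Hello World</p>"
        + "<script language=\"text/javascript\">alert(\"bad\");</script>";
    String sanitized = EbayPolicyExample.POLICY_DEFINITION.sanitize(input);
    assertEquals("<p>Hello World</p>", sanitized);
  }

  /**
   * An inline event-handler attribute ({@code onclick}) must be stripped
   * while the element and its text content are kept.
   */
  @Test
  public static final void testSanitizeRemovesOnclick() {
    String input = "<p onclick=\"alert(\"bad\");\">Hello World</p>";
    String sanitized = EbayPolicyExample.POLICY_DEFINITION.sanitize(input);
    assertEquals("<p>Hello World</p>", sanitized);
  }

  /**
   * A relative link is preserved with its text, and the policy adds
   * {@code rel="nofollow"} to the anchor.
   */
  @Test
  public static final void testTextAllowedInLinks() {
    String input = "<a href=\"../good.html\">click here</a>";
    String sanitized = EbayPolicyExample.POLICY_DEFINITION.sanitize(input);
    assertEquals("<a href=\"../good.html\" rel=\"nofollow\">click here</a>",
                 sanitized);
  }
}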