1// Copyright (c) 2011, Mike Samuel
2// All rights reserved.
3//
4// Redistribution and use in source and binary forms, with or without
5// modification, are permitted provided that the following conditions
6// are met:
7//
8// Redistributions of source code must retain the above copyright
9// notice, this list of conditions and the following disclaimer.
10// Redistributions in binary form must reproduce the above copyright
11// notice, this list of conditions and the following disclaimer in the
12// documentation and/or other materials provided with the distribution.
13// Neither the name of the OWASP nor the names of its contributors may
14// be used to endorse or promote products derived from this software
15// without specific prior written permission.
16// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
17// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
18// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
19// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
20// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
21// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
22// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
23// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
24// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
26// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
27// POSSIBILITY OF SUCH DAMAGE.
28
29package org.owasp.html;
30
31import org.junit.Test;
32
33import junit.framework.TestCase;
34
public class HtmlChangeReporterTest extends TestCase {

  /** Opaque per-call value handed to the reporter; the listener checks it arrives by identity. */
  static class Context {
  }

  /**
   * Checks that {@link HtmlChangeReporter} notifies its listener of every element and
   * attribute the policy strips, while the rendered output contains only what the policy
   * allowed.
   *
   * <p>The input carries a rejected {@code onclick} handler, a {@code <script>} element and
   * a {@code <plaintext>} element. The expected log shows each of them being reported (with
   * element names normalized to lower case) and the expected output shows none of them
   * getting through.
   */
  @Test
  public static final void testChangeReporting() {
    final Context expectedContext = new Context();

    StringBuilder rendered = new StringBuilder();
    final StringBuilder report = new StringBuilder();
    HtmlStreamRenderer streamRenderer = HtmlStreamRenderer.create(
        rendered, Handler.DO_NOTHING);
    HtmlChangeListener<Context> changeListener = new HtmlChangeListener<Context>() {
      @Override
      public void discardedTag(Context context, String elementName) {
        // The context must be the very object given to the reporter, not a copy.
        assertSame(expectedContext, context);
        report.append('<').append(elementName).append("> ");
      }

      @Override
      public void discardedAttributes(
          Context context, String tagName, String... attributeNames) {
        assertSame(expectedContext, context);
        report.append('<').append(tagName);
        for (int i = 0; i < attributeNames.length; ++i) {
          report.append(' ').append(attributeNames[i]);
        }
        report.append("> ");
      }
    };
    HtmlChangeReporter<Context> reporter = new HtmlChangeReporter<Context>(
        streamRenderer, changeListener, expectedContext);

    // The policy is built on the renderer the reporter wraps, and the input is
    // sanitized through the reporter's wrapped policy.
    reporter.setPolicy(Sanitizers.FORMATTING.apply(reporter.getWrappedRenderer()));
    String input =
        "<textarea>Hello</textarea>,<b onclick=alert(42)>World</B>!"
        + "<Script type=text/javascript>doEvil()</script><PLAINTEXT>";
    HtmlSanitizer.sanitize(input, reporter.getWrappedPolicy());

    // Only the formatting element survives; the event handler and the script are gone.
    assertEquals("Hello,<b>World</b>!", rendered.toString());
    // Every discard was reported, in the order it appeared in the input.
    assertEquals(
        "<textarea> <b onclick> <script> <plaintext> ", report.toString());
  }
}
80