1// Copyright (c) 2011, Mike Samuel 2// All rights reserved. 3// 4// Redistribution and use in source and binary forms, with or without 5// modification, are permitted provided that the following conditions 6// are met: 7// 8// Redistributions of source code must retain the above copyright 9// notice, this list of conditions and the following disclaimer. 10// Redistributions in binary form must reproduce the above copyright 11// notice, this list of conditions and the following disclaimer in the 12// documentation and/or other materials provided with the distribution. 13// Neither the name of the OWASP nor the names of its contributors may 14// be used to endorse or promote products derived from this software 15// without specific prior written permission. 16// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27// POSSIBILITY OF SUCH DAMAGE. 28 29package org.owasp.html; 30 31import org.junit.Test; 32 33import junit.framework.TestCase; 34 35public class HtmlChangeReporterTest extends TestCase { 36 37 static class Context { 38 // Opaque test value compared via equality. 39 } 40 41 @Test 42 public static final void testChangeReporting() { 43 final Context testContext = new Context(); 44 45 StringBuilder out = new StringBuilder(); 46 final StringBuilder log = new StringBuilder(); 47 HtmlStreamRenderer renderer = HtmlStreamRenderer.create( 48 out, Handler.DO_NOTHING); 49 HtmlChangeListener<Context> listener = new HtmlChangeListener<Context>() { 50 public void discardedTag(Context context, String elementName) { 51 assertSame(testContext, context); 52 log.append('<').append(elementName).append("> "); 53 } 54 55 public void discardedAttributes( 56 Context context, String tagName, String... attributeNames) { 57 assertSame(testContext, context); 58 log.append('<').append(tagName); 59 for (String attributeName : attributeNames) { 60 log.append(' ').append(attributeName); 61 } 62 log.append("> "); 63 } 64 }; 65 HtmlChangeReporter<Context> hcr = new HtmlChangeReporter<Context>( 66 renderer, listener, testContext); 67 68 hcr.setPolicy(Sanitizers.FORMATTING.apply(hcr.getWrappedRenderer())); 69 String html = 70 "<textarea>Hello</textarea>,<b onclick=alert(42)>World</B>!" 71 + "<Script type=text/javascript>doEvil()</script><PLAINTEXT>"; 72 HtmlSanitizer.sanitize( 73 html, 74 hcr.getWrappedPolicy()); 75 assertEquals("Hello,<b>World</b>!", out.toString()); 76 assertEquals( 77 "<textarea> <b onclick> <script> <plaintext> ", log.toString()); 78 } 79} 80