// Copyright (c) 2011, Mike Samuel
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
// Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
// Neither the name of the OWASP nor the names of its contributors may
// be used to endorse or promote products derived from this software
// without specific prior written permission.
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.

package org.owasp.html;

import org.junit.Test;

import junit.framework.TestCase;

/**
 * Exercises {@link HtmlChangeReporter}: the sanitized output must be the
 * same as without the reporter, and the listener must be told about every
 * element and attribute the policy discarded, with the caller's context
 * object passed through untouched.
 */
public class HtmlChangeReporterTest extends TestCase {

  /**
   * Opaque value handed to the reporter. It carries no state; the listener
   * only checks (by identity, via {@code assertSame}) that the very same
   * instance is passed back on every callback.
   */
  static class Context {
    // Intentionally empty.
  }

  @Test
  public static final void testChangeReporting() {
    final Context expectedContext = new Context();

    // Receives the sanitized markup.
    final StringBuilder rendered = new StringBuilder();
    // Receives one "<name attr ...> " entry per reported drop.
    final StringBuilder changeLog = new StringBuilder();
    HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
        rendered, Handler.DO_NOTHING);
    HtmlChangeListener<Context> listener = new HtmlChangeListener<Context>() {
      @Override
      public void discardedTag(Context context, String elementName) {
        assertSame(expectedContext, context);
        changeLog.append('<').append(elementName).append("> ");
      }

      @Override
      public void discardedAttributes(
          Context context, String tagName, String... attributeNames) {
        assertSame(expectedContext, context);
        // Only the attribute names are recorded here; the rejected values
        // (such as the onclick handler body in the input below) are never
        // copied into the log.
        changeLog.append('<').append(tagName);
        for (int i = 0, n = attributeNames.length; i < n; ++i) {
          changeLog.append(' ').append(attributeNames[i]);
        }
        changeLog.append("> ");
      }
    };
    HtmlChangeReporter<Context> reporter = new HtmlChangeReporter<Context>(
        renderer, listener, expectedContext);

    reporter.setPolicy(Sanitizers.FORMATTING.apply(reporter.getWrappedRenderer()));
    String input =
        "<textarea>Hello</textarea>,<b onclick=alert(42)>World</B>!"
        + "<Script type=text/javascript>doEvil()</script><PLAINTEXT>";
    HtmlSanitizer.sanitize(
        input,
        reporter.getWrappedPolicy());
    // The formatting policy keeps <b> but strips its event-handler attribute;
    // the textarea, script and plaintext tags are dropped. The textarea's
    // text survives as plain text while the script body does not.
    assertEquals("Hello,<b>World</b>!", rendered.toString());
    // Every drop is reported exactly once, and the reported names are
    // lower-case even where the input used </B>, <Script> and <PLAINTEXT>.
    assertEquals(
        "<textarea> <b onclick> <script> <plaintext> ", changeLog.toString());
  }
}