xref: /external/owasp/sanitizer/src/tests/org/owasp/html/HtmlChangeReporterTest.java

// Copyright (c) 2011, Mike Samuel
// All rights reserved.
//
// Redistribution and use in source and binary forms, with or without
// modification, are permitted provided that the following conditions
// are met:
//
// Redistributions of source code must retain the above copyright
// notice, this list of conditions and the following disclaimer.
// Redistributions in binary form must reproduce the above copyright
// notice, this list of conditions and the following disclaimer in the
// documentation and/or other materials provided with the distribution.
// Neither the name of the OWASP nor the names of its contributors may
// be used to endorse or promote products derived from this software
// without specific prior written permission.
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
// FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
// COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
// INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
// BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
// LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
// CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
// LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
// ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
// POSSIBILITY OF SUCH DAMAGE.

package org.owasp.html;

import org.junit.Test;

import junit.framework.TestCase;

public class HtmlChangeReporterTest extends TestCase {

  static class Context {
    // Opaque test value compared via equality.
  }

  @Test
  public static final void testChangeReporting() {
    final Context testContext = new Context();

    StringBuilder out = new StringBuilder();
    final StringBuilder log = new StringBuilder();
    HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
        out, Handler.DO_NOTHING);
    HtmlChangeListener<Context> listener = new HtmlChangeListener<Context>() {
      public void discardedTag(Context context, String elementName) {
        assertSame(testContext, context);
        log.append('<').append(elementName).append("> ");
      }

      public void discardedAttributes(
          Context context, String tagName, String... attributeNames) {
        assertSame(testContext, context);
        log.append('<').append(tagName);
        for (String attributeName : attributeNames) {
          log.append(' ').append(attributeName);
        }
        log.append("> ");
      }
    };
    HtmlChangeReporter<Context> hcr = new HtmlChangeReporter<Context>(
        renderer, listener, testContext);

    hcr.setPolicy(Sanitizers.FORMATTING.apply(hcr.getWrappedRenderer()));
    String html =
        "<textarea>Hello</textarea>,<b onclick=alert(42)>World</B>!"
        + "<Script type=text/javascript>doEvil()</script><PLAINTEXT>";
    HtmlSanitizer.sanitize(
        html,
        hcr.getWrappedPolicy());
    assertEquals("Hello,<b>World</b>!", out.toString());
    assertEquals(
        "<textarea> <b onclick> <script> <plaintext> ", log.toString());
  }
}