author | Andy Staudacher <andy.st@gmail.com> | 2009-08-29 11:31:00 -0700 |
---|---|---|
committer | Andy Staudacher <andy.st@gmail.com> | 2009-08-29 11:31:00 -0700 |
commit | 1d633457c4482ab96bf936e9951ded2d5ebc8c74 (patch) | |
tree | c07b01cd21c327a98a851f45a00b4c4014470a94 /modules/gallery/tests | |
parent | 020281d932c566476222e6c825ada3affff239a6 (diff) |
Have url::site() and other methods return a SafeString, just as t() and t2().
Benefits:
- url::site() is often used in views and we can ensure in the url class that returned strings are indeed safe for use in HTML. Makes the list of vars of unknown safety status shorter.
- url::site() is often used as message parameter to t() and t2(). The parameter would be HTML-escaped if it wasn't marked as safe HTML already. Makes the usage simpler / shorter.
Diffstat (limited to 'modules/gallery/tests')
-rw-r--r-- | modules/gallery/tests/Xss_Security_Test.php | 24 |
1 files changed, 20 insertions, 4 deletions
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 1d52237c..e0e5bb86 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -126,7 +126,23 @@ class Xss_Security_Test extends Unit_Test_Case {
 $token_number++;
 $token = $tokens[$token_number];
 }
- }
+ } else if ($token[1] == "url") {
+ // url methods return a SafeString
+ if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("site", "current", "base", "file", "abs_site", "abs_current",
+ "abs_file", "merge")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
+ $frame->is_safestring(true);
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
+ $token_number += 3;
+ $token = $tokens[$token_number];
+ }
+ }
 } else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
 $frame->expr_append($token[1]);
@@ -155,8 +171,9 @@ class Xss_Security_Test extends Unit_Test_Case {
 }
 }
- // Generate the report.
 /*
+ * Generate the report
+ *
 * States for uses of < ? = X ? >:
 * JS_XSS:
 * In <script> block
@@ -166,7 +183,7 @@ class Xss_Security_Test extends Unit_Test_Case {
 * X can be anything without a call to ->for_html() or ->purified_html()
 * CLEAN:
 * Outside <script> block:
- * X = t() or t2()
+ * X = is SafeString (t(), t2(), url::site())
 * X = * and for_html() or purified_html() is called
 * Inside <script> block:
 * X = * with ->for_js() or json_encode(...)
@@ -192,7 +209,6 @@ class Xss_Security_Test extends Unit_Test_Case {
 }
 }
 fclose($fd);
- exit;
 // Compare with the expected report from our golden file.
 $canonical = MODPATH . "gallery/tests/xss_data.txt"; |
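Review bot: The `url` branch makes the scanner's verdict depend entirely on a hard-coded method list — once `$frame->is_safestring(true)` is set for any of site, current, base, file, abs_site, abs_current, abs_file or merge, an echo of `url::merge(...)` is reported CLEAN regardless of its arguments, so if one of those helpers later stops returning a SafeString the XSS report will not change and the regression goes unnoticed. The comment `// url methods return a SafeString` should name that coupling, e.g. `// The scanner trusts these url:: helpers to return a SafeString; keep this list in sync with the url class — a listed method that returns a raw string is a silent false negative here`. Less important: `$token[1] == "url"` is a case-sensitive compare on a class name that PHP resolves case-insensitively, so `URL::site(` presumably falls through and is reported as unsafe — the conservative direction, but worth a comment if mixed-case callers exist. The enclosing token loop starts and ends outside the hunk.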
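Review bot: The rewritten CLEAN state line names only `url::site()` while the new `url` branch in the first hunk accepts eight helpers (site, current, base, file, abs_site, abs_current, abs_file, merge), so the report legend under-describes what the scanner now treats as safe; `X = is SafeString` also reads oddly. Suggest `*       X is a SafeString (t(), t2(), or any url:: helper accepted by the url branch)`. The surrounding comment block starts and ends outside the hunk.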