summaryrefslogtreecommitdiff
path: root/modules/gallery/tests
diff options
context:
space:
mode:
Diffstat (limited to 'modules/gallery/tests')
-rw-r--r--modules/gallery/tests/Html_Helper_Test.php10
-rw-r--r--modules/gallery/tests/SafeString_Test.php14
-rw-r--r--modules/gallery/tests/Xss_Security_Test.php380
3 files changed, 202 insertions, 202 deletions
diff --git a/modules/gallery/tests/Html_Helper_Test.php b/modules/gallery/tests/Html_Helper_Test.php
index f5ce7fa4..3623705e 100644
--- a/modules/gallery/tests/Html_Helper_Test.php
+++ b/modules/gallery/tests/Html_Helper_Test.php
@@ -21,14 +21,14 @@ class Html_Helper_Test extends Unit_Test_Case {
public function clean_test() {
$safe_string = html::clean("hello <p >world</p>");
$this->assert_equal("hello &lt;p &gt;world&lt;/p&gt;",
- $safe_string);
+ $safe_string);
$this->assert_true($safe_string instanceof SafeString);
}
public function purify_test() {
$safe_string = html::purify("hello <p >world</p>");
$this->assert_equal("hello <p>world</p>",
- $safe_string);
+ $safe_string);
$this->assert_true($safe_string instanceof SafeString);
}
@@ -37,19 +37,19 @@ class Html_Helper_Test extends Unit_Test_Case {
$this->assert_true($safe_string instanceof SafeString);
$safe_string_2 = html::clean($safe_string);
$this->assert_equal("hello <p >world</p>",
- $safe_string_2);
+ $safe_string_2);
}
public function js_string_test() {
$string = html::js_string("hello's <p >world</p>");
$this->assert_equal('"hello\'s <p >world<\\/p>"',
- $string);
+ $string);
}
public function clean_attribute_test() {
$safe_string = SafeString::of_safe_html("hello's <p >world</p>");
$safe_string = html::clean_attribute($safe_string);
$this->assert_equal("hello&#039;s <p >world</p>",
- $safe_string);
+ $safe_string);
}
} \ No newline at end of file
diff --git a/modules/gallery/tests/SafeString_Test.php b/modules/gallery/tests/SafeString_Test.php
index ede55240..0895b7dd 100644
--- a/modules/gallery/tests/SafeString_Test.php
+++ b/modules/gallery/tests/SafeString_Test.php
@@ -21,19 +21,19 @@ class SafeString_Test extends Unit_Test_Case {
public function toString_escapes_for_html_test() {
$safe_string = new SafeString("hello <p>world</p>");
$this->assert_equal("hello &lt;p&gt;world&lt;/p&gt;",
- $safe_string);
+ $safe_string);
}
public function toString_for_safe_string_test() {
$safe_string = SafeString::of_safe_html("hello <p>world</p>");
$this->assert_equal("hello <p>world</p>",
- $safe_string);
+ $safe_string);
}
public function for_html_test() {
$safe_string = new SafeString("hello <p>world</p>");
$this->assert_equal("hello &lt;p&gt;world&lt;/p&gt;",
- $safe_string->for_html());
+ $safe_string->for_html());
}
public function safestring_of_safestring_test() {
@@ -50,27 +50,27 @@ class SafeString_Test extends Unit_Test_Case {
$safe_string = new SafeString('"<em>Foo</em>\'s bar"');
$js_string = $safe_string->for_js();
$this->assert_equal('"\\"<em>Foo<\\/em>\'s bar\\""',
- $js_string);
+ $js_string);
}
public function for_html_attr_test() {
$safe_string = new SafeString('"<em>Foo</em>\'s bar"');
$attr_string = $safe_string->for_html_attr();
$this->assert_equal('&quot;&lt;em&gt;Foo&lt;/em&gt;&#039;s bar&quot;',
- $attr_string);
+ $attr_string);
}
public function for_html_attr_with_safe_html_test() {
$safe_string = SafeString::of_safe_html('"<em>Foo</em>\'s bar"');
$attr_string = $safe_string->for_html_attr();
$this->assert_equal('&quot;<em>Foo</em>&#039;s bar&quot;',
- $attr_string);
+ $attr_string);
}
public function string_safestring_equality_test() {
$safe_string = new SafeString("hello <p>world</p>");
$this->assert_equal("hello <p>world</p>",
- $safe_string->unescaped());
+ $safe_string->unescaped());
$escaped_string = "hello &lt;p&gt;world&lt;/p&gt;";
$this->assert_equal($escaped_string, $safe_string);
diff --git a/modules/gallery/tests/Xss_Security_Test.php b/modules/gallery/tests/Xss_Security_Test.php
index 3a22afc1..6c141c52 100644
--- a/modules/gallery/tests/Xss_Security_Test.php
+++ b/modules/gallery/tests/Xss_Security_Test.php
@@ -24,9 +24,9 @@ class Xss_Security_Test extends Unit_Test_Case {
// List of all tokens without whitespace, simplifying parsing.
$tokens = array();
foreach (token_get_all(file_get_contents($view)) as $token) {
- if (!is_array($token) || ($token[0] != T_WHITESPACE)) {
- $tokens[] = $token;
- }
+ if (!is_array($token) || ($token[0] != T_WHITESPACE)) {
+ $tokens[] = $token;
+ }
}
$frame = null;
@@ -34,199 +34,199 @@ class Xss_Security_Test extends Unit_Test_Case {
$in_script_block = false;
for ($token_number = 0; $token_number < count($tokens); $token_number++) {
- $token = $tokens[$token_number];
-
- // Are we in a <script> ... </script> block?
- if (is_array($token) && $token[0] == T_INLINE_HTML) {
- $inline_html = $token[1];
- // T_INLINE_HTML blocks can be split. Need to handle the case
- // where one token has "<scr" and the next has "ipt"
- while (self::_token_matches(array(T_INLINE_HTML), $tokens, $token_number + 1)) {
- $token_number++;
- $token = $tokens[$token_number];
- $inline_html .= $token[1];
- }
-
- if ($frame) {
- $frame->expr_append($inline_html);
- }
-
- // Note: This approach won't catch <script src="..."> blocks if the src
- // URL is generated via < ? = url::site() ? > or some other PHP.
- // Assume that all such script blocks with a src URL have an
- // empty element body.
- // But we'll catch closing tags for such blocks, so don't keep track
- // of opening / closing tag count since it would be meaningless.
-
- // Handle multiple start / end blocks on the same line?
- $opening_script_pos = $closing_script_pos = 0;
- if (preg_match_all('{</script>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
- $last_match = array_pop($matches[0]);
- if (is_array($last_match)) {
- $closing_script_pos = $last_match[1];
- } else {
- $closing_script_pos = $last_match;
- }
- }
- if (preg_match('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
- $last_match = array_pop($matches[0]);
- if (is_array($last_match)) {
- $opening_script_pos = $last_match[1];
- } else {
- $opening_script_pos = $last_match;
- }
- }
- if ($opening_script_pos != $closing_script_pos) {
- $in_script_block = $opening_script_pos > $closing_script_pos;
- }
- }
-
- // Look and report each instance of < ? = ... ? >
- if (!is_array($token)) {
- // A single char token, e.g: ; ( )
- if ($frame) {
- $frame->expr_append($token);
- }
- } else if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
- // No need for a stack here - assume < ? = cannot be nested.
- $frame = self::_create_frame($token, $in_script_block);
+ $token = $tokens[$token_number];
+
+ // Are we in a <script> ... </script> block?
+ if (is_array($token) && $token[0] == T_INLINE_HTML) {
+ $inline_html = $token[1];
+ // T_INLINE_HTML blocks can be split. Need to handle the case
+ // where one token has "<scr" and the next has "ipt"
+ while (self::_token_matches(array(T_INLINE_HTML), $tokens, $token_number + 1)) {
+ $token_number++;
+ $token = $tokens[$token_number];
+ $inline_html .= $token[1];
+ }
+
+ if ($frame) {
+ $frame->expr_append($inline_html);
+ }
+
+ // Note: This approach won't catch <script src="..."> blocks if the src
+ // URL is generated via < ? = url::site() ? > or some other PHP.
+ // Assume that all such script blocks with a src URL have an
+ // empty element body.
+ // But we'll catch closing tags for such blocks, so don't keep track
+ // of opening / closing tag count since it would be meaningless.
+
+ // Handle multiple start / end blocks on the same line?
+ $opening_script_pos = $closing_script_pos = 0;
+ if (preg_match_all('{</script>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+ $last_match = array_pop($matches[0]);
+ if (is_array($last_match)) {
+ $closing_script_pos = $last_match[1];
+ } else {
+ $closing_script_pos = $last_match;
+ }
+ }
+ if (preg_match('{<script\b[^>]*>}i', $inline_html, $matches, PREG_OFFSET_CAPTURE)) {
+ $last_match = array_pop($matches[0]);
+ if (is_array($last_match)) {
+ $opening_script_pos = $last_match[1];
+ } else {
+ $opening_script_pos = $last_match;
+ }
+ }
+ if ($opening_script_pos != $closing_script_pos) {
+ $in_script_block = $opening_script_pos > $closing_script_pos;
+ }
+ }
+
+ // Look and report each instance of < ? = ... ? >
+ if (!is_array($token)) {
+ // A single char token, e.g: ; ( )
+ if ($frame) {
+ $frame->expr_append($token);
+ }
+ } else if ($token[0] == T_OPEN_TAG_WITH_ECHO) {
+ // No need for a stack here - assume < ? = cannot be nested.
+ $frame = self::_create_frame($token, $in_script_block);
} else if ($frame && $token[0] == T_CLOSE_TAG) {
- // Store the < ? = ... ? > block that just ended here.
- $found[$view][] = $frame;
- $frame = null;
+ // Store the < ? = ... ? > block that just ended here.
+ $found[$view][] = $frame;
+ $frame = null;
} else if ($frame && $token[0] == T_VARIABLE) {
- $frame->expr_append($token[1]);
+ $frame->expr_append($token[1]);
if ($token[1] == '$theme') {
- if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
- self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
- in_array($tokens[$token_number + 2][1],
- array("thumb_proportion", "site_menu", "album_menu", "tag_menu", "photo_menu",
+ if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("thumb_proportion", "site_menu", "album_menu", "tag_menu", "photo_menu",
"context_menu", "pager", "site_status", "messages", "album_blocks",
"album_bottom", "album_top", "body_attributes", "credits",
"dynamic_bottom", "dynamic_top", "footer", "head", "header_bottom",
"header_top", "page_bottom", "page_top", "photo_blocks", "photo_bottom",
"photo_top", "resize_bottom", "resize_top", "sidebar_blocks", "sidebar_bottom",
"sidebar_top", "thumb_bottom", "thumb_info", "thumb_top")) &&
- self::_token_matches("(", $tokens, $token_number + 3)) {
+ self::_token_matches("(", $tokens, $token_number + 3)) {
- $method = $tokens[$token_number + 2][1];
- $frame->expr_append("->$method(");
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("->$method(");
- $token_number += 3;
- $token = $tokens[$token_number];
+ $token_number += 3;
+ $token = $tokens[$token_number];
$frame->is_safe_html(true);
- } else if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
- self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
- in_array($tokens[$token_number + 2][1],
- array("css", "script", "url")) &&
- self::_token_matches("(", $tokens, $token_number + 3) &&
- // Only allow constant strings here
- self::_token_matches(array(T_CONSTANT_ENCAPSED_STRING), $tokens, $token_number + 4)) {
+ } else if (self::_token_matches(array(T_OBJECT_OPERATOR, "->"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("css", "script", "url")) &&
+ self::_token_matches("(", $tokens, $token_number + 3) &&
+ // Only allow constant strings here
+ self::_token_matches(array(T_CONSTANT_ENCAPSED_STRING), $tokens, $token_number + 4)) {
- $method = $tokens[$token_number + 2][1];
- $frame->expr_append("->$method(");
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("->$method(");
- $token_number += 4;
- $token = $tokens[$token_number];
+ $token_number += 4;
+ $token = $tokens[$token_number];
$frame->is_safe_html(true);
- }
+ }
}
- } else if ($frame && $token[0] == T_STRING) {
- $frame->expr_append($token[1]);
- // t() and t2() are special in that they're guaranteed to return a SafeString().
- if (in_array($token[1], array("t", "t2"))) {
- if (self::_token_matches("(", $tokens, $token_number + 1)) {
- $frame->is_safe_html(true);
- $frame->expr_append("(");
-
- $token_number++;
- $token = $tokens[$token_number];
- }
- } else if ($token[1] == "SafeString") {
- // Looking for SafeString::of(...
- if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
- self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
- in_array($tokens[$token_number + 2][1], array("of", "purify")) &&
- self::_token_matches("(", $tokens, $token_number + 3)) {
+ } else if ($frame && $token[0] == T_STRING) {
+ $frame->expr_append($token[1]);
+ // t() and t2() are special in that they're guaranteed to return a SafeString().
+ if (in_array($token[1], array("t", "t2"))) {
+ if (self::_token_matches("(", $tokens, $token_number + 1)) {
+ $frame->is_safe_html(true);
+ $frame->expr_append("(");
+
+ $token_number++;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "SafeString") {
+ // Looking for SafeString::of(...
+ if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1], array("of", "purify")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
// Not checking for of_safe_html(). We want such calls to be marked dirty (thus reviewed).
- $frame->is_safe_html(true);
-
- $method = $tokens[$token_number + 2][1];
- $frame->expr_append("::$method(");
-
- $token_number += 3;
- $token = $tokens[$token_number];
- }
- } else if ($token[1] == "json_encode") {
- if (self::_token_matches("(", $tokens, $token_number + 1)) {
- $frame->is_safe_js(true);
- $frame->expr_append("(");
-
- $token_number++;
- $token = $tokens[$token_number];
- }
- } else if ($token[1] == "url") {
- // url methods return safe HTML
- if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
- self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
- in_array($tokens[$token_number + 2][1],
- array("site", "current", "base", "file", "abs_site", "abs_current",
- "abs_file", "merge")) &&
- self::_token_matches("(", $tokens, $token_number + 3)) {
- $frame->is_safe_html(true);
-
- $method = $tokens[$token_number + 2][1];
- $frame->expr_append("::$method(");
-
- $token_number += 3;
- $token = $tokens[$token_number];
- }
- } else if ($token[1] == "html") {
- if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
- self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
- in_array($tokens[$token_number + 2][1],
- array("clean", "purify", "js_string", "clean_attribute")) &&
- self::_token_matches("(", $tokens, $token_number + 3)) {
+ $frame->is_safe_html(true);
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
+
+ $token_number += 3;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "json_encode") {
+ if (self::_token_matches("(", $tokens, $token_number + 1)) {
+ $frame->is_safe_js(true);
+ $frame->expr_append("(");
+
+ $token_number++;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "url") {
+ // url methods return safe HTML
+ if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("site", "current", "base", "file", "abs_site", "abs_current",
+ "abs_file", "merge")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
+ $frame->is_safe_html(true);
+
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
+
+ $token_number += 3;
+ $token = $tokens[$token_number];
+ }
+ } else if ($token[1] == "html") {
+ if (self::_token_matches(array(T_DOUBLE_COLON, "::"), $tokens, $token_number + 1) &&
+ self::_token_matches(array(T_STRING), $tokens, $token_number + 2) &&
+ in_array($tokens[$token_number + 2][1],
+ array("clean", "purify", "js_string", "clean_attribute")) &&
+ self::_token_matches("(", $tokens, $token_number + 3)) {
// Not checking for mark_safe(). We want such calls to be marked dirty (thus reviewed).
- $method = $tokens[$token_number + 2][1];
- $frame->expr_append("::$method(");
+ $method = $tokens[$token_number + 2][1];
+ $frame->expr_append("::$method(");
- $token_number += 3;
- $token = $tokens[$token_number];
+ $token_number += 3;
+ $token = $tokens[$token_number];
if ("js_string" == $method) {
$frame->is_safe_js(true);
} else {
$frame->is_safe_html(true);
}
- }
- }
- } else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
- $frame->expr_append($token[1]);
-
- if (self::_token_matches(array(T_STRING), $tokens, $token_number + 1) &&
- in_array($tokens[$token_number + 1][1],
- array("for_js", "for_html", "purified_html", "for_html_attr")) &&
- self::_token_matches("(", $tokens, $token_number + 2)) {
- $method = $tokens[$token_number + 1][1];
- $frame->expr_append("$method(");
-
- $token_number += 2;
- $token = $tokens[$token_number];
-
- if ("for_js" == $method) {
- $frame->is_safe_js(true);
- } else {
- $frame->is_safe_html(true);
- }
- }
+ }
+ }
+ } else if ($frame && $token[0] == T_OBJECT_OPERATOR) {
+ $frame->expr_append($token[1]);
+
+ if (self::_token_matches(array(T_STRING), $tokens, $token_number + 1) &&
+ in_array($tokens[$token_number + 1][1],
+ array("for_js", "for_html", "purified_html", "for_html_attr")) &&
+ self::_token_matches("(", $tokens, $token_number + 2)) {
+ $method = $tokens[$token_number + 1][1];
+ $frame->expr_append("$method(");
+
+ $token_number += 2;
+ $token = $tokens[$token_number];
+
+ if ("for_js" == $method) {
+ $frame->is_safe_js(true);
+ } else {
+ $frame->is_safe_html(true);
+ }
+ }
} else if ($frame) {
- $frame->expr_append($token[1]);
- }
+ $frame->expr_append($token[1]);
+ }
}
}
@@ -252,26 +252,26 @@ class Xss_Security_Test extends Unit_Test_Case {
ksort($found);
foreach ($found as $view => $frames) {
foreach ($frames as $frame) {
- $state = "DIRTY";
- if ($frame->in_script_block()) {
- $state = "DIRTY_JS";
- if ($frame->is_safe_js()) {
- $state = "CLEAN";
- }
- } else {
- if ($frame->is_safe_html()) {
- $state = "CLEAN";
- }
- }
-
- if ("CLEAN" == $state) {
- // Don't print CLEAN instances - No need to update the golden
- // file when adding / moving clean instances.
- continue;
- }
-
- fprintf($fd, "%-60s %-3s %-8s %s\n",
- $view, $frame->line(), $state, $frame->expr());
+ $state = "DIRTY";
+ if ($frame->in_script_block()) {
+ $state = "DIRTY_JS";
+ if ($frame->is_safe_js()) {
+ $state = "CLEAN";
+ }
+ } else {
+ if ($frame->is_safe_html()) {
+ $state = "CLEAN";
+ }
+ }
+
+ if ("CLEAN" == $state) {
+ // Don't print CLEAN instances - No need to update the golden
+ // file when adding / moving clean instances.
+ continue;
+ }
+
+ fprintf($fd, "%-60s %-3s %-8s %s\n",
+ $view, $frame->line(), $state, $frame->expr());
}
}
fclose($fd);
@@ -280,7 +280,7 @@ class Xss_Security_Test extends Unit_Test_Case {
$canonical = MODPATH . "gallery/tests/xss_data.txt";
exec("diff $canonical $new", $output, $return_value);
$this->assert_false(
- $return_value, "XSS golden file mismatch. Output:\n" . implode("\n", $output) );
+ $return_value, "XSS golden file mismatch. Output:\n" . implode("\n", $output) );
}
private static function _create_frame($token, $in_script_block) {
@@ -296,9 +296,9 @@ class Xss_Security_Test extends Unit_Test_Case {
if (is_array($expected_token)) {
for ($i = 0; $i < count($expected_token); $i++) {
- if ($expected_token[$i] != $token[$i]) {
- return false;
- }
+ if ($expected_token[$i] != $token[$i]) {
+ return false;
+ }
}
return true;
} else {
generated by cgit v1.2.3 (git 2.46.0) at 2025-10-13 06:30:53 +0000