
Source for file InputFilterTest.php


  1. <?php
  2. /**
  3. * File for the InputFilterTest class
  4. *
  5. * (PHP 5)
  6. *
  7. * @package PHPonTraxTest
  8. * @license http://opensource.org/licenses/gpl-license.php GNU Public License
  9. * @copyright (c) Walter O. Haas 2006
  10. * @version $Id: InputFilterTest.php 192 2006-03-27 22:02:53Z haas $
  11. * @author Walt Haas <haas@xmission.com>
  12. */
  13.  
  14. echo "testing InputFilter\n";
  15. require_once 'testenv.php';
  16.  
  17. // Call InputFilterTest::main() if this source file is executed directly.
  18. if (!defined("PHPUnit2_MAIN_METHOD")) {
  19. define("PHPUnit2_MAIN_METHOD", "InputFilterTest::main");
  20. }
  21.  
  22. require_once "PHPUnit2/Framework/TestCase.php";
  23. require_once "PHPUnit2/Framework/TestSuite.php";
  24.  
  25. // You may remove the following line when all tests have been implemented.
  26. require_once "PHPUnit2/Framework/IncompleteTestError.php";
  27.  
  28. require_once "input_filter.php";
  29.  
  30. /**
  31. * Test class for InputFilter.
  32. * Generated by PHPUnit2_Util_Skeleton on 2006-02-28 at 11:52:31.
  33. */
  34. class InputFilterTest extends PHPUnit2_Framework_TestCase {
  35.  
  36. /**
  37. * Runs the test methods of this class.
  38. *
  39. * @access public
  40. * @static
  41. */
  42. public static function main() {
  43. require_once "PHPUnit2/TextUI/TestRunner.php";
  44.  
  45. $suite = new PHPUnit2_Framework_TestSuite("InputFilterTest");
  46. $result = PHPUnit2_TextUI_TestRunner::run($suite);
  47. }
  48.  
  49. /**
  50. * Sets up the fixture, for example, open a network connection.
  51. * This method is called before a test is executed.
  52. *
  53. * @access protected
  54. */
  55. protected function setUp() {
  56. }
  57.  
  58. /**
  59. * Tears down the fixture, for example, close a network connection.
  60. * This method is called after a test is executed.
  61. *
  62. * @access protected
  63. */
  64. protected function tearDown() {
  65. }
  66.  
  67. /**
  68. * Test the process() method
  69. */
  70. public function testProcess() {
  71. // Trivial case, nothing to clean
  72. @new InputFilter();
  73. $this->assertEquals(InputFilter::process('foo'),'foo');
  74. $this->assertEquals(InputFilter::process(array('foo','bar')),
  75. array('foo','bar'));
  76. // Default constructor removes all tags
  77. $this->assertEquals(InputFilter::process('<ok>foobar</ok>'),
  78. 'foobar');
  79. // Allow all but blacklisted tags and attributes
  80. @new InputFilter(array(),array(),1,1,1);
  81. // Irregular tag names are always filtered out
  82. $this->assertEquals(InputFilter::process('foo<#$>bar</#$>mumble'),
  83. 'foobarmumble');
  84. // $xssAuto=1 filters blacklisted tags and attributes
  85. $this->assertEquals(InputFilter::process('<body>foobar</body>'),
  86. 'foobar');
  87. $this->assertEquals(InputFilter::process('<ok action="yes">foobar</ok>'),
  88. '<ok>foobar</ok>');
  89. // With $xssAuto off, blacklisted tags and attributes are allowed
  90. @new InputFilter(array(),array(),1,1,0);
  91. $this->assertEquals(InputFilter::process('<body>foobar</body>'),
  92. '<body>foobar</body>');
  93. $this->assertEquals(InputFilter::process('<ok action="yes">foobar</ok>'),
  94. '<ok action="yes">foobar</ok>');
  95. // tagMethod=1 permits all but listed tags
  96. @new InputFilter(array('foo'),array(),1,1,0);
  97. $this->assertEquals(
  98. InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'),
  99. 'mumble<bar>grumble</bar>');
  100. // tagMethod=0 permits only listed tags
  101. @new InputFilter(array('foo'),array(),0,1,0);
  102. $this->assertEquals(
  103. InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'),
  104. '<foo>mumble</foo>grumble');
  105. // attrMethod=1 permits all but listed attributes
  106. @new InputFilter(array(),array('dangerous'),1,1,0);
  107. $this->assertEquals(
  108. InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'),
  109. '<foo safe="1">mumble</foo>');
  110. // attrMethod=0 permits only listed tags
  111. @new InputFilter(array(),array('dangerous'),1,0,0);
  112. $this->assertEquals(
  113. InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'),
  114. '<foo dangerous="1">mumble</foo>');
  115. // accept only know safe tags
  116. @new InputFilter(array('div','span','strong','em'),
  117. array('id','class'),0,0,0);
  118. $this->assertEquals(
  119. InputFilter::process(
  120. '<body class="full">mumble<span class="error" color="red">'
  121. .'grumble</span>burfl</body>'),
  122. 'mumble<span class="error">grumble</span>burfl');
  123. }
  124.  
  125. /**
  126. * Test process_all() method
  127. */
  128. public function testProcess_all() {
  129. $_GET = array('<tag1>foo</tag1>');
  130. $_POST = array('<tag2>bar</tag2>');
  131. $_REQUEST = array('<tag3>mumble</tag3>');
  132.  
  133. // Default is to remove all tags
  134. InputFilter::process_all();
  135. $this->assertEquals($_GET,array('foo'));
  136. $this->assertEquals($_POST,array('bar'));
  137. $this->assertEquals($_REQUEST,array('mumble'));
  138. }
  139.  
  140. /**
  141. * Test saveSQL()
  142. * @todo Figure out problem w/ mysql_real_escape_string()
  143. * @todo Figure out how to test with magic quotes either on or off
  144. */
  145. public function testSafeSQL() {
  146. $rs = mysql_connect();
  147. if ($rs == false) {
  148. PHPUnit2_Framework_Assert::fail("InputFilterTest:"
  149. ." unable to open a connction to MySQL");
  150. }
  151. // Trivial case, nothing to clean
  152. $this->assertEquals(InputFilter::safeSQL('foo',$rs),'foo');
  153. $this->assertEquals(InputFilter::safeSQL(array('foo','bar'),$rs),
  154. array('foo','bar'));
  155. if (get_magic_quotes_gpc()) {
  156. // verify stripping of magic quotes
  157. // FIXME: figure out how to test this case
  158. $this->assertEquals(
  159. InputFilter::safeSQL('a\\\'b\\"c\\\\d\\\x00e\\\nf\\\rg\\\x1a',$rs),
  160. 'a\\\'b\\"c\\\\d\\\x00e\\\nf\\\rg\\\x1a');
  161. }
  162. else {
  163. // verify magic quotes aren't there
  164. $pattern = "a'b\"c\\d\x00e\nf\rg\x1ah";
  165. $non_zero_pattern = "a'b\"c\\de\nf\rg\x1ah";
  166. $quoted_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\\x1ah";
  167. $quoted_non_zero_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\\x1ah";
  168. // echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
  169. // $this->assertEquals(mysql_real_escape_string($non_zero_pattern),
  170. // $quoted_non_zero_pattern);
  171. // echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
  172. // $this->assertEquals(mysql_real_escape_string($pattern),
  173. // $quoted_pattern);
  174. // $this->assertEquals(
  175. // InputFilter::safeSQL($pattern,$rs),$quoted_pattern);
  176. }
  177. // Remove the following line when you complete this test.
  178. throw new PHPUnit2_Framework_IncompleteTestError;
  179. }
  180. }
  181.  
  182. // Call InputFilterTest::main() if this source file is executed directly.
  183. if (PHPUnit2_MAIN_METHOD == "InputFilterTest::main") {
  184. InputFilterTest::main();
  185. }
  186.  
  187. // -- set Emacs parameters --
  188. // Local variables:
  189. // tab-width: 4
  190. // c-basic-offset: 4
  191. // c-hanging-comment-ender-p: nil
  192. // indent-tabs-mode: nil
  193. // End:
  194. ?>
