class CommonXssUnitTest

Tests for check_plain(), filter_xss(), format_string(), and check_url().

Hierarchy

Expanded class hierarchy of CommonXssUnitTest

File

drupal/modules/simpletest/tests/common.test, line 437
Tests for common.inc functionality.

View source
class CommonXssUnitTest extends DrupalUnitTestCase {
  public static function getInfo() {
    return array(
      'name' => 'String filtering tests',
      'description' => 'Confirm that check_plain(), filter_xss(), format_string() and check_url() work correctly, including invalid multi-byte sequences.',
      'group' => 'System',
    );
  }

  /**
   * Check that invalid multi-byte sequences are rejected.
   */
  function testInvalidMultiByte() {

    // Ignore PHP 5.3+ invalid multibyte sequence warning.
    $text = @check_plain("");
    $this
      ->assertEqual($text, '', 'check_plain() rejects invalid sequence "Foo\\xC0barbaz"');

    // Ignore PHP 5.3+ invalid multibyte sequence warning.
    $text = @check_plain("");
    $this
      ->assertEqual($text, '', 'check_plain() rejects invalid sequence "\\xc2\\""');
    $text = check_plain("Fooÿñ");
    $this
      ->assertEqual($text, "Fooÿñ", 'check_plain() accepts valid sequence "Fooÿñ"');
    $text = filter_xss("");
    $this
      ->assertEqual($text, '', 'filter_xss() rejects invalid sequence "Foo\\xC0barbaz"');
    $text = filter_xss("Fooÿñ");
    $this
      ->assertEqual($text, "Fooÿñ", 'filter_xss() accepts valid sequence Fooÿñ');
  }

  /**
   * Check that special characters are escaped.
   */
  function testEscaping() {
    $text = check_plain("<script>");
    $this
      ->assertEqual($text, '&lt;script&gt;', 'check_plain() escapes &lt;script&gt;');
    $text = check_plain('<>&"\'');
    $this
      ->assertEqual($text, '&lt;&gt;&amp;&quot;&#039;', 'check_plain() escapes reserved HTML characters.');
  }

  /**
   * Test t() and format_string() replacement functionality.
   */
  function testFormatStringAndT() {
    foreach (array(
      'format_string',
      't',
    ) as $function) {
      $text = $function('Simple text');
      $this
        ->assertEqual($text, 'Simple text', $function . ' leaves simple text alone.');
      $text = $function('Escaped text: @value', array(
        '@value' => '<script>',
      ));
      $this
        ->assertEqual($text, 'Escaped text: &lt;script&gt;', $function . ' replaces and escapes string.');
      $text = $function('Placeholder text: %value', array(
        '%value' => '<script>',
      ));
      $this
        ->assertEqual($text, 'Placeholder text: <em class="placeholder">&lt;script&gt;</em>', $function . ' replaces, escapes and themes string.');
      $text = $function('Verbatim text: !value', array(
        '!value' => '<script>',
      ));
      $this
        ->assertEqual($text, 'Verbatim text: <script>', $function . ' replaces verbatim string as-is.');
    }
  }

  /**
   * Check that harmful protocols are stripped.
   */
  function testBadProtocolStripping() {

    // Ensure that check_url() strips out harmful protocols, and encodes for
    // HTML. Ensure drupal_strip_dangerous_protocols() can be used to return a
    // plain-text string stripped of harmful protocols.
    $url = 'javascript:http://www.example.com/?x=1&y=2';
    $expected_plain = 'http://www.example.com/?x=1&y=2';
    $expected_html = 'http://www.example.com/?x=1&amp;y=2';
    $this
      ->assertIdentical(check_url($url), $expected_html, 'check_url() filters a URL and encodes it for HTML.');
    $this
      ->assertIdentical(drupal_strip_dangerous_protocols($url), $expected_plain, 'drupal_strip_dangerous_protocols() filters a URL and returns plain text.');
  }

}

Members

Namesort descending Modifiers Type Description Overrides
CommonXssUnitTest::getInfo public static function
CommonXssUnitTest::testBadProtocolStripping function Check that harmful protocols are stripped.
CommonXssUnitTest::testEscaping function Check that special characters are escaped.
CommonXssUnitTest::testFormatStringAndT function Test t() and format_string() replacement functionality.
CommonXssUnitTest::testInvalidMultiByte function Check that invalid multi-byte sequences are rejected.
DrupalTestCase::$assertions protected property Assertions thrown in that test case.
DrupalTestCase::$databasePrefix protected property The database prefix of this test run.
DrupalTestCase::$originalFileDirectory protected property The original file directory, before it was changed for testing purposes.
DrupalTestCase::$results public property Current results of this test case.
DrupalTestCase::$setup protected property Flag to indicate whether the test has been set up.
DrupalTestCase::$setupDatabasePrefix protected property
DrupalTestCase::$setupEnvironment protected property
DrupalTestCase::$skipClasses protected property This class is skipped when looking for the source of an assertion.
DrupalTestCase::$testId protected property The test run ID.
DrupalTestCase::$timeLimit protected property Time limit for the test.
DrupalTestCase::$verboseDirectoryUrl protected property URL to the verbose output file directory.
DrupalTestCase::assert protected function Internal helper: stores the assert.
DrupalTestCase::assertEqual protected function Check to see if two values are equal.
DrupalTestCase::assertFalse protected function Check to see if a value is false (an empty string, 0, NULL, or FALSE).
DrupalTestCase::assertIdentical protected function Check to see if two values are identical.
DrupalTestCase::assertNotEqual protected function Check to see if two values are not equal.
DrupalTestCase::assertNotIdentical protected function Check to see if two values are not identical.
DrupalTestCase::assertNotNull protected function Check to see if a value is not NULL.
DrupalTestCase::assertNull protected function Check to see if a value is NULL.
DrupalTestCase::assertTrue protected function Check to see if a value is not false (not an empty string, 0, NULL, or FALSE).
DrupalTestCase::deleteAssert public static function Delete an assertion record by message ID.
DrupalTestCase::error protected function Fire an error assertion. 1
DrupalTestCase::errorHandler public function Handle errors during test runs. 1
DrupalTestCase::exceptionHandler protected function Handle exceptions.
DrupalTestCase::fail protected function Fire an assertion that is always negative.
DrupalTestCase::generatePermutations public static function Converts a list of possible parameters into a stack of permutations.
DrupalTestCase::getAssertionCall protected function Cycles through backtrace until the first non-assertion method is found.
DrupalTestCase::getDatabaseConnection public static function Returns the database connection to the site running Simpletest.
DrupalTestCase::insertAssert public static function Store an assertion from outside the testing context.
DrupalTestCase::pass protected function Fire an assertion that is always positive.
DrupalTestCase::randomName public static function Generates a random string containing letters and numbers.
DrupalTestCase::randomString public static function Generates a random string of ASCII characters of codes 32 to 126.
DrupalTestCase::run public function Run all tests in this class.
DrupalTestCase::verbose protected function Logs a verbose message in a text file.
DrupalUnitTestCase::setUp protected function Sets up unit test environment. 8
DrupalUnitTestCase::tearDown protected function 1
DrupalUnitTestCase::__construct function Constructor for DrupalUnitTestCase. Overrides DrupalTestCase::__construct