Perform more thorough unit test of HTMLFilter

This commit is contained in:
Kijin Sung 2016-03-14 15:33:07 +09:00
parent 804fd0515b
commit 26138c25da
2 changed files with 89 additions and 0 deletions


@ -68,6 +68,7 @@ return array(
'maps.google.co.kr/',
// Daum TV Pot
'flvs.daum.net/',
'videofarm.daum.net/',
// NAVER TVCAST
'serviceapi.rmcnmv.naver.com/',
// SBS


@ -64,4 +64,92 @@ class HTMLFilterTest extends \Codeception\TestCase\Test
$this->assertEquals($test[1], Rhymix\Framework\Security\HTMLFilter::clean($test[0]));
}
}
public function testHTMLFilterHTML5()
{
$source = '<div><audio autoplay="autoplay" src="./foo/bar.mp3"></audio></div>';
$target = '<div><audio src="./foo/bar.mp3"></audio></div>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<video autoplay="autoplay" width="320" height="240"><source src="./foo/bar.mp4" type="video/mp4" /></video>';
$target = '<video width="320" height="240"><source src="./foo/bar.mp4" type="video/mp4" /></video>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<nav>123</nav><section>456</section><article>789</article><aside>0</aside>';
$target = '<nav>123</nav><section>456</section><article>789</article><aside>0</aside>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
}
public function testHTMLFilterCSS3()
{
$source = '<div style="display:flex;border-radius:1px 2px 3px 4px;"></div>';
$target = '<div style="display:flex;border-radius:1px 2px 3px 4px;"></div>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<div style="box-sizing:border-box;box-shadow:5px 5px 2px #123456;"></div>';
$target = '<div style="box-sizing:border-box;box-shadow:5px 5px 2px #123456;"></div>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<div style="overflow-x:auto;overflow-y:scroll;left:-500px;"></div>';
$target = '<div style="overflow-x:auto;overflow-y:scroll;"></div>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
}
public function testHTMLFilterEmbeddedMedia()
{
$source = '<iframe title="Video Test" width="640" height="360" src="http://videofarm.daum.net/controller/video/viewer/Video.html?vid=s474b7BR2zzREo0g7OT7EKo&amp;play_loc=undefined&amp;alert=true" frameborder="0" scrolling="no"></iframe>';
$target = '<iframe title="Video Test" width="640" height="360" src="http://videofarm.daum.net/controller/video/viewer/Video.html?vid=s474b7BR2zzREo0g7OT7EKo&amp;play_loc=undefined&amp;alert=true" frameborder="0" scrolling="no"></iframe>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<iframe title="Video Test" width="640" height="360" src="http://not-allowed.com/whatever-video.mp4" frameborder="0" scrolling="no"></iframe>';
$target = '<iframe title="Video Test" width="640" height="360" frameborder="0" scrolling="no"></iframe>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<object type="application/x-shockwave-flash" id="DaumVodPlayer_s474b7BR2zzREo0g7OT7EKo" width="640px" height="360px" align="middle" classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000" codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=10,3,0,0">' .
'<param name="movie" value="http://videofarm.daum.net/controller/player/VodPlayer.swf" />' .
'<param name="allowScriptAccess" value="always" />' .
'<param name="allowFullScreen" value="true" />' .
'<param name="bgcolor" value="#000000" />' .
'<param name="wmode" value="window" />' .
'<param name="flashvars" value="vid=s474b7BR2zzREo0g7OT7EKo&playLoc=undefined&alert=true" />' .
'<embed src="http://videofarm.daum.net/controller/player/VodPlayer.swf" width="640px" height="360px" allowScriptAccess="always" type="application/x-shockwave-flash" allowFullScreen="true" bgcolor="#000000" flashvars="vid=s474b7BR2zzREo0g7OT7EKo&playLoc=undefined&alert=true"></embed>' .
'</object>';
$target = '<object type="application/x-shockwave-flash" width="640" height="360" data="http://videofarm.daum.net/controller/player/VodPlayer.swf">' .
'<param name="allowScriptAccess" value="never" />' .
'<param name="allowNetworking" value="internal" />' .
'<param name="movie" value="http://videofarm.daum.net/controller/player/VodPlayer.swf" />' .
'<param name="allowFullScreen" value="true" />' .
'<param name="wmode" value="window" />' .
'<param name="flashvars" value="vid=s474b7BR2zzREo0g7OT7EKo&amp;playLoc=undefined&amp;alert=true" />' .
'<embed src="http://videofarm.daum.net/controller/player/VodPlayer.swf" width="640" height="360" type="application/x-shockwave-flash" flashvars="vid=s474b7BR2zzREo0g7OT7EKo&amp;playLoc=undefined&amp;alert=true" allowscriptaccess="never" allownetworking="internal" />' .
'</object>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<audio src="https://www.youtube.com/whatever"></audio>';
$target = '<audio src="https://www.youtube.com/whatever"></audio>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<audio src="https://www-youtube.com/whatever"></audio>';
$target = '<audio src=""></audio>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<video width="320" height="240"><source src="http://api.v.daum.net/something" type="video/mp4" /></video>';
$target = '<video width="320" height="240"><source src="http://api.v.daum.net/something" type="video/mp4" /></video>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<video width="320" height="240"><source src="http://wrong-site.net/" type="video/mp4" /></video>';
$target = '<video width="320" height="240"><source src="" type="video/mp4" /></video>';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
}
public function testHTMLFilterEditorComponent()
{
$source = '<img somekey="somevalue" otherkey="othervalue" onmouseover="alert(\'xss\');" editor_component="component_name" src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />';
$target = '<img somekey="somevalue" otherkey="othervalue" editor_component="component_name" src="./foo/bar.jpg" alt="My Picture" style="width:320px;height:240px;" width="320" height="240" />';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
$source = '<img somekey="somevalue" otherkey="othervalue" onkeypress="alert(\'xss\');" editor_component="component_name" />';
$target = '<img somekey="somevalue" otherkey="othervalue" src="" editor_component="component_name" alt="" />';
$this->assertEquals($target, Rhymix\Framework\Security\HTMLFilter::clean($source));
}
}
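Review bot: testHTMLFilterEditorComponent shows that arbitrary attributes (`somekey`, `otherkey`) survive cleaning once `editor_component` is present, but it only asserts that `onmouseover`/`onkeypress` are dropped, so the relaxed mode is never checked against non-event injection vectors. Add a case such as `$source = '<img editor_component="component_name" src="javascript:alert(1)" style="width:expression(alert(1))" />';` and assert (e.g. with `assertNotContains`) that neither `javascript:` nor `expression(` appears in `HTMLFilter::clean($source)`; the exact serialized output is not visible from here, so a containment check is the safe assertion. Separately, the host-whitelist cases mix schemes — `videofarm.daum.net` is exercised only over `http://` while the YouTube case uses `https://` — so one extra case per host with the other scheme would pin whether the scheme participates in the match. The HTMLFilterTest class opens before this hunk; only its tail is shown.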