Add unit tests for removeEmbeddedMedia()

2026-04-23 12:22:15 +09:00 · 2016-03-12 23:24:00 +09:00 · 2016-03-12 23:24:00 +09:00 · 31080ddc04
commit 31080ddc04
parent ef6f0c839f
1 changed files with 78 additions and 63 deletions
--- a/tests/unit/framework/security/HTMLFilterTest.php
+++ b/tests/unit/framework/security/HTMLFilterTest.php
@ -2,67 +2,82 @@

 class HTMLFilterTest extends \Codeception\TestCase\Test
 {
-    public function testRemoveHackTag()
-    {
-        $tests = array(
-            // remove iframe
-            array(
-                '<div class="frame"><iframe src="path/to/file.html"></iframe><p><a href="#iframe">IFrame</a></p></div>',
-                '<div class="frame"><iframe></iframe><p><a href="#iframe">IFrame</a></p></div>'
-            ),
-            // expression
-            array(
-                '<div class="dummy" style="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
-                '<div class="dummy"></div>'
-            ),
-            // no quotes and no semicolon - http://ha.ckers.org/xss.html
-            array(
-                '<img src=javascript:alert(\'xss\')>',
-                ''
-            ),
-            // embedded encoded tab to break up XSS - http://ha.ckers.org/xss.html
-            array(
-                '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
-                '<img src="jav%20ascript%3Aalert(\'XSS\');" alt="" />'
-            ),
-            // issue 178
-            array(
-                '<img src="invalid.jpg"\nonerror="alert(1)" />',
-                '<img src="invalid.jpg" alt="" />'
-            ),
-            // issue 534
-            array(
-                '<img src=\'as"df dummy=\'"1234\'" 4321\' asdf/*/>*/"  onerror="console.log(\'Yet another XSS\')">',
-                '<img src="as" alt="" />*/"  onerror="console.log(\'Yet another XSS\')"&gt;'
-            ),
-            // issue 602
-            array(
-                '<img alt="test" src="(http://static.naver.com/www/u/2010/0611/nmms_215646753.gif" onload="eval(String.fromCharCode(105,61,49,48,48,59,119,104,105,108,101, 40,105,62,48,41,97,108,101,114,116,40,40,105,45,45,41,43,39,48264,47564,32, 45908,32,53364,47533,54616,49464,50836,39,41,59));">',
-                '<img alt="test" src="(http%3A//static.naver.com/www/u/2010/0611/nmms_215646753.gif" />'
-            ),
-            // issue #1813 https://github.com/xpressengine/xe-core/issues/1813
-            array(
-                '<img src="?act=dispLayoutPreview" alt="dummy" />',
-                '<img src="" alt="dummy" />'
-            ),
-            array(
-                '<img src="?act =dispLayoutPreview" alt="dummy" />',
-                '<img src="" alt="dummy" />'
-            ),
-            array(
-                "<img src=\"?act\n=dispLayoutPreview\" alt=\"dummy\" />",
-                '<img src="" alt="dummy" />'
-            ),
-            array(
-                "<img src=\"?pam=act&a\nct  =\r\n\tdispLayoutPreview\" alt=\"dummy\" />",
-                '<img src="" alt="dummy" />'
-            )
-        );
-        
-        foreach ($tests as $test)
-        {
-	        $result = removeHackTag($test[0]);
-	        $this->assertEquals($test[1], $result);
-        }
-    }
+	public function testRemoveHackTag()
+	{
+		$tests = array(
+			// remove iframe
+			array(
+				'<div class="frame"><iframe src="path/to/file.html"></iframe><p><a href="#iframe">IFrame</a></p></div>',
+				'<div class="frame"><iframe></iframe><p><a href="#iframe">IFrame</a></p></div>'
+			),
+			// expression
+			array(
+				'<div class="dummy" style="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
+				'<div class="dummy"></div>'
+			),
+			// no quotes and no semicolon - http://ha.ckers.org/xss.html
+			array(
+				'<img src=javascript:alert(\'xss\')>',
+				''
+			),
+			// embedded encoded tab to break up XSS - http://ha.ckers.org/xss.html
+			array(
+				'<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
+				'<img src="jav%20ascript%3Aalert(\'XSS\');" alt="" />'
+			),
+			// issue 178
+			array(
+				'<img src="invalid.jpg"\nonerror="alert(1)" />',
+				'<img src="invalid.jpg" alt="" />'
+			),
+			// issue 534
+			array(
+				'<img src=\'as"df dummy=\'"1234\'" 4321\' asdf/*/>*/"  onerror="console.log(\'Yet another XSS\')">',
+				'<img src="as" alt="" />*/"  onerror="console.log(\'Yet another XSS\')"&gt;'
+			),
+			// issue 602
+			array(
+				'<img alt="test" src="(http://static.naver.com/www/u/2010/0611/nmms_215646753.gif" onload="eval(String.fromCharCode(105,61,49,48,48,59,119,104,105,108,101, 40,105,62,48,41,97,108,101,114,116,40,40,105,45,45,41,43,39,48264,47564,32, 45908,32,53364,47533,54616,49464,50836,39,41,59));">',
+				'<img alt="test" src="(http%3A//static.naver.com/www/u/2010/0611/nmms_215646753.gif" />'
+			),
+			// issue #1813 https://github.com/xpressengine/xe-core/issues/1813
+			array(
+				'<img src="?act=dispLayoutPreview" alt="dummy" />',
+				'<img src="" alt="dummy" />'
+			),
+			array(
+				'<img src="?act =dispLayoutPreview" alt="dummy" />',
+				'<img src="" alt="dummy" />'
+			),
+			array(
+				"<img src=\"?act\n=dispLayoutPreview\" alt=\"dummy\" />",
+				'<img src="" alt="dummy" />'
+			),
+			array(
+				"<img src=\"?pam=act&a\nct  =\r\n\tdispLayoutPreview\" alt=\"dummy\" />",
+				'<img src="" alt="dummy" />'
+			)
+		);
+		
+		foreach ($tests as $test)
+		{
+			$this->assertEquals($test[1], removeHackTag($test[0]));
+		}
+	}
+	
+	public function testRemoveEmbeddedMedia()
+	{
+		$tests = array(
+			'<div><object></object></div>' => '<div></div>',
+			'<div><object><embed></embed></object></div>' => '<div></div>',
+			'<div><object><param /></object></div>' => '<div></div>',
+			'<div><img class="foo" editor_component="multimedia_link" /></div>' => '<div></div>',
+			'<div><img editor_component="multimedia_link"></img></div>' => '<div></div>',
+		);
+		
+		foreach ($tests as $from => $to)
+		{
+			$this->assertEquals($to, Rhymix\Framework\Security\HTMLFilter::removeEmbeddedMedia($from));
+		}
+	}
 }