Update unit tests

tests/unit/framework/DebugTest.php

@@ -45,10 +45,11 @@ class DebugTest extends \Codeception\TestCase\Test
 			'backtrace' => array(),
 		));
 		$queries = Rhymix\Framework\Debug::getQueries();
-		$this->assertEquals(1, count($queries));
-		$this->assertEquals('SELECT foo FROM bar', $queries[0]->query_string);
-		$this->assertEquals('This is a unit test', $queries[0]->message);
-		$this->assertEquals(1234, $queries[0]->error_code);
+		$this->assertGreaterThanOrEqual(1, count($queries));
+		$query = array_pop($queries);
+		$this->assertEquals('SELECT foo FROM bar', $query->query_string);
+		$this->assertEquals('This is a unit test', $query->message);
+		$this->assertEquals(1234, $query->error_code);
 	}
 	
 	public function testDebugTranslateFilename()

tests/unit/framework/security/HTMLFilterTest.php

@@ -0,0 +1,68 @@
+<?php
+
+class HTMLFilterTest extends \Codeception\TestCase\Test
+{
+    public function testRemoveHackTag()
+    {
+        $tests = array(
+            // remove iframe
+            array(
+                '<div class="frame"><iframe src="path/to/file.html"></iframe><p><a href="#iframe">IFrame</a></p></div>',
+                '<div class="frame"><iframe></iframe><p><a href="#iframe">IFrame</a></p></div>'
+            ),
+            // expression
+            array(
+                '<div class="dummy" style="xss:expr/*XSS*/ession(alert(\'XSS\'))">',
+                '<div class="dummy"></div>'
+            ),
+            // no quotes and no semicolon - http://ha.ckers.org/xss.html
+            array(
+                '<img src=javascript:alert(\'xss\')>',
+                ''
+            ),
+            // embedded encoded tab to break up XSS - http://ha.ckers.org/xss.html
+            array(
+                '<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">',
+                '<img src="jav%20ascript%3Aalert(\'XSS\');" alt="" />'
+            ),
+            // issue 178
+            array(
+                '<img src="invalid.jpg"\nonerror="alert(1)" />',
+                '<img src="invalid.jpg" alt="" />'
+            ),
+            // issue 534
+            array(
+                '<img src=\'as"df dummy=\'"1234\'" 4321\' asdf/*/>*/"  onerror="console.log(\'Yet another XSS\')">',
+                '<img src="as" alt="" />*/"  onerror="console.log(\'Yet another XSS\')"&gt;'
+            ),
+            // issue 602
+            array(
+                '<img alt="test" src="(http://static.naver.com/www/u/2010/0611/nmms_215646753.gif" onload="eval(String.fromCharCode(105,61,49,48,48,59,119,104,105,108,101, 40,105,62,48,41,97,108,101,114,116,40,40,105,45,45,41,43,39,48264,47564,32, 45908,32,53364,47533,54616,49464,50836,39,41,59));">',
+                '<img alt="test" src="(http%3A//static.naver.com/www/u/2010/0611/nmms_215646753.gif" />'
+            ),
+            // issue #1813 https://github.com/xpressengine/xe-core/issues/1813
+            array(
+                '<img src="?act=dispLayoutPreview" alt="dummy" />',
+                '<img alt="dummy" />'
+            ),
+            array(
+                '<img src="?act =dispLayoutPreview" alt="dummy" />',
+                '<img alt="dummy" />'
+            ),
+            array(
+                "<img src=\"?act\n=dispLayoutPreview\" alt=\"dummy\" />",
+                '<img alt="dummy" />'
+            ),
+            array(
+                "<img src=\"?pam=act&a\nct  =\r\n\tdispLayoutPreview\" alt=\"dummy\" />",
+                '<img alt="dummy" />'
+            )
+        );
+        
+        foreach ($tests as $test)
+        {
+	        $result = removeHackTag($test[0]);
+	        $this->assertEquals($test[1], $result);
+        }
+    }
+}