Gitiles
Code Review Sign In
www.giggi.me / code-igniter-v3-giggi / 50c58a6dde3c0b099625b50b3588b0976b307a9c^1..50c58a6dde3c0b099625b50b3588b0976b307a9c / .
commit50c58a6dde3c0b099625b50b3588b0976b307a9c[log] [tgz]
authorAndrey Andreev <narf@devilix.net>Tue Mar 10 15:42:17 2015 +0200
committerAndrey Andreev <narf@devilix.net>Tue Mar 10 15:42:17 2015 +0200
tree8dc74556d40ce2288c274a7dbdb198d0c21a7fbe
parentafc20169146e4a6431f5aba9c980072964807721 [diff]
parenta1525136a25404c40dff8383ec7ff1b4f5d3e68b [diff]
Merge pull request #3655 from ahnh/CI_Security_Unit_Test

Improve CI_Security unit tests coverage
diff --git a/tests/codeigniter/core/Security_test.php b/tests/codeigniter/core/Security_test.php
index c96eecf..7f467fb 100644
--- a/tests/codeigniter/core/Security_test.php
+++ b/tests/codeigniter/core/Security_test.php

@@ -71,6 +71,47 @@
 		$this->assertEquals("Hello, i try to [removed]alert&#40;'Hack'&#41;;[removed] your site", $harmless_string);
 	}
 
+        // --------------------------------------------------------------------
+
+	public function test_xss_clean_string_array()
+	{
+		$harm_strings = array(
+			"Hello, i try to <script>alert('Hack');</script> your site",
+			"Simple clean string",
+			"Hello, i try to <script>alert('Hack');</script> your site"
+		);
+
+		$harmless_strings = $this->security->xss_clean($harm_strings);
+
+		$this->assertEquals("Hello, i try to [removed]alert&#40;'Hack'&#41;;[removed] your site", $harmless_strings[0]);
+		$this->assertEquals("Simple clean string", $harmless_strings[1]);
+		$this->assertEquals("Hello, i try to [removed]alert&#40;'Hack'&#41;;[removed] your site", $harmless_strings[2]);
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_xss_clean_image_valid()
+	{
+		$harm_string = '<img src="test.png">';
+
+		$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);
+
+		$this->assertTrue($xss_clean_return);
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_xss_clean_image_invalid()
+	{
+		$harm_string = '<img src=javascript:alert(String.fromCharCode(88,83,83))>';
+
+		$xss_clean_return = $this->security->xss_clean($harm_string, TRUE);
+
+		$this->assertFalse($xss_clean_return);
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_xss_clean_entity_double_encoded()
 	{
 		$input = '<a href="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere</a>';
@@ -79,6 +120,22 @@
 
 	// --------------------------------------------------------------------
 
+	public function test_xss_clean_js_img_removal()
+	{
+		$input = '<img src="&#38&#35&#49&#48&#54&#38&#35&#57&#55&#38&#35&#49&#49&#56&#38&#35&#57&#55&#38&#35&#49&#49&#53&#38&#35&#57&#57&#38&#35&#49&#49&#52&#38&#35&#49&#48&#53&#38&#35&#49&#49&#50&#38&#35&#49&#49&#54&#38&#35&#53&#56&#38&#35&#57&#57&#38&#35&#49&#49&#49&#38&#35&#49&#49&#48&#38&#35&#49&#48&#50&#38&#35&#49&#48&#53&#38&#35&#49&#49&#52&#38&#35&#49&#48&#57&#38&#35&#52&#48&#38&#35&#52&#57&#38&#35&#52&#49">Clickhere';
+		$this->assertEquals('<img >', $this->security->xss_clean($input));
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_xss_clean_sanitize_naughty_html()
+	{
+		$input = '<blink>';
+		$this->assertEquals('&lt;blink&gt;', $this->security->xss_clean($input));
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_remove_evil_attributes()
 	{
 		$this->assertEquals('<foo [removed]>', $this->security->remove_evil_attributes('<foo onAttribute="bar">', false));
@@ -103,6 +160,17 @@
 
 	// --------------------------------------------------------------------
 
+	public function test_get_random_bytes()
+	{
+		$length = "invalid";
+		$this->assertFalse($this->security->get_random_bytes($length));
+
+		$length = 10;
+		$this->assertNotEmpty($this->security->get_random_bytes($length));
+	}
+
+	// --------------------------------------------------------------------
+
 	public function test_entity_decode()
 	{
 		$encoded = '&lt;div&gt;Hello &lt;b&gt;Booya&lt;/b&gt;&lt;/div&gt;';
@@ -126,36 +194,55 @@
 
 		$this->assertEquals('foo', $safe_filename);
 	}
-        
-        // --------------------------------------------------------------------
+
+	// --------------------------------------------------------------------
 
 	public function test_strip_image_tags()
 	{
-                $imgtags = Array(
-                    '<img src="smiley.gif" alt="Smiley face" height="42" width="42">',
-                    '<img alt="Smiley face" height="42" width="42" src="smiley.gif">',
-                    '<img src="http://www.w3schools.com/images/w3schools_green.jpg">',
-                    '<img src="/img/sunset.gif" height="100%" width="100%">',
-                    '<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />',
-                    '<img sqrc="/img/sunset.gif" height="100%" width="100%">',
-                    '<img srqc="/img/sunset.gif" height="100%" width="100%">',
-                    '<img srcq="/img/sunset.gif" height="100%" width="100%">'
-                );
-                
-                $urls = Array(
-                    'smiley.gif',
-                    'smiley.gif',
-                    'http://www.w3schools.com/images/w3schools_green.jpg',
-                    '/img/sunset.gif',
-                    'mdn-logo-sm.png',
-                    '<img sqrc="/img/sunset.gif" height="100%" width="100%">',
-                    '<img srqc="/img/sunset.gif" height="100%" width="100%">',
-                    '<img srcq="/img/sunset.gif" height="100%" width="100%">'
-                );
-                
-                for($i = 0; $i < count($imgtags); $i++) 
-                {
-                    $this->assertEquals($urls[$i], $this->security->strip_image_tags($imgtags[$i]));
-                }
+		$imgtags = Array(
+			'<img src="smiley.gif" alt="Smiley face" height="42" width="42">',
+			'<img alt="Smiley face" height="42" width="42" src="smiley.gif">',
+			'<img src="http://www.w3schools.com/images/w3schools_green.jpg">',
+			'<img src="/img/sunset.gif" height="100%" width="100%">',
+			'<img src="mdn-logo-sm.png" alt="MD Logo" srcset="mdn-logo-HD.png 2x, mdn-logo-small.png 15w, mdn-banner-HD.png 100w 2x" />',
+			'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srqc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srcq="/img/sunset.gif" height="100%" width="100%">'
+		);
+
+		$urls = Array(
+			'smiley.gif',
+			'smiley.gif',
+			'http://www.w3schools.com/images/w3schools_green.jpg',
+			'/img/sunset.gif',
+			'mdn-logo-sm.png',
+			'<img sqrc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srqc="/img/sunset.gif" height="100%" width="100%">',
+			'<img srcq="/img/sunset.gif" height="100%" width="100%">'
+		);
+
+		for($i = 0; $i < count($imgtags); $i++) 
+		{
+			$this->assertEquals($urls[$i], $this->security->strip_image_tags($imgtags[$i]));
+		}
+	}
+
+	// --------------------------------------------------------------------
+
+	public function test_csrf_set_hash()
+	{
+		// Set cookie for security test
+		$_COOKIE['ci_csrf_cookie'] = md5(uniqid(mt_rand(), TRUE));
+
+		// Set config for Security class
+		$this->ci_set_config('csrf_protection', TRUE);
+		$this->ci_set_config('csrf_token_name', 'ci_csrf_token');
+
+		// leave csrf_cookie_name as blank to test _csrf_set_hash function
+		$this->ci_set_config('csrf_cookie_name', '');
+
+		$this->security = new Mock_Core_Security();
+
+		$this->assertNotEmpty($this->security->get_csrf_hash());
 	}
 }
\ No newline at end of file