|
1
|
|
|
<?php |
|
|
|
|
|
|
2
|
|
|
|
|
3
|
|
|
namespace Scelus\Escaper; |
|
4
|
|
|
|
|
5
|
|
|
/* |
|
6
|
|
|
* All functions are based on the recommendations in the |
|
7
|
|
|
* XSS (Cross Site Scripting) Prevention Cheat Sheet: |
|
8
|
|
|
* https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet |
|
9
|
|
|
* |
|
10
|
|
|
*/ |
|
11
|
|
|
|
|
12
|
|
|
class CEscaperTest extends \PHPUnit_Framework_TestCase |
|
13
|
|
|
{ |
|
14
|
|
|
/** |
|
15
|
|
|
* Test |
|
16
|
|
|
* |
|
17
|
|
|
* @return void |
|
18
|
|
|
* |
|
19
|
|
|
*/ |
|
20
|
|
|
public function testConstructorSuccess() |
|
21
|
|
|
{ |
|
22
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
23
|
|
|
|
|
24
|
|
|
$res = $el->getEncoding(); |
|
25
|
|
|
$exp = 'UTF-8'; |
|
26
|
|
|
$this->assertEquals($res, $exp, "Created element name missmatch."); |
|
27
|
|
|
} |
|
28
|
|
|
|
|
29
|
|
|
public function testSetAndGetEncoding() |
|
30
|
|
|
{ |
|
31
|
|
|
$el = new \Scelus\Escaper\CEscaper('ASCII'); |
|
32
|
|
|
|
|
33
|
|
|
$res = $el->getEncoding(); |
|
34
|
|
|
$exp = 'ASCII'; |
|
35
|
|
|
$this->assertEquals($res, $exp, "Created element argument missmatch"); |
|
36
|
|
|
|
|
37
|
|
|
$el->setEncoding('UTF-8'); |
|
38
|
|
|
$res = $el->getEncoding(); |
|
39
|
|
|
$exp = 'UTF-8'; |
|
40
|
|
|
$this->assertEquals($res, $exp, "setEncoding() produced missmatch"); |
|
41
|
|
|
} |
|
42
|
|
|
|
|
43
|
|
View Code Duplication |
public function testEscapeHTML() |
|
|
|
|
|
|
44
|
|
|
{ |
|
45
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
46
|
|
|
|
|
47
|
|
|
$argument = '></div><h1>myattack</h1>'; |
|
48
|
|
|
$res = $el->escapeHTML($argument); |
|
49
|
|
|
$exp = '></div><h1>myattack</h1>'; |
|
50
|
|
|
$this->assertEquals($res, $exp, "escapeHTML() produced missmatch"); |
|
51
|
|
|
} |
|
52
|
|
|
|
|
53
|
|
View Code Duplication |
public function testEscapeHTMLattr() |
|
|
|
|
|
|
54
|
|
|
{ |
|
55
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
56
|
|
|
|
|
57
|
|
|
$argument = '"><h1>Hello</table'; |
|
58
|
|
|
$res = $el->escapeHTMLattr($argument); |
|
59
|
|
|
$exp = ""><h1>Hello</table"; |
|
60
|
|
|
$this->assertEquals($res, $exp, "escapeHTMLattr() produced missmatch"); |
|
61
|
|
|
} |
|
62
|
|
|
|
|
63
|
|
View Code Duplication |
public function testEscapeUrl() |
|
|
|
|
|
|
64
|
|
|
{ |
|
65
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
66
|
|
|
|
|
67
|
|
|
$argument = '"><script>alert(1)</script><a href="#'; |
|
68
|
|
|
$res = $el->escapeUrl($argument); |
|
69
|
|
|
$exp = "%22%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E%3Ca%20href%3D%22%23"; |
|
70
|
|
|
$this->assertEquals($res, $exp, "escapeUrl() produced missmatch"); |
|
71
|
|
|
} |
|
72
|
|
|
|
|
73
|
|
View Code Duplication |
public function testEscapeCSS() |
|
|
|
|
|
|
74
|
|
|
{ |
|
75
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
76
|
|
|
|
|
77
|
|
|
$argument = '"><script>alert(1)</script><a href="#'; |
|
78
|
|
|
$res = $el->escapeCSS($argument); |
|
79
|
|
|
$exp = '\22 \3e \3c script\3e alert\28 1\29 \3c \2f script\3e \3c a\20 href\3d \22 \23 '; |
|
80
|
|
|
$this->assertEquals($res, $exp, "escapeCSS() produced missmatch"); |
|
81
|
|
|
} |
|
82
|
|
|
|
|
83
|
|
View Code Duplication |
public function testEscapeJs() |
|
|
|
|
|
|
84
|
|
|
{ |
|
85
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
86
|
|
|
|
|
87
|
|
|
$argument = "'; alert(100); var x='"; |
|
88
|
|
|
$res = $el->escapeJs($argument); |
|
89
|
|
|
$exp = '\x27\x3b\x20alert\x28100\x29\x3b\x20var\x20x\x3d\x27'; |
|
90
|
|
|
$this->assertEquals($res, $exp, "escapeJs() produced missmatch"); |
|
91
|
|
|
} |
|
92
|
|
|
|
|
93
|
|
View Code Duplication |
public function testEscapeXML() |
|
|
|
|
|
|
94
|
|
|
{ |
|
95
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
96
|
|
|
|
|
97
|
|
|
$argument = '></div><h1>myattack</h1>'; |
|
98
|
|
|
$res = $el->escapeXml($argument); |
|
99
|
|
|
$exp = '></div><h1>myattack</h1>'; |
|
100
|
|
|
$this->assertEquals($res, $exp, "escapeHTML() produced missmatch"); |
|
101
|
|
|
} |
|
102
|
|
|
|
|
103
|
|
View Code Duplication |
public function testEscapeXmlattr() |
|
|
|
|
|
|
104
|
|
|
{ |
|
105
|
|
|
$el = new \Scelus\Escaper\CEscaper(); |
|
106
|
|
|
|
|
107
|
|
|
$argument = '"><h1>Hello</table'; |
|
108
|
|
|
$res = $el->escapeXmlattr($argument); |
|
109
|
|
|
$exp = ""><h1>Hello</table"; |
|
110
|
|
|
$this->assertEquals($res, $exp, "escapeHTMLattr() produced missmatch"); |
|
111
|
|
|
} |
|
112
|
|
|
}; |
Sceluswe /
XSS-Escaper
Loading history...
The PSR-1: Basic Coding Standard recommends that a file should either introduce new symbols, that is classes, functions, constants or similar, or have side effects. Side effects are anything that executes logic, like for example printing output, changing ini settings or writing to a file.
The idea behind this recommendation is that merely auto-loading a class should not change the state of an application. It also promotes a cleaner style of programming and makes your code less prone to errors, because the logic is not spread out all over the place.
To learn more about the PSR-1, please see the PHP-FIG site on the PSR-1.