CommonXssUnitTest

Drupal 7, drupal/modules/simpletest/tests/common.test

Tests for the check_plain(), filter_xss(), check_url() and drupal_strip_dangerous_protocols() functions. Each test asserts on the output of a filter for a fixed input: invalid multi-byte sequences make check_plain() and filter_xss() return an empty string rather than pass the raw bytes through to the browser, the five HTML-reserved characters are escaped, and a disallowed scheme such as javascript: is stripped from a URL before the URL is encoded for HTML.

Functions & methods

Name                                          Description
CommonXssUnitTest::getInfo
CommonXssUnitTest::testBadProtocolStripping   Check that harmful protocols are stripped.
CommonXssUnitTest::testEscaping               Check that special characters are escaped.
CommonXssUnitTest::testInvalidMultiByte       Check that invalid multi-byte sequences are rejected.
DrupalTestCase::assert                        Internal helper: stores the assert.
DrupalTestCase::assertEqual                   Check to see if two values are equal.
DrupalTestCase::assertFalse                   Check to see if a value is false (an empty string, 0, NULL, or FALSE).
DrupalTestCase::assertIdentical               Check to see if two values are identical.
DrupalTestCase::assertNotEqual                Check to see if two values are not equal.
DrupalTestCase::assertNotIdentical            Check to see if two values are not identical.
DrupalTestCase::assertNotNull                 Check to see if a value is not NULL.
DrupalTestCase::assertNull                    Check to see if a value is NULL.
DrupalTestCase::assertTrue                    Check to see if a value is not false (not an empty string, 0, NULL, or FALSE).
DrupalTestCase::deleteAssert                  Delete an assertion record by message ID.
DrupalTestCase::error                         Fire an error assertion.
DrupalTestCase::errorHandler                  Handle errors during test runs.
DrupalTestCase::exceptionHandler              Handle exceptions.
DrupalTestCase::fail                          Fire an assertion that is always negative.
DrupalTestCase::generatePermutations          Converts a list of possible parameters into a stack of permutations.
DrupalTestCase::getAssertionCall              Cycles through backtrace until the first non-assertion method is found.
DrupalTestCase::insertAssert                  Store an assertion from outside the testing context.
DrupalTestCase::pass                          Fire an assertion that is always positive.
DrupalTestCase::randomName                    Generates a random string containing letters and numbers.
DrupalTestCase::randomString                  Generates a random string of ASCII characters of codes 32 to 126.
DrupalTestCase::run                           Run all tests in this class.
DrupalTestCase::verbose                       Logs verbose message in a text file.
DrupalUnitTestCase::setUp                     Sets up unit test environment.
DrupalUnitTestCase::tearDown
DrupalUnitTestCase::__construct               Constructor for DrupalUnitTestCase. Overrides DrupalTestCase::__construct

Properties

Name                                          Description
DrupalTestCase::$assertions                   Assertions thrown in that test case.
DrupalTestCase::$databasePrefix               The database prefix of this test run.
DrupalTestCase::$originalFileDirectory        The original file directory, before it was changed for testing purposes.
DrupalTestCase::$results                      Current results of this test case.
DrupalTestCase::$skipClasses                  This class is skipped when looking for the source of an assertion.
DrupalTestCase::$testId                       The test run ID.
DrupalTestCase::$timeLimit                    Time limit for the test.

File

drupal/modules/simpletest/tests/common.test, line 350
Tests for common.inc functionality.

Source
class CommonXssUnitTest extends DrupalUnitTestCase {

  public static function getInfo() {
    return array(
      'name' => 'String filtering tests', 
      'description' => 'Confirm that check_plain(), filter_xss(), and check_url() work correctly, including invalid multi-byte sequences.', 
      'group' => 'System',
    );
  }

  /**
   * Check that invalid multi-byte sequences are rejected.
   */
  function testInvalidMultiByte() {
    // Ignore PHP 5.3+ invalid multibyte sequence warning.
    $text = @check_plain("Foo\xC0barbaz");
    $this->assertEqual($text, '', 'check_plain() rejects invalid sequence "Foo\xC0barbaz"');
    // Ignore PHP 5.3+ invalid multibyte sequence warning.
    $text = @check_plain("\xc2\"");
    $this->assertEqual($text, '', 'check_plain() rejects invalid sequence "\xc2\""');
    $text = check_plain("Fooÿñ");
    $this->assertEqual($text, "Fooÿñ", 'check_plain() accepts valid sequence "Fooÿñ"');
    $text = filter_xss("Foo\xC0barbaz");
    $this->assertEqual($text, '', 'filter_xss() rejects invalid sequence "Foo\xC0barbaz"');
    $text = filter_xss("Fooÿñ");
    $this->assertEqual($text, "Fooÿñ", 'filter_xss() accepts valid sequence Fooÿñ');
  }

  /**
   * Check that special characters are escaped.
   */
  function testEscaping() {
    $text = check_plain("<script>");
    $this->assertEqual($text, '&lt;script&gt;', 'check_plain() escapes &lt;script&gt;');
    $text = check_plain('<>&"\'');
    $this->assertEqual($text, '&lt;&gt;&amp;&quot;&#039;', 'check_plain() escapes reserved HTML characters.');
  }

  /**
   * Check that harmful protocols are stripped.
   */
  function testBadProtocolStripping() {
    // Ensure that check_url() strips out harmful protocols, and encodes for
    // HTML. Ensure drupal_strip_dangerous_protocols() can be used to return a
    // plain-text string stripped of harmful protocols.
    $url = 'javascript:http://www.example.com/?x=1&y=2';
    $expected_plain = 'http://www.example.com/?x=1&y=2';
    $expected_html = 'http://www.example.com/?x=1&amp;y=2';
    $this->assertIdentical(check_url($url), $expected_html, t('check_url() filters a URL and encodes it for HTML.'));
    $this->assertIdentical(drupal_strip_dangerous_protocols($url), $expected_plain, t('drupal_strip_dangerous_protocols() filters a URL and returns plain text.'));
  }
}
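The three behaviours the test methods above assert on (rejection of malformed UTF-8, escaping of the HTML-reserved characters, and stripping of disallowed URL schemes), reproduced as a stand-alone script that runs without Drupal. This is an added example, not code from this page or from Drupal itself. The helper names plain_text(), is_valid_utf8(), strip_dangerous_protocols() and safe_url(), and the scheme allow-list passed to strip_dangerous_protocols(), are assumptions modelled on the behaviour the tests expect of check_plain(), drupal_validate_utf8(), drupal_strip_dangerous_protocols() and check_url(). The inputs in $cases are constructed: the page's own vectors plus a few scheme-evasion attempts. It assumes PHP 7.1 or later.

```php
<?php
// Added example (not Drupal's own code): reproduces the properties checked by
// CommonXssUnitTest using only core PHP. All function names below are
// hypothetical and only modelled on the Drupal 7 functions under test.

declare(strict_types=1);

/**
 * Escape the five HTML-reserved characters and reject malformed UTF-8.
 *
 * With ENT_QUOTES and an explicit 'UTF-8' charset, and without ENT_SUBSTITUTE
 * or ENT_IGNORE, htmlspecialchars() returns '' for any invalid byte sequence
 * instead of passing the raw bytes through to the browser.
 */
function plain_text(string $text): string {
  return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}

/**
 * Explicit UTF-8 validation, the check filter_xss() performs before anything
 * else. preg_match() with the /u modifier returns false on malformed input.
 */
function is_valid_utf8(string $text): bool {
  return $text === '' || preg_match('/^./us', $text) === 1;
}

/**
 * Iteratively strip every scheme that is not on the allow-list, so that
 * "javascript:http://x" becomes "http://x" and "java:script:x" becomes "x".
 * A colon that follows '/', '?' or '#' belongs to the path or query of a
 * relative URL, not to a scheme, and ends the loop.
 */
function strip_dangerous_protocols(string $uri, array $allowed = ['http', 'https', 'ftp', 'mailto']): string {
  $allowed = array_flip(array_map('strtolower', $allowed));
  do {
    $before = $uri;
    $colonpos = strpos($uri, ':');
    if ($colonpos !== false && $colonpos > 0) {
      $scheme = substr($uri, 0, $colonpos);
      if (preg_match('![/?#]!', $scheme)) {
        break;
      }
      // Scheme comparison is case-insensitive (RFC 3986 section 3.1).
      if (!isset($allowed[strtolower($scheme)])) {
        $uri = substr($uri, $colonpos + 1);
      }
    }
  } while ($before !== $uri);
  return $uri;
}

/** Strip disallowed schemes, then escape for use inside an HTML attribute. */
function safe_url(string $uri): string {
  return plain_text(strip_dangerous_protocols($uri));
}

// Constructed inputs: the vectors from this page plus some evasion attempts.
// Each entry is [function, input, expected output].
$cases = [
  ['plain_text', "<script>", '&lt;script&gt;'],
  ['plain_text', '<>&"\'', '&lt;&gt;&amp;&quot;&#039;'],
  ['plain_text', "Foo\xC0barbaz", ''],            // invalid lead byte: whole string rejected
  ['plain_text', "Fooÿñ", "Fooÿñ"],               // valid multi-byte text passes through
  ['is_valid_utf8', "\xc2\"", false],             // lead byte followed by a non-continuation byte
  ['is_valid_utf8', "Fooÿñ", true],
  ['safe_url', 'javascript:http://www.example.com/?x=1&y=2', 'http://www.example.com/?x=1&amp;y=2'],
  ['safe_url', 'JaVaScRiPt:alert(1)', 'alert(1)'],                         // mixed case scheme
  ['safe_url', 'java:script:alert(1)', 'alert(1)'],                        // nested scheme, needs the loop
  ['safe_url', '/search?q=javascript:alert(1)', '/search?q=javascript:alert(1)'], // relative URL, colon is not a scheme
  ['safe_url', 'data:text/html;base64,PHNjcmlwdD4=', 'text/html;base64,PHNjcmlwdD4='],
];

$failures = 0;
foreach ($cases as [$fn, $input, $expected]) {
  // '@' suppresses the malformed-UTF-8 warning older PHP releases emit, as the
  // original test does.
  $actual = @$fn($input);
  $ok = $actual === $expected;
  $failures += $ok ? 0 : 1;
  printf("%-4s %s(%s) => %s\n", $ok ? 'PASS' : 'FAIL', $fn, var_export($input, true), var_export($actual, true));
}
exit($failures === 0 ? 0 : 1);
```

Run it with `php example.php`; the exit status is non-zero if any case fails. The scheme-stripping loop repeats until the URI stops changing, which is what handles nested schemes such as java:script:, and it stops at the first colon that follows a '/', '?' or '#', so a relative URL whose query contains a colon is left alone. With ENT_QUOTES alone, htmlspecialchars() returns an empty string for malformed UTF-8; adding ENT_SUBSTITUTE would instead replace the bad bytes with U+FFFD, which is also safe for output but is not the contract these tests assert.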