Home Explore Help
Sign In
bux
/
muzich
Watch 1
Star 0
Fork 0
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
743 Commits
1 Branches
Tree: 13a40ad5a2
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '13a40ad5a2'
${ noResults }
muzich/vendor/twig/test/Twig/Tests/escapingTest.php

escapingTest.php 11KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321 
  1. <?php

  2. 

  3. /**

  4.  * This class is adapted from code coming from Zend Framework.

  5.  *

  6.  * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)

  7.  * @license   http://framework.zend.com/license/new-bsd New BSD License

  8.  */

  9. 

  10. class Twig_Test_EscapingTest extends PHPUnit_Framework_TestCase

  11. {

  12.     /**

  13.      * All character encodings supported by htmlspecialchars()

  14.      */

  15.     protected $htmlSpecialChars = array(

  16.         '\''    => '&#039;',

  17.         '"'     => '&quot;',

  18.         '<'     => '&lt;',

  19.         '>'     => '&gt;',

  20.         '&'     => '&amp;'

  21.     );

  22. 

  23.     protected $htmlAttrSpecialChars = array(

  24.         '\''    => '&#x27;',

  25.         /* Characters beyond ASCII value 255 to unicode escape */

  26.         'Ā'     => '&#x0100;',

  27.         /* Immune chars excluded */

  28.         ','     => ',',

  29.         '.'     => '.',

  30.         '-'     => '-',

  31.         '_'     => '_',

  32.         /* Basic alnums exluded */

  33.         'a'     => 'a',

  34.         'A'     => 'A',

  35.         'z'     => 'z',

  36.         'Z'     => 'Z',

  37.         '0'     => '0',

  38.         '9'     => '9',

  39.         /* Basic control characters and null */

  40.         "\r"    => '&#x0D;',

  41.         "\n"    => '&#x0A;',

  42.         "\t"    => '&#x09;',

  43.         "\0"    => '&#xFFFD;', // should use Unicode replacement char

  44.         /* Encode chars as named entities where possible */

  45.         '<'     => '&lt;',

  46.         '>'     => '&gt;',

  47.         '&'     => '&amp;',

  48.         '"'     => '&quot;',

  49.         /* Encode spaces for quoteless attribute protection */

  50.         ' '     => '&#x20;',

  51.     );

  52. 

  53.     protected $jsSpecialChars = array(

  54.         /* HTML special chars - escape without exception to hex */

  55.         '<'     => '\\x3C',

  56.         '>'     => '\\x3E',

  57.         '\''    => '\\x27',

  58.         '"'     => '\\x22',

  59.         '&'     => '\\x26',

  60.         /* Characters beyond ASCII value 255 to unicode escape */

  61.         'Ā'     => '\\u0100',

  62.         /* Immune chars excluded */

  63.         ','     => ',',

  64.         '.'     => '.',

  65.         '_'     => '_',

  66.         /* Basic alnums exluded */

  67.         'a'     => 'a',

  68.         'A'     => 'A',

  69.         'z'     => 'z',

  70.         'Z'     => 'Z',

  71.         '0'     => '0',

  72.         '9'     => '9',

  73.         /* Basic control characters and null */

  74.         "\r"    => '\\x0D',

  75.         "\n"    => '\\x0A',

  76.         "\t"    => '\\x09',

  77.         "\0"    => '\\x00',

  78.         /* Encode spaces for quoteless attribute protection */

  79.         ' '     => '\\x20',

  80.     );

  81. 

  82.     protected $urlSpecialChars = array(

  83.         /* HTML special chars - escape without exception to percent encoding */

  84.         '<'     => '%3C',

  85.         '>'     => '%3E',

  86.         '\''    => '%27',

  87.         '"'     => '%22',

  88.         '&'     => '%26',

  89.         /* Characters beyond ASCII value 255 to hex sequence */

  90.         'Ā'     => '%C4%80',

  91.         /* Punctuation and unreserved check */

  92.         ','     => '%2C',

  93.         '.'     => '.',

  94.         '_'     => '_',

  95.         '-'     => '-',

  96.         ':'     => '%3A',

  97.         ';'     => '%3B',

  98.         '!'     => '%21',

  99.         /* Basic alnums excluded */

  100.         'a'     => 'a',

  101.         'A'     => 'A',

  102.         'z'     => 'z',

  103.         'Z'     => 'Z',

  104.         '0'     => '0',

  105.         '9'     => '9',

  106.         /* Basic control characters and null */

  107.         "\r"    => '%0D',

  108.         "\n"    => '%0A',

  109.         "\t"    => '%09',

  110.         "\0"    => '%00',

  111.         /* PHP quirks from the past */

  112.         ' '     => '%20',

  113.         '~'     => '~',

  114.         '+'     => '%2B',

  115.     );

  116. 

  117.     protected $cssSpecialChars = array(

  118.         /* HTML special chars - escape without exception to hex */

  119.         '<'     => '\\3C ',

  120.         '>'     => '\\3E ',

  121.         '\''    => '\\27 ',

  122.         '"'     => '\\22 ',

  123.         '&'     => '\\26 ',

  124.         /* Characters beyond ASCII value 255 to unicode escape */

  125.         'Ā'     => '\\100 ',

  126.         /* Immune chars excluded */

  127.         ','     => '\\2C ',

  128.         '.'     => '\\2E ',

  129.         '_'     => '\\5F ',

  130.         /* Basic alnums exluded */

  131.         'a'     => 'a',

  132.         'A'     => 'A',

  133.         'z'     => 'z',

  134.         'Z'     => 'Z',

  135.         '0'     => '0',

  136.         '9'     => '9',

  137.         /* Basic control characters and null */

  138.         "\r"    => '\\D ',

  139.         "\n"    => '\\A ',

  140.         "\t"    => '\\9 ',

  141.         "\0"    => '\\0 ',

  142.         /* Encode spaces for quoteless attribute protection */

  143.         ' '     => '\\20 ',

  144.     );

  145. 

  146.     protected $env;

  147. 

  148.     public function setUp()

  149.     {

  150.         $this->env = new Twig_Environment();

  151.     }

  152. 

  153.     public function testHtmlEscapingConvertsSpecialChars()

  154.     {

  155.         foreach ($this->htmlSpecialChars as $key => $value) {

  156.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'html'), 'Failed to escape: '.$key);

  157.         }

  158.     }

  159. 

  160.     public function testHtmlAttributeEscapingConvertsSpecialChars()

  161.     {

  162.         foreach ($this->htmlAttrSpecialChars as $key => $value) {

  163.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'html_attr'), 'Failed to escape: '.$key);

  164.         }

  165.     }

  166. 

  167.     public function testJavascriptEscapingConvertsSpecialChars()

  168.     {

  169.         foreach ($this->jsSpecialChars as $key => $value) {

  170.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'js'), 'Failed to escape: '.$key);

  171.         }

  172.     }

  173. 

  174.     public function testJavascriptEscapingReturnsStringIfZeroLength()

  175.     {

  176.         $this->assertEquals('', twig_escape_filter($this->env, '', 'js'));

  177.     }

  178. 

  179.     public function testJavascriptEscapingReturnsStringIfContainsOnlyDigits()

  180.     {

  181.         $this->assertEquals('123', twig_escape_filter($this->env, '123', 'js'));

  182.     }

  183. 

  184.     public function testCssEscapingConvertsSpecialChars()

  185.     {

  186.         foreach ($this->cssSpecialChars as $key => $value) {

  187.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'css'), 'Failed to escape: '.$key);

  188.         }

  189.     }

  190. 

  191.     public function testCssEscapingReturnsStringIfZeroLength()

  192.     {

  193.         $this->assertEquals('', twig_escape_filter($this->env, '', 'css'));

  194.     }

  195. 

  196.     public function testCssEscapingReturnsStringIfContainsOnlyDigits()

  197.     {

  198.         $this->assertEquals('123', twig_escape_filter($this->env, '123', 'css'));

  199.     }

  200. 

  201.     public function testUrlEscapingConvertsSpecialChars()

  202.     {

  203.         foreach ($this->urlSpecialChars as $key => $value) {

  204.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'url'), 'Failed to escape: '.$key);

  205.         }

  206.     }

  207. 

  208.     /**

  209.      * Range tests to confirm escaped range of characters is within OWASP recommendation

  210.      */

  211. 

  212.     /**

  213.      * Only testing the first few 2 ranges on this prot. function as that's all these

  214.      * other range tests require

  215.      */

  216.     public function testUnicodeCodepointConversionToUtf8()

  217.     {

  218.         $expected = " ~ޙ";

  219.         $codepoints = array(0x20, 0x7e, 0x799);

  220.         $result = '';

  221.         foreach ($codepoints as $value) {

  222.             $result .= $this->codepointToUtf8($value);

  223.         }

  224.         $this->assertEquals($expected, $result);

  225.     }

  226. 

  227.     /**

  228.      * Convert a Unicode Codepoint to a literal UTF-8 character.

  229.      *

  230.      * @param int Unicode codepoint in hex notation

  231.      * @return string UTF-8 literal string

  232.      */

  233.     protected function codepointToUtf8($codepoint)

  234.     {

  235.         if ($codepoint < 0x80) {

  236.             return chr($codepoint);

  237.         }

  238.         if ($codepoint < 0x800) {

  239.             return chr($codepoint >> 6 & 0x3f | 0xc0)

  240.                 . chr($codepoint & 0x3f | 0x80);

  241.         }

  242.         if ($codepoint < 0x10000) {

  243.             return chr($codepoint >> 12 & 0x0f | 0xe0)

  244.                 . chr($codepoint >> 6 & 0x3f | 0x80)

  245.                 . chr($codepoint & 0x3f | 0x80);

  246.         }

  247.         if ($codepoint < 0x110000) {

  248.             return chr($codepoint >> 18 & 0x07 | 0xf0)

  249.                 . chr($codepoint >> 12 & 0x3f | 0x80)

  250.                 . chr($codepoint >> 6 & 0x3f | 0x80)

  251.                 . chr($codepoint & 0x3f | 0x80);

  252.         }

  253.         throw new Exception('Codepoint requested outside of Unicode range');

  254.     }

  255. 

  256.     public function testJavascriptEscapingEscapesOwaspRecommendedRanges()

  257.     {

  258.         $immune = array(',', '.', '_'); // Exceptions to escaping ranges

  259.         for ($chr=0; $chr < 0xFF; $chr++) {

  260.             if ($chr >= 0x30 && $chr <= 0x39

  261.             || $chr >= 0x41 && $chr <= 0x5A

  262.             || $chr >= 0x61 && $chr <= 0x7A) {

  263.                 $literal = $this->codepointToUtf8($chr);

  264.                 $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'js'));

  265.             } else {

  266.                 $literal = $this->codepointToUtf8($chr);

  267.                 if (in_array($literal, $immune)) {

  268.                     $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'js'));

  269.                 } else {

  270.                     $this->assertNotEquals(

  271.                         $literal,

  272.                         twig_escape_filter($this->env, $literal, 'js'),

  273.                         "$literal should be escaped!");

  274.                 }

  275.             }

  276.         }

  277.     }

  278. 

  279.     public function testHtmlAttributeEscapingEscapesOwaspRecommendedRanges()

  280.     {

  281.         $immune = array(',', '.', '-', '_'); // Exceptions to escaping ranges

  282.         for ($chr=0; $chr < 0xFF; $chr++) {

  283.             if ($chr >= 0x30 && $chr <= 0x39

  284.             || $chr >= 0x41 && $chr <= 0x5A

  285.             || $chr >= 0x61 && $chr <= 0x7A) {

  286.                 $literal = $this->codepointToUtf8($chr);

  287.                 $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'html_attr'));

  288.             } else {

  289.                 $literal = $this->codepointToUtf8($chr);

  290.                 if (in_array($literal, $immune)) {

  291.                     $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'html_attr'));

  292.                 } else {

  293.                     $this->assertNotEquals(

  294.                         $literal,

  295.                         twig_escape_filter($this->env, $literal, 'html_attr'),

  296.                         "$literal should be escaped!");

  297.                 }

  298.             }

  299.         }

  300.     }

  301. 

  302.     public function testCssEscapingEscapesOwaspRecommendedRanges()

  303.     {

  304.         $immune = array(); // CSS has no exceptions to escaping ranges

  305.         for ($chr=0; $chr < 0xFF; $chr++) {

  306.             if ($chr >= 0x30 && $chr <= 0x39

  307.             || $chr >= 0x41 && $chr <= 0x5A

  308.             || $chr >= 0x61 && $chr <= 0x7A) {

  309.                 $literal = $this->codepointToUtf8($chr);

  310.                 $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'css'));

  311.             } else {

  312.                 $literal = $this->codepointToUtf8($chr);

  313.                 $this->assertNotEquals(

  314.                     $literal,

  315.                     twig_escape_filter($this->env, $literal, 'css'),

  316.                     "$literal should be escaped!");

  317.             }

  318.         }

  319.     }

  320. }