      1 // Copyright (c) 2011, Mike Samuel
      2 // All rights reserved.
      3 //
      4 // Redistribution and use in source and binary forms, with or without
      5 // modification, are permitted provided that the following conditions
      6 // are met:
      7 //
      8 // Redistributions of source code must retain the above copyright
      9 // notice, this list of conditions and the following disclaimer.
     10 // Redistributions in binary form must reproduce the above copyright
     11 // notice, this list of conditions and the following disclaimer in the
     12 // documentation and/or other materials provided with the distribution.
     13 // Neither the name of the OWASP nor the names of its contributors may
     14 // be used to endorse or promote products derived from this software
     15 // without specific prior written permission.
     16 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
     17 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
     18 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
     19 // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
     20 // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
     21 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
     22 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
     23 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
     24 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
     25 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
     26 // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
     27 // POSSIBILITY OF SUCH DAMAGE.
     28 
     29 package org.owasp.html;
     30 
     31 import org.junit.Test;
     32 
     33 import junit.framework.TestCase;
     34 
public class HtmlChangeReporterTest extends TestCase {

  /**
   * Opaque per-sanitization context.  The test never inspects it; it only
   * checks that the very same instance handed to the reporter is the one
   * delivered to the listener on every callback.
   */
  static class Context {
    // Opaque test value compared via equality.
  }

  /**
   * Runs a small document mixing permitted and forbidden markup through an
   * {@link HtmlChangeReporter} and checks two things at once:
   * <ul>
   *   <li>the rendered output contains none of the dropped content, and</li>
   *   <li>the listener was told, in document order, which element and
   *       attribute names were discarded.</li>
   * </ul>
   * As the expected event log shows, names reach the listener lower-cased
   * ({@code <Script>} and {@code <PLAINTEXT>} are reported as
   * {@code script} and {@code plaintext}) and, per the listener signature,
   * only attribute <em>names</em> are reported, never their values — so the
   * {@code alert(42)} handler body never appears in the log either.
   */
  @Test
  public static final void testChangeReporting() {
    final Context expectedContext = new Context();

    StringBuilder rendered = new StringBuilder();
    final StringBuilder events = new StringBuilder();
    HtmlStreamRenderer renderer = HtmlStreamRenderer.create(
        rendered, Handler.DO_NOTHING);

    // Records each notification and verifies that the reporter forwards the
    // exact context instance it was constructed with.
    HtmlChangeListener<Context> recorder = new HtmlChangeListener<Context>() {
      public void discardedTag(Context context, String elementName) {
        assertSame(expectedContext, context);
        events.append('<').append(elementName).append("> ");
      }

      public void discardedAttributes(
          Context context, String tagName, String... attributeNames) {
        assertSame(expectedContext, context);
        StringBuilder entry = new StringBuilder().append('<').append(tagName);
        for (String attributeName : attributeNames) {
          entry.append(' ').append(attributeName);
        }
        events.append(entry).append("> ");
      }
    };

    HtmlChangeReporter<Context> reporter = new HtmlChangeReporter<Context>(
        renderer, recorder, expectedContext);
    // The assertions below imply that FORMATTING keeps <b> but strips its
    // onclick attribute, and drops <textarea>, <script> and <plaintext>
    // outright.
    reporter.setPolicy(
        Sanitizers.FORMATTING.apply(reporter.getWrappedRenderer()));

    String input =
        "<textarea>Hello</textarea>,"
        + "<b onclick=alert(42)>World</B>!"
        + "<Script type=text/javascript>doEvil()</script>"
        + "<PLAINTEXT>";
    HtmlSanitizer.sanitize(input, reporter.getWrappedPolicy());

    // The text inside <textarea> survives as plain text; the script body and
    // the event handler are absent from the output.
    assertEquals("Hello,<b>World</b>!", rendered.toString());
    // One event per discarded tag, attribute names grouped under their tag,
    // all in document order.
    assertEquals(
        "<textarea> <b onclick> <script> <plaintext> ", events.toString());
  }
}