1 // Copyright (c) 2011, Mike Samuel 2 // All rights reserved. 3 // 4 // Redistribution and use in source and binary forms, with or without 5 // modification, are permitted provided that the following conditions 6 // are met: 7 // 8 // Redistributions of source code must retain the above copyright 9 // notice, this list of conditions and the following disclaimer. 10 // Redistributions in binary form must reproduce the above copyright 11 // notice, this list of conditions and the following disclaimer in the 12 // documentation and/or other materials provided with the distribution. 13 // Neither the name of the OWASP nor the names of its contributors may 14 // be used to endorse or promote products derived from this software 15 // without specific prior written permission. 16 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19 // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20 // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26 // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 // POSSIBILITY OF SUCH DAMAGE. 28 29 package org.owasp.html; 30 31 import org.junit.Test; 32 33 import junit.framework.TestCase; 34 35 public class HtmlChangeReporterTest extends TestCase { 36 37 static class Context { 38 // Opaque test value compared via equality. 39 } 40 41 @Test 42 public static final void testChangeReporting() { 43 final Context testContext = new Context(); 44 45 StringBuilder out = new StringBuilder(); 46 final StringBuilder log = new StringBuilder(); 47 HtmlStreamRenderer renderer = HtmlStreamRenderer.create( 48 out, Handler.DO_NOTHING); 49 HtmlChangeListener<Context> listener = new HtmlChangeListener<Context>() { 50 public void discardedTag(Context context, String elementName) { 51 assertSame(testContext, context); 52 log.append('<').append(elementName).append("> "); 53 } 54 55 public void discardedAttributes( 56 Context context, String tagName, String... attributeNames) { 57 assertSame(testContext, context); 58 log.append('<').append(tagName); 59 for (String attributeName : attributeNames) { 60 log.append(' ').append(attributeName); 61 } 62 log.append("> "); 63 } 64 }; 65 HtmlChangeReporter<Context> hcr = new HtmlChangeReporter<Context>( 66 renderer, listener, testContext); 67 68 hcr.setPolicy(Sanitizers.FORMATTING.apply(hcr.getWrappedRenderer())); 69 String html = 70 "<textarea>Hello</textarea>,<b onclick=alert(42)>World</B>!" 71 + "<Script type=text/javascript>doEvil()</script><PLAINTEXT>"; 72 HtmlSanitizer.sanitize( 73 html, 74 hcr.getWrappedPolicy()); 75 assertEquals("Hello,<b>World</b>!", out.toString()); 76 assertEquals( 77 "<textarea> <b onclick> <script> <plaintext> ", log.toString()); 78 } 79 } 80