1 // Copyright (c) 2011, Mike Samuel 2 // All rights reserved. 3 // 4 // Redistribution and use in source and binary forms, with or without 5 // modification, are permitted provided that the following conditions 6 // are met: 7 // 8 // Redistributions of source code must retain the above copyright 9 // notice, this list of conditions and the following disclaimer. 10 // Redistributions in binary form must reproduce the above copyright 11 // notice, this list of conditions and the following disclaimer in the 12 // documentation and/or other materials provided with the distribution. 13 // Neither the name of the OWASP nor the names of its contributors may 14 // be used to endorse or promote products derived from this software 15 // without specific prior written permission. 16 // THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS 17 // "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT 18 // LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS 19 // FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE 20 // COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, 21 // INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, 22 // BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 23 // LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER 24 // CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 25 // LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN 26 // ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE 27 // POSSIBILITY OF SUCH DAMAGE. 
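package org.owasp.html;

import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.InputStream;
import java.io.PrintStream;
import java.io.UnsupportedEncodingException;
import java.lang.reflect.InvocationTargetException;
import java.lang.reflect.Method;

import org.junit.Test;
import org.owasp.html.examples.EbayPolicyExample;

import junit.framework.TestCase;

/**
 * Smoke tests for the bundled example programs and for the
 * {@link EbayPolicyExample} policy.
 *
 * <p>{@link #testExamplesRun} runs the {@code main} of every class listed in
 * {@code AllExamples.CLASSES} with an empty stdin and with stdout/stderr
 * captured, then restores the real streams. The remaining tests pin down that
 * the example policy drops active content (a {@code <script>} element and an
 * {@code onclick} handler attribute) and rewrites links with
 * {@code rel="nofollow"}.
 */
public class ExamplesTest extends TestCase {

  // NOTE(review): @Test is a JUnit 4 annotation, but this class is a JUnit 3
  // TestCase whose methods are discovered by their test* names, so the
  // annotation is redundant under a JUnit 3 runner. Kept as in the original.
  @Test
  public static final void testExamplesRun() throws Exception {
    // Saved so the streams can be restored (and so failure diagnostics can be
    // written to the real stderr rather than the capturing stream).
    InputStream stdin = System.in;
    PrintStream stdout = System.out;
    PrintStream stderr = System.err;
    for (Class<?> exampleClass : AllExamples.CLASSES) {
      InputStream emptyIn = new ByteArrayInputStream(new byte[0]);
      ByteArrayOutputStream captured = new ByteArrayOutputStream();
      PrintStream capturingOut = new PrintStream(captured, true, "UTF-8");
      System.setIn(emptyIn);
      System.setOut(capturingOut);
      System.setErr(capturingOut);
      try {
        Method main = exampleClass.getDeclaredMethod("main", String[].class);
        // Invoke with no arguments to sanitize the (empty) input stream to
        // the captured output.
        main.invoke(null, new Object[] { new String[0] });
      } catch (InvocationTargetException ex) {
        // The example itself threw. Report what it printed so far and
        // surface the underlying cause instead of the reflection wrapper.
        reportFailure(stderr, exampleClass, capturingOut, captured);
        Throwable cause = ex.getCause();
        if (cause instanceof Exception) {
          throw (Exception) cause;
        }
        if (cause instanceof Error) {
          throw (Error) cause;
        }
        throw ex;
      } catch (Exception ex) {
        // No usable main, illegal access, etc.
        reportFailure(stderr, exampleClass, capturingOut, captured);
        throw ex;
      } finally {
        System.setIn(stdin);
        System.setOut(stdout);
        System.setErr(stderr);
        capturingOut.close();
      }
    }
  }

  /**
   * Prints an example's captured output to the real stderr.
   *
   * <p>This must take the saved stream explicitly: at the point of failure
   * {@code System.err} is still the capturing stream, so printing to it would
   * bury the diagnostic in the buffer that is about to be discarded.
   *
   * @param realErr the stderr saved before redirection
   * @param exampleClass the example that failed
   * @param capturingOut the stream the example wrote to; flushed first
   * @param captured the buffer behind {@code capturingOut}
   * @throws UnsupportedEncodingException never in practice; UTF-8 is always
   *     supported, but the decoding API declares it
   */
  private static void reportFailure(
      PrintStream realErr, Class<?> exampleClass,
      PrintStream capturingOut, ByteArrayOutputStream captured)
      throws UnsupportedEncodingException {
    capturingOut.flush();
    realErr.println(
        "Example " + exampleClass.getSimpleName() + "\n"
        + captured.toString("UTF-8"));
  }

  /** A {@code <script>} element is removed entirely, including its body. */
  @Test
  public static final void testSanitizeRemovesScripts() {
    String input =
        "<p>Hello World</p>"
        + "<script language=\"text/javascript\">alert(\"bad\");</script>";
    String sanitized = EbayPolicyExample.POLICY_DEFINITION.sanitize(input);
    assertEquals("<p>Hello World</p>", sanitized);
  }

  /**
   * An {@code onclick} handler is dropped even when the attribute value is
   * malformed: the unescaped inner quotes end the value early and leave
   * trailing junk in the tag, none of which may survive sanitization.
   */
  @Test
  public static final void testSanitizeRemovesOnclick() {
    String input = "<p onclick=\"alert(\"bad\");\">Hello World</p>";
    String sanitized = EbayPolicyExample.POLICY_DEFINITION.sanitize(input);
    assertEquals("<p>Hello World</p>", sanitized);
  }

  /**
   * A relative {@code href} and the link text are kept; the policy adds
   * {@code rel="nofollow"} to the anchor.
   */
  @Test
  public static final void testTextAllowedInLinks() {
    String input = "<a href=\"../good.html\">click here</a>";
    String sanitized = EbayPolicyExample.POLICY_DEFINITION.sanitize(input);
    assertEquals("<a href=\"../good.html\" rel=\"nofollow\">click here</a>",
                 sanitized);
  }
}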