
/test/reference/EncoderTest.php

http://owasp-esapi-php.googlecode.com/
Possible License(s): BSD-3-Clause, Apache-2.0


  1. <?php
  2. /**
  3. * OWASP Enterprise Security API (ESAPI)
  4. *
  5. * This file is part of the Open Web Application Security Project (OWASP)
  6. * Enterprise Security API (ESAPI) project. For details, please see
  7. * <a href="http://www.owasp.org/index.php/ESAPI">http://www.owasp.org/index.php/ESAPI</a>.
  8. *
  9. * Copyright (c) 2007 - 2009 The OWASP Foundation
  10. *
  11. * The ESAPI is published by OWASP under the BSD license. You should read and accept the
  12. * LICENSE before you use, modify, and/or redistribute this software.
  13. *
  14. * @author Andrew van der Stock (vanderaj @ owasp.org)
  15. * @created 2009
  16. */
  17. /**
  18. *
  19. */
  20. require_once dirname(__FILE__).'/../../src/ESAPI.php';
  21. require_once dirname(__FILE__).'/../../src/reference/DefaultEncoder.php';
  22. require_once dirname(__FILE__).'/../../src/codecs/MySQLCodec.php';
  23. require_once dirname(__FILE__).'/../../src/codecs/OracleCodec.php';
  24. require_once dirname(__FILE__).'/../../src/codecs/UnixCodec.php';
  25. require_once dirname(__FILE__).'/../../src/codecs/WindowsCodec.php';
  26. /**
  27. * Tests of DefaultEncoder methods.
  28. *
  29. * @author jah (at jaboite.co.uk)
  30. * @since 1.6
  31. */
  32. class EncoderTest extends PHPUnit_Framework_TestCase
  33. {
  34. private $encoderInstance = null;
  35. function setUp()
  36. {
  37. global $ESAPI;
  38. if ( !isset($ESAPI))
  39. {
  40. $ESAPI = new ESAPI(dirname(__FILE__).'/../testresources/ESAPI.xml');
  41. }
  42. $codecArray = array();
  43. array_push( $codecArray, new HTMLEntityCodec() );
  44. array_push( $codecArray, new PercentCodec() );
  45. $this->encoderInstance = new DefaultEncoder( $codecArray );
  46. }
  47. function tearDown()
  48. {
  49. // NoOp
  50. }
  51. /*
  52. * Test for exception thrown when DefaultEncoder is constructed with an array
  53. * containing an object other than a Codec instance.
  54. */
  55. function testDefaultEncoderException() {
  56. $codecList = array();
  57. array_push( $codecList, new HTMLEntityCodec() );
  58. array_push( $codecList, new Exception() ); // any class except a codec will suffice.
  59. $this->setExpectedException('InvalidArgumentException');
  60. $instance = new DefaultEncoder( $codecList );
  61. }
  62. /*
  63. * Test of canonicalize method of class Encoder.
  64. *
  65. * @throws EncodingException
  66. */
  67. function testCanonicalize_001() {
  68. // This block sets-up the encoder for subsequent canonicalize tests
  69. $codecArray = array();
  70. array_push( $codecArray, new HTMLEntityCodec() );
  71. array_push( $codecArray, new PercentCodec() );
  72. $this->encoderInstance = new DefaultEncoder( $codecArray );
  73. $this->assertEquals( null, $this->encoderInstance->canonicalize(null));
  74. }
  75. function testCanonicalize_002() {
  76. $this->assertEquals( null, $this->encoderInstance->canonicalize(null, true));
  77. }
  78. function testCanonicalize_003() {
  79. $this->assertEquals( null, $this->encoderInstance->canonicalize(null, false));
  80. }
  81. function testCanonicalize_004() {
  82. $this->assertEquals( "%", $this->encoderInstance->canonicalize("%25", true));
  83. }
  84. function testCanonicalize_005() {
  85. $this->assertEquals( "%", $this->encoderInstance->canonicalize("%25", false));
  86. }
  87. function testCanonicalize_006() {
  88. $this->assertEquals( "%", $this->encoderInstance->canonicalize("%25"));
  89. }
  90. function testCanonicalize_007() {
  91. $this->assertEquals( "%F", $this->encoderInstance->canonicalize("%25F"));
  92. }
  93. function testCanonicalize_008() {
  94. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%3c"));
  95. }
  96. function testCanonicalize_009() {
  97. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%3C"));
  98. }
  99. function testCanonicalize_010() {
  100. $this->assertEquals( "%X1", $this->encoderInstance->canonicalize("%X1"));
  101. }
  102. function testCanonicalize_011() {
  103. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&lt"));
  104. }
  105. function testCanonicalize_012() {
  106. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&LT"));
  107. }
  108. function testCanonicalize_013() {
  109. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&lt;"));
  110. }
  111. function testCanonicalize_014() {
  112. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&LT;"));
  113. }
  114. function testCanonicalize_015() {
  115. $this->assertEquals( "%", $this->encoderInstance->canonicalize("&#37;"));
  116. }
  117. function testCanonicalize_016() {
  118. $this->assertEquals( "%", $this->encoderInstance->canonicalize("&#37"));
  119. }
  120. function testCanonicalize_017() {
  121. $this->assertEquals( "%b", $this->encoderInstance->canonicalize("&#37b"));
  122. }
  123. function testCanonicalize_018() {
  124. $this->assertEquals( "%b", $this->encoderInstance->canonicalize("&#37;b"));
  125. }
  126. function testCanonicalize_019() {
  127. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x3c"));
  128. }
  129. function testCanonicalize_020() {
  130. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x3c;"));
  131. }
  132. function testCanonicalize_021() {
  133. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x3C"));
  134. }
  135. function testCanonicalize_022() {
  136. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X3c"));
  137. }
  138. function testCanonicalize_023() {
  139. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X3C"));
  140. }
  141. function testCanonicalize_024() {
  142. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X3C;"));
  143. }
  144. // percent encoding
  145. function testCanonicalize_025() {
  146. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%3c"));
  147. }
  148. function testCanonicalize_026() {
  149. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%3C"));
  150. }
  151. // html entity encoding
  152. function testCanonicalize_027() {
  153. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#60"));
  154. }
  155. function testCanonicalize_028() {
  156. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#060"));
  157. }
  158. function testCanonicalize_029() {
  159. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#0060"));
  160. }
  161. function testCanonicalize_030() {
  162. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#00060"));
  163. }
  164. function testCanonicalize_031() {
  165. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#000060"));
  166. }
  167. function testCanonicalize_032() {
  168. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#0000060"));
  169. }
  170. function testCanonicalize_033() {
  171. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#60;"));
  172. }
  173. function testCanonicalize_034() {
  174. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#060;"));
  175. }
  176. function testCanonicalize_035() {
  177. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#0060;"));
  178. }
  179. function testCanonicalize_036() {
  180. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#00060;"));
  181. }
  182. function testCanonicalize_037() {
  183. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#000060;"));
  184. }
  185. function testCanonicalize_038() {
  186. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#0000060;"));
  187. }
  188. function testCanonicalize_039() {
  189. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x3c"));
  190. }
  191. function testCanonicalize_040() {
  192. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x03c"));
  193. }
  194. function testCanonicalize_041() {
  195. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x003c"));
  196. }
  197. function testCanonicalize_042() {
  198. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x0003c"));
  199. }
  200. function testCanonicalize_043() {
  201. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x00003c"));
  202. }
  203. function testCanonicalize_044() {
  204. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x000003c"));
  205. }
  206. function testCanonicalize_045() {
  207. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x3c;"));
  208. }
  209. function testCanonicalize_046() {
  210. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x03c;"));
  211. }
  212. function testCanonicalize_047() {
  213. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x003c;"));
  214. }
  215. function testCanonicalize_048() {
  216. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x0003c;"));
  217. }
  218. function testCanonicalize_049() {
  219. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x00003c;"));
  220. }
  221. function testCanonicalize_050() {
  222. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x000003c;"));
  223. }
  224. function testCanonicalize_051() {
  225. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X3c"));
  226. }
  227. function testCanonicalize_052() {
  228. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X03c"));
  229. }
  230. function testCanonicalize_053() {
  231. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X003c"));
  232. }
  233. function testCanonicalize_054() {
  234. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X0003c"));
  235. }
  236. function testCanonicalize_055() {
  237. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X00003c"));
  238. }
  239. function testCanonicalize_056() {
  240. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X000003c"));
  241. }
  242. function testCanonicalize_057() {
  243. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X3c;"));
  244. }
  245. function testCanonicalize_058() {
  246. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X03c;"));
  247. }
  248. function testCanonicalize_059() {
  249. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X003c;"));
  250. }
  251. function testCanonicalize_060() {
  252. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X0003c;"));
  253. }
  254. function testCanonicalize_061() {
  255. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X00003c;"));
  256. }
  257. function testCanonicalize_062() {
  258. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X000003c;"));
  259. }
  260. function testCanonicalize_063() {
  261. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x3C"));
  262. }
  263. function testCanonicalize_064() {
  264. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x03C"));
  265. }
  266. function testCanonicalize_065() {
  267. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x003C"));
  268. }
  269. function testCanonicalize_066() {
  270. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x0003C"));
  271. }
  272. function testCanonicalize_067() {
  273. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x00003C"));
  274. }
  275. function testCanonicalize_068() {
  276. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x000003C"));
  277. }
  278. function testCanonicalize_069() {
  279. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x3C;"));
  280. }
  281. function testCanonicalize_070() {
  282. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x03C;"));
  283. }
  284. function testCanonicalize_071() {
  285. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x003C;"));
  286. }
  287. function testCanonicalize_072() {
  288. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x0003C;"));
  289. }
  290. function testCanonicalize_073() {
  291. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x00003C;"));
  292. }
  293. function testCanonicalize_074() {
  294. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x000003C;"));
  295. }
  296. function testCanonicalize_075() {
  297. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X3C"));
  298. }
  299. function testCanonicalize_076() {
  300. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X03C"));
  301. }
  302. function testCanonicalize_077() {
  303. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X003C"));
  304. }
  305. function testCanonicalize_078() {
  306. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X0003C"));
  307. }
  308. function testCanonicalize_079() {
  309. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X00003C"));
  310. }
  311. function testCanonicalize_080() {
  312. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X000003C"));
  313. }
  314. function testCanonicalize_081() {
  315. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X3C;"));
  316. }
  317. function testCanonicalize_082() {
  318. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X03C;"));
  319. }
  320. function testCanonicalize_083() {
  321. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X003C;"));
  322. }
  323. function testCanonicalize_084() {
  324. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X0003C;"));
  325. }
  326. function testCanonicalize_085() {
  327. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X00003C;"));
  328. }
  329. function testCanonicalize_086() {
  330. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#X000003C;"));
  331. }
  332. function testCanonicalize_087() {
  333. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&lt"));
  334. }
  335. function testCanonicalize_088() {
  336. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&lT"));
  337. }
  338. function testCanonicalize_089() {
  339. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&Lt"));
  340. }
  341. function testCanonicalize_090() {
  342. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&LT"));
  343. }
  344. function testCanonicalize_091() {
  345. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&lt;"));
  346. }
  347. function testCanonicalize_092() {
  348. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&lT;"));
  349. }
  350. function testCanonicalize_093() {
  351. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&Lt;"));
  352. }
  353. function testCanonicalize_094() {
  354. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&LT;"));
  355. }
  356. function testCanonicalize_095() {
  357. $this->assertEquals( "<script>alert(\"hello\");</script>",
  358. $this->encoderInstance->canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") );
  359. }
  360. function testCanonicalize_096() {
  361. $this->assertEquals( "<script>alert(\"hello\");</script>",
  362. $this->encoderInstance->canonicalize("%3Cscript&#x3E;alert%28%22hello&#34%29%3B%3C%2Fscript%3E", false) );
  363. }
  364. // javascript escape syntax
  365. function testCanonicalize_097() {
  366. $this->encoderInstance = null;
  367. $this->encoderInstance = new DefaultEncoder( array(new JavaScriptCodec()) );
  368. $this->assertEquals( "\0", $this->encoderInstance->canonicalize("\\0"));
  369. }
  370. function testCanonicalize_098() {
  371. $this->assertEquals( "".chr(0x08), $this->encoderInstance->canonicalize("\\b"));
  372. }
  373. function testCanonicalize_099() {
  374. $this->assertEquals( "\t", $this->encoderInstance->canonicalize("\\t"));
  375. }
  376. function testCanonicalize_100() {
  377. $this->assertEquals( "\n", $this->encoderInstance->canonicalize("\\n"));
  378. }
  379. function testCanonicalize_101() {
  380. $this->assertEquals( "".chr(0x0b), $this->encoderInstance->canonicalize("\\v"));
  381. }
  382. function testCanonicalize_102() {
  383. $this->assertEquals( "".chr(0x0c), $this->encoderInstance->canonicalize("\\f"));
  384. }
  385. function testCanonicalize_103() {
  386. $this->assertEquals( "\r", $this->encoderInstance->canonicalize("\\r"));
  387. }
  388. function testCanonicalize_104() {
  389. $this->assertEquals( "'", $this->encoderInstance->canonicalize("\\'"));
  390. }
  391. function testCanonicalize_105() {
  392. $this->assertEquals( "\"", $this->encoderInstance->canonicalize("\\\""));
  393. }
  394. function testCanonicalize_106() {
  395. $this->assertEquals( "\\", $this->encoderInstance->canonicalize("\\\\"));
  396. }
  397. function testCanonicalize_107() {
  398. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\<"));
  399. }
  400. function testCanonicalize_108() {
  401. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\u003c"));
  402. }
  403. function testCanonicalize_109() {
  404. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\U003c"));
  405. }
  406. function testCanonicalize_110() {
  407. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\u003C"));
  408. }
  409. function testCanonicalize_111() {
  410. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\U003C"));
  411. }
  412. function testCanonicalize_112() {
  413. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\x3c"));
  414. }
  415. function testCanonicalize_113() {
  416. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\X3c"));
  417. }
  418. function testCanonicalize_114() {
  419. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\x3C"));
  420. }
  421. function testCanonicalize_115() {
  422. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\X3C"));
  423. }
  424. // css escape syntax
  425. function testCanonicalize_116() {
  426. $this->encoderInstance = null;
  427. $this->encoderInstance = new DefaultEncoder( array(new CSSCodec()) );
  428. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\3c"));
  429. }
  430. function testCanonicalize_117() {
  431. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\03c"));
  432. }
  433. function testCanonicalize_118() {
  434. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\003c"));
  435. }
  436. function testCanonicalize_119() {
  437. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\0003c"));
  438. }
  439. function testCanonicalize_120() {
  440. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\00003c"));
  441. }
  442. function testCanonicalize_121() {
  443. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\3C"));
  444. }
  445. function testCanonicalize_122() {
  446. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\03C"));
  447. }
  448. function testCanonicalize_123() {
  449. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\003C"));
  450. }
  451. function testCanonicalize_124() {
  452. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\0003C"));
  453. }
  454. function testCanonicalize_125() {
  455. $this->assertEquals( "<", $this->encoderInstance->canonicalize("\\00003C"));
  456. }
  457. // note these examples use the strict=false flag on canonicalize to allow
  458. // full decoding without throwing an IntrusionException. Generally, you
  459. // should use strict mode as allowing double-encoding is an abomination.
  460. // double encoding examples
  461. function testDoubleEncodingCanonicalization_01()
  462. {
  463. $this->encoderInstance = ESAPI::getEncoder();
  464. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&#x26;lt&#59", false )); //double entity
  465. }
  466. function testDoubleEncodingCanonicalization_02()
  467. {
  468. $this->assertEquals( "\\", $this->encoderInstance->canonicalize("%255c", false)); //double percent
  469. }
  470. function testDoubleEncodingCanonicalization_03()
  471. {
  472. $this->assertEquals( "%", $this->encoderInstance->canonicalize("%2525", false)); //double percent
  473. }
  474. // double encoding with multiple schemes example
  475. function testDoubleEncodingCanonicalization_04()
  476. {
  477. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%26lt%3b", false)); //first entity, then percent
  478. }
  479. function testDoubleEncodingCanonicalization_05()
  480. {
  481. $this->assertEquals( "&", $this->encoderInstance->canonicalize("&#x25;26", false)); //first percent, then entity
  482. }
  483. // nested encoding examples
  484. function testDoubleEncodingCanonicalization_06()
  485. {
  486. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%253c", false)); //nested encode % with percent
  487. }
  488. function testDoubleEncodingCanonicalization_07()
  489. {
  490. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%%33%63", false)); //nested encode both nibbles with percent
  491. }
  492. function testDoubleEncodingCanonicalization_08()
  493. {
  494. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%%33c", false)); // nested encode first nibble with percent
  495. }
  496. function testDoubleEncodingCanonicalization_09()
  497. {
  498. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%3%63", false)); //nested encode second nibble with percent
  499. }
  500. function testDoubleEncodingCanonicalization_10()
  501. {
  502. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&&#108;t;", false)); //nested encode l with entity
  503. }
  504. function testDoubleEncodingCanonicalization_11()
  505. {
  506. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%2&#x35;3c", false)); //triple percent, percent, 5 with entity
  507. }
  508. // nested encoding with multiple schemes examples
  509. function testDoubleEncodingCanonicalization_12()
  510. {
  511. $this->assertEquals( "<", $this->encoderInstance->canonicalize("&%6ct;", false)); // nested encode l with percent
  512. }
  513. function testDoubleEncodingCanonicalization_13()
  514. {
  515. $this->assertEquals( "<", $this->encoderInstance->canonicalize("%&#x33;c", false)); //nested encode 3 with entity
  516. }
  517. // multiple encoding tests
  518. function testDoubleEncodingCanonicalization_14()
  519. {
  520. $this->assertEquals( "% & <script> <script>", $this->encoderInstance->canonicalize( "%25 %2526 %26#X3c;script&#x3e; &#37;3Cscript%25252525253e", false ) );
  521. }
  522. function testDoubleEncodingCanonicalization_15()
  523. {
  524. $this->assertEquals( "< < < < < < <", $this->encoderInstance->canonicalize( "%26lt; %26lt; &#X25;3c &#x25;3c %2526lt%253B %2526lt%253B %2526lt%253B", false ) );
  525. }
  526. // test strict mode with both mixed and multiple encoding
  527. function testDoubleEncodingCanonicalization_16()
  528. {
  529. $this->setExpectedException('IntrusionException');
  530. $this->encoderInstance->canonicalize('%26lt; %26lt; &#X25;3c &#x25;3c %2526lt%253B %2526lt%253B %2526lt%253B');
  531. }
  532. function testDoubleEncodingCanonicalization_17()
  533. {
  534. $this->setExpectedException('IntrusionException');
  535. $this->encoderInstance->canonicalize('%253Cscript');
  536. }
  537. function testDoubleEncodingCanonicalization_18()
  538. {
  539. $this->setExpectedException('IntrusionException');
  540. $this->encoderInstance->canonicalize('&#37;3Cscript');
  541. }
  542. /*
  543. * Test of encodeForHTML method of class Encoder.
  544. *
  545. * @throws Exception
  546. */
  547. function testEncodeForHTML_01() {
  548. $instance = ESAPI::getEncoder();
  549. $this->assertEquals(null, $instance->encodeForHTML(null));
  550. }
  551. function testEncodeForHTML_02() {
  552. $instance = ESAPI::getEncoder();
  553. // test invalid characters are replaced with spaces
  554. $this->assertEquals("a b c d e f&#x9;g", $instance->encodeForHTML("a".(chr(0))."b".(chr(4))."c".(chr(128))."d".(chr(150))."e".(chr(159))."f".(chr(9))."g"));
  555. }
  556. function testEncodeForHTML_03() {
  557. $instance = ESAPI::getEncoder();
  558. $this->assertEquals("a b c d e f&#x9;g h i j&nbsp;k&iexcl;l&cent;m", $instance->encodeForHTML("a".(chr(0))."b".(chr(4))."c".(chr(128))."d".(chr(150))."e".(chr(159))."f".(chr(9))."g".(chr(127))."h".(chr(129))."i".(chr(159))."j".(chr(160))."k".(chr(161))."l".(chr(162))."m"));
  559. }
  560. function testEncodeForHTML_04() {
  561. $instance = ESAPI::getEncoder();
  562. $this->assertEquals("&lt;script&gt;", $instance->encodeForHTML("<script>"));
  563. }
  564. function testEncodeForHTML_05() {
  565. $instance = ESAPI::getEncoder();
  566. $this->assertEquals("&amp;lt&#x3b;script&amp;gt&#x3b;", $instance->encodeForHTML("&lt;script&gt;"));
  567. }
  568. function testEncodeForHTML_06() {
  569. $instance = ESAPI::getEncoder();
  570. $this->assertEquals("&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;", $instance->encodeForHTML("!@$%()=+{}[]"));
  571. }
  572. function testEncodeForHTML_07() {
  573. $instance = ESAPI::getEncoder();
  574. $this->assertEquals("&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;", $instance->encodeForHTML($instance->canonicalize("&#33;&#64;&#36;&#37;&#40;&#41;&#61;&#43;&#123;&#125;&#91;&#93;", false)));
  575. }
  576. function testEncodeForHTML_08() {
  577. $instance = ESAPI::getEncoder();
  578. $this->assertEquals(",.-_ ", $instance->encodeForHTML(",.-_ "));
  579. }
  580. function testEncodeForHTML_09() {
  581. $instance = ESAPI::getEncoder();
  582. $this->assertEquals("dir&amp;", $instance->encodeForHTML("dir&"));
  583. }
  584. function testEncodeForHTML_10() {
  585. $instance = ESAPI::getEncoder();
  586. $this->assertEquals("one&amp;two", $instance->encodeForHTML("one&two"));
  587. }
  588. function testEncodeForHTML_11() {
  589. $instance = ESAPI::getEncoder();
  590. $this->assertEquals("".(chr(12345)).(chr(65533)).(chr(1244)), "".(chr(12345)).(chr(65533)).(chr(1244)) );
  591. }
  592. /*
  593. * Test of encodeForHTMLAttribute method of class Encoder.
  594. */
  595. function testEncodeForHTMLAttribute_01() {
  596. $instance = ESAPI::getEncoder();
  597. $this->assertEquals(null, $instance->encodeForHTMLAttribute(null));
  598. }
  599. function testEncodeForHTMLAttribute_02() {
  600. $instance = ESAPI::getEncoder();
  601. $this->assertEquals("&lt;script&gt;", $instance->encodeForHTMLAttribute("<script>"));
  602. }
  603. function testEncodeForHTMLAttribute_03() {
  604. $instance = ESAPI::getEncoder();
  605. $this->assertEquals(",.-_", $instance->encodeForHTMLAttribute(",.-_"));
  606. }
  607. function testEncodeForHTMLAttribute_04() {
  608. $instance = ESAPI::getEncoder();
  609. $this->assertEquals("&#x20;&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;", $instance->encodeForHTMLAttribute(" !@$%()=+{}[]"));
  610. }
  611. /*
  612. * Test of encodeForCSS method of class Encoder.
  613. */
  614. function testEncodeForCSS_01() {
  615. $instance = ESAPI::getEncoder();
  616. $this->assertEquals(null, $instance->encodeForCSS(null));
  617. }
  618. function testEncodeForCSS_02() {
  619. $instance = ESAPI::getEncoder();
  620. $this->assertEquals("\\3c script\\3e ", $instance->encodeForCSS("<script>"));
  621. }
  622. function testEncodeForCSS_03() {
  623. $instance = ESAPI::getEncoder();
  624. $this->assertEquals("\\21 \\40 \\24 \\25 \\28 \\29 \\3d \\2b \\7b \\7d \\5b \\5d ", $instance->encodeForCSS("!@$%()=+{}[]"));
  625. }
  626. /*
  627. * Test of encodeForJavaScript method of class Encoder.
  628. * Note that JavaScriptCodec is closer to ESAPI 2 for Java and so these
  629. * tests are taken from that version.
  630. */
  631. function testEncodeForJavascript_01() {
  632. $instance = ESAPI::getEncoder();
  633. $this->assertEquals(null, $instance->encodeForJavaScript(null));
  634. }
  635. function testEncodeForJavascript_02() {
  636. $instance = ESAPI::getEncoder();
  637. $this->assertEquals("\\x3Cscript\\x3E", $instance->encodeForJavaScript("<script>"));
  638. }
  639. function testEncodeForJavascript_03() {
  640. $instance = ESAPI::getEncoder();
  641. $this->assertEquals(",.\\x2D_\\x20", $instance->encodeForJavaScript(",.-_ "));
  642. }
  643. function testEncodeForJavascript_04() {
  644. $instance = ESAPI::getEncoder();
  645. $this->assertEquals("\\x21\\x40\\x24\\x25\\x28\\x29\\x3D\\x2B\\x7B\\x7D\\x5B\\x5D", $instance->encodeForJavaScript("!@$%()=+{}[]"));
  646. }
  647. function testEncodeForJavascript_05() {
  648. $instance = ESAPI::getEncoder();
  649. $this->assertEquals( "\\x00", $instance->encodeForJavaScript("\0"));
  650. }
  651. function testEncodeForJavascript_06() {
  652. $instance = ESAPI::getEncoder();
  653. $this->assertEquals( "\\x5C", $instance->encodeForJavaScript("\\"));
  654. }
  655. /*
  656. * Test of encodeForVBScript method of class Encoder.
  657. */
  658. function testEncodeForVBScript_01() {
  659. $instance = ESAPI::getEncoder();
  660. $this->assertEquals(null, $instance->encodeForVBScript(null));
  661. }
  662. function testEncodeForVBScript_02() {
  663. $instance = ESAPI::getEncoder();
  664. $this->assertEquals('""', $instance->encodeForVBScript('"'));
  665. }
  666. function testEncodeForVBScript_03() {
  667. $instance = ESAPI::getEncoder();
  668. $this->assertEquals('"<script">', $instance->encodeForVBScript('<script>'));
  669. }
  670. function testEncodeForVBScript_04() {
  671. $instance = ESAPI::getEncoder();
  672. $this->assertEquals(' "!"@"$"%"(")"="+"{"}"["]""', $instance->encodeForVBScript(' !@$%()=+{}[]"'));
  673. }
  674. /*
  675. * Test of encodeForXPath method of class Encoder.
  676. */
  677. function testEncodeForXPath_01() {
  678. $instance = ESAPI::getEncoder();
  679. $this->assertEquals(null, $instance->encodeForXPath(null));
  680. }
  681. function testEncodeForXPath_02() {
  682. $instance = ESAPI::getEncoder();
  683. $this->assertEquals("&#x27;or 1&#x3d;1", $instance->encodeForXPath("'or 1=1"));
  684. }
  685. /*
  686. * Test of encodeForSQL method of class Encoder.
  687. */
  688. function testEncodeForSQL_MySQL_ANSI_01() {
  689. $instance = ESAPI::getEncoder();
  690. $mysqlAnsiCodec = new MySQLCodec(MySQLCodec::MYSQL_ANSI);
  691. $this->assertEquals(null, $instance->encodeForSQL($mysqlAnsiCodec, null));
  692. }
  693. function testEncodeForSQL_MySQL_ANSI_02() {
  694. $instance = ESAPI::getEncoder();
  695. $mysqlAnsiCodec = new MySQLCodec(MySQLCodec::MYSQL_ANSI);
  696. $this->assertEquals("Jeff'' or ''1''=''1", $instance->encodeForSQL($mysqlAnsiCodec, "Jeff' or '1'='1"));
  697. }
  698. function testEncodeForSQL_MySQL_STD_01() {
  699. $instance = ESAPI::getEncoder();
  700. $mysqlStdCodec = new MySQLCodec(MySQLCodec::MYSQL_STD);
  701. $this->assertEquals(null, $instance->encodeForSQL($mysqlStdCodec, null));
  702. }
  function testEncodeForSQL_MySQL_STD_02() {
      // Standard mode backslash-escapes the quotes and, unlike ANSI mode,
      // also the equals sign.
      $encoder = ESAPI::getEncoder();
      $codec = new MySQLCodec(MySQLCodec::MYSQL_STD);
      $input = "Jeff' or '1'='1";
      $expected = "Jeff\\' or \\'1\\'\\=\\'1";
      $this->assertEquals($expected, $encoder->encodeForSQL($codec, $input));
  }
  function testEncodeForSQL_MySQL_STD_03() {
      // Control characters get MySQL's mnemonic escapes (\b \n \r \t \Z \0);
      // underscore, both quote kinds, backslash and percent are
      // backslash-prefixed. '_' and '%' matter because they are LIKE wildcards.
      $encoder = ESAPI::getEncoder();
      $codec = new MySQLCodec(MySQLCodec::MYSQL_STD);
      $input = "\x08 \x0a \x0d \x09 \x1a _ \" ' \\ \x00 \x25";
      $expected = "\\b \\n \\r \\t \\Z \\_ \\\" \\' \\\\ \\0 \\%";
      $this->assertEquals($expected, $encoder->encodeForSQL($codec, $input));
  }
  function testEncodeForSQL_Oracle01() {
      // null input stays null for the Oracle codec (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $codec = new OracleCodec();
      $result = $encoder->encodeForSQL($codec, null);
      $this->assertEquals(null, $result);
  }
  function testEncodeForSQL_Oracle02() {
      // Oracle escapes a single quote by doubling it, the same shape as MySQL ANSI mode.
      $encoder = ESAPI::getEncoder();
      $codec = new OracleCodec();
      $input = "Jeff' or '1'='1";
      $expected = "Jeff'' or ''1''=''1";
      $this->assertEquals($expected, $encoder->encodeForSQL($codec, $input));
  }
  723. /*
  724. * Test of encodeForLDAP method of class Encoder.
  725. */
  function testEncodeForLDAP_01() {
      // Pending: encodeForLDAP is not implemented in this port.
      // Intended expectation, ported from the Java suite:
      //   assertEquals(null, $encoder->encodeForLDAP(null))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForLDAP_02() {
      // Pending: encodeForLDAP is not implemented in this port.
      // Intended expectation ("No special characters to escape"), ported
      // from the Java suite with the arguments in PHPUnit order:
      //   assertEquals("Hi This is a test #??", $encoder->encodeForLDAP("Hi This is a test #??"))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForLDAP_03() {
      // Pending: encodeForLDAP is not implemented in this port.
      // Intended expectation ("Zeros"): a NUL byte is escaped as \00.
      // The Java input was "Hi \u0000"; in PHP that must be written "Hi \x00"
      // (PHP has no \u escape in double-quoted strings of this vintage).
      //   assertEquals("Hi \\00", $encoder->encodeForLDAP("Hi \x00"))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForLDAP_04() {
      // Pending: encodeForLDAP is not implemented in this port.
      // Intended expectation ("LDAP Christmas Tree"): the filter
      // metacharacters ( ) * \ become \28 \29 \2a \5c; '#', '?' and '=' are untouched.
      //   assertEquals("Hi \\28This\\29 = is \\2a a \\5c test # ? ? ?",
      //                $encoder->encodeForLDAP("Hi (This) = is * a \\ test # ? ? ?"))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  750. /*
  751. * Test of encodeForDN method of class Encoder.
  752. */
  function testEncodeForDN_01() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation: assertEquals(null, $encoder->encodeForDN(null))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForDN_02() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation ("No special characters to escape"):
      //   assertEquals("Hello?", $encoder->encodeForDN("Hello?"))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForDN_03() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation ("leading #"): a '#' at the start of a DN value
      // is backslash-escaped.
      //   assertEquals("\\# Hello?", $encoder->encodeForDN("# Hello?"))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForDN_04() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation ("leading space"):
      //   assertEquals("\\ Hello?", $encoder->encodeForDN(" Hello?"))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForDN_05() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation ("trailing space"):
      //   assertEquals("Hello?\\ ", $encoder->encodeForDN("Hello? "))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForDN_06() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation ("less than greater than"):
      //   assertEquals("Hello\\<\\>", $encoder->encodeForDN("Hello<>"))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForDN_07() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation ("only 3 spaces"): the Java input is three
      // spaces and the expected value is "\\  \\ " (leading and trailing
      // space escaped) — the whitespace appears collapsed in this listing,
      // so re-check the literals against the Java suite before enabling.
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  function testEncodeForDN_08() {
      // Pending: encodeForDN is not implemented in this port.
      // Intended expectation ("Christmas Tree DN"): leading/trailing space,
      // backslash, '+', ',', '"' and ';' are all backslash-escaped.
      //   assertEquals("\\ Hello\\\\ \\+ \\, \\\"World\\\" \\;\\ ",
      //                $encoder->encodeForDN(" Hello\\ + , \"World\" ; "))
      $reason = 'This test has not been implemented yet.';
      $this->markTestIncomplete($reason);
  }
  801. /*
  802. * Test of encodeForXML method of class Encoder.
  803. */
  function testEncodeForXML_null() {
      // null in, null out (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $result = $encoder->encodeForXML(null);
      $this->assertEquals(null, $result);
  }
  function testEncodeForXML_space() {
      // A space is not encoded in element content (contrast the attribute codec).
      $encoder = ESAPI::getEncoder();
      $space = ' ';
      $this->assertEquals($space, $encoder->encodeForXML($space));
  }
  function testEncodeForXML_scripttag() {
      // Angle brackets become the named entities, so the tag cannot be parsed as markup.
      $encoder = ESAPI::getEncoder();
      $input = '<script>';
      $this->assertEquals('&lt;script&gt;', $encoder->encodeForXML($input));
  }
  function testEncodeForXML_immune() {
      // Comma, period, hyphen and underscore are on the immune list and pass through.
      $encoder = ESAPI::getEncoder();
      $immune = ',.-_';
      $this->assertEquals($immune, $encoder->encodeForXML($immune));
  }
  function testEncodeForXML_symbols() {
      // Every other punctuation character becomes a hex character reference.
      $encoder = ESAPI::getEncoder();
      $input = '!@$%()=+{}[]';
      $expected = '&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;';
      $this->assertEquals($expected, $encoder->encodeForXML($input));
  }
  function testEncodeForXML_pound() {
      // A single high byte (0xA3, the pound sign in Latin-1) is emitted as
      // the hex reference for code point U+00A3.
      $encoder = ESAPI::getEncoder();
      $pound = "\xA3";
      $this->assertEquals('&#xa3;', $encoder->encodeForXML($pound));
  }
  828. /*
  829. * Test of encodeForXMLAttribute method of class Encoder.
  830. */
  function testEncodeForXMLAttribute_null() {
      // null in, null out (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $result = $encoder->encodeForXMLAttribute(null);
      $this->assertEquals(null, $result);
  }
  function testEncodeForXMLAttribute_space() {
      // Unlike element content, a space inside an attribute value is encoded,
      // which keeps an unquoted attribute from being terminated early.
      $encoder = ESAPI::getEncoder();
      $space = " ";
      $this->assertEquals("&#x20;", $encoder->encodeForXMLAttribute($space));
  }
  function testEncodeForXMLAttribute_scripttag() {
      // Angle brackets become named entities in attribute context too.
      $encoder = ESAPI::getEncoder();
      $input = "<script>";
      $this->assertEquals("&lt;script&gt;", $encoder->encodeForXMLAttribute($input));
  }
  function testEncodeForXMLAttribute_immune() {
      // The same immune set as element content: , . - _ pass through.
      $encoder = ESAPI::getEncoder();
      $immune = ",.-_";
      $this->assertEquals($immune, $encoder->encodeForXMLAttribute($immune));
  }
  function testEncodeForXMLAttribute_symbols() {
      // Leading space and all punctuation become hex character references.
      $encoder = ESAPI::getEncoder();
      $input = " !@$%()=+{}[]";
      $expected = "&#x20;&#x21;&#x40;&#x24;&#x25;&#x28;&#x29;&#x3d;&#x2b;&#x7b;&#x7d;&#x5b;&#x5d;";
      $this->assertEquals($expected, $encoder->encodeForXMLAttribute($input));
  }
  function testEncodeForXMLAttribute_pound() {
      // Byte 0xA3 is emitted as the hex reference for U+00A3, as in element content.
      $encoder = ESAPI::getEncoder();
      $pound = "\xA3";
      $this->assertEquals('&#xa3;', $encoder->encodeForXMLAttribute($pound));
  }
  855. /*
  856. * Test of encodeForURL method of class Encoder.
  857. */
  function testEncodeForURL_01() {
      // null in, null out (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $result = $encoder->encodeForURL(null);
      $this->assertEquals(null, $result);
  }
  function testEncodeForURL_02() {
      // Angle brackets are percent-encoded with upper-case hex digits.
      $encoder = ESAPI::getEncoder();
      $input = "<script>";
      $this->assertEquals("%3Cscript%3E", $encoder->encodeForURL($input));
  }
  function testEncodeForURL_03() {
      // A space becomes '+', i.e. application/x-www-form-urlencoded style
      // rather than %20 — relevant if the output is placed in a URL path.
      $encoder = ESAPI::getEncoder();
      $space = " ";
      $this->assertEquals("+", $encoder->encodeForURL($space));
  }
  870. /*
  871. * Test of decodeFromURL method, of class Encoder.
  872. */
  function testDecodeFromURL_01() {
      // null in, null out (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $result = $encoder->decodeFromURL(null);
      $this->assertEquals(null, $result);
  }
  function testDecodeFromURL_02() {
      // Percent-encoded angle brackets decode back to the raw tag.
      $encoder = ESAPI::getEncoder();
      $input = "%3Cscript%3E";
      $this->assertEquals("<script>", $encoder->decodeFromURL($input));
  }
  function testDecodeFromURL_03() {
      // '+' decodes to a space. The expected literal shows as a single space
      // in this listing although the input holds five pluses; the whitespace
      // may have been collapsed by the rendering — confirm against the
      // original source (five spaces would be the consistent expectation).
      $encoder = ESAPI::getEncoder();
      $input = "+++++";
      $this->assertEquals(" ", $encoder->decodeFromURL($input));
  }
  885. /*
  886. * Test of encodeForBase64 method of class Encoder.
  887. */
  function testEncodeForBase64_01() {
      // null input, no wrapping requested: null result (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $result = $encoder->encodeForBase64(null, false);
      $this->assertEquals(null, $result);
  }
  function testEncodeForBase64_02() {
      // null input with wrapping requested still yields null (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $result = $encoder->encodeForBase64(null, true);
      $this->assertEquals(null, $result);
  }
  function testEncodeForBase64_03() {
      // Decoding null yields null (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $result = $encoder->decodeFromBase64(null);
      $this->assertEquals(null, $result);
  }
  900. // Test wrapping at 76 chars
  function testEncodeForBase64_04() {
      // Wrapping mode must insert a CRLF after the 76th character of the
      // unwrapped encoding. 76 random input bytes encode to more than 76
      // characters, so exactly one wrap point is exercised.
      $encoder = ESAPI::getEncoder();
      $plain = ESAPI::getRandomizer()->getRandomString( 76, Encoder::CHAR_SPECIALS );
      $unwrapped = $encoder->encodeForBase64( $plain, false );
      $wrapped = $encoder->encodeForBase64( $plain, true );
      $head = mb_substr($unwrapped, 0, 76, 'ASCII');
      $tail = mb_substr($unwrapped, 76, mb_strlen($unwrapped, 'ASCII') - 76, 'ASCII');
      $this->assertEquals( $head . "\r\n" . $tail, $wrapped );
  }
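  function testEncodeForBase64_05() {
      // Round-trips 100 random 20-byte strings of special characters through
      // encodeForBase64/decodeFromBase64, with wrapping chosen at random.
      //
      // The original wrapped the loop in catch (Exception) { fail(); } which
      // also swallowed PHPUnit's own assertion failure (it extends Exception),
      // replacing the real mismatch with a blank failure. Assertion failures
      // are now re-thrown and only genuinely unexpected exceptions become a
      // fail() that carries the iteration and message.
      $encoder = ESAPI::getEncoder();
      for ( $i = 0; $i < 100; $i++ ) {
          try {
              $plain = ESAPI::getRandomizer()->getRandomString( 20, Encoder::CHAR_SPECIALS );
              $wrap = ESAPI::getRandomizer()->getRandomBoolean();
              $encoded = $encoder->encodeForBase64( $plain, $wrap );
              $decoded = $encoder->decodeFromBase64( $encoded );
              $this->assertEquals( $plain, $decoded, "Round trip failed on iteration {$i} (wrap=" . ($wrap ? 'true' : 'false') . ")" );
          } catch ( PHPUnit_Framework_AssertionFailedError $failure ) {
              throw $failure;
          } catch ( Exception $unexpected ) {
              $this->fail( "Unexpected exception on iteration {$i}: " . $unexpected->getMessage() );
          }
      }
  }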
  922. /*
  923. * Test of decodeFromBase64 method, of class Encoder.
  924. */
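  function testDecodeFromBase64_01() {
      // Two passes of 100 random 20-byte special-character strings:
      //  1. encode then decode must give back the original;
      //  2. prepending one alphanumeric to the encoding must NOT decode back
      //     to the original. The Java suite expects an IOException here, but
      //     PHP's base64_decode() is lenient and simply yields other bytes, so
      //     inequality is all that can be asserted.
      //
      // As in testEncodeForBase64_05, catch (Exception) used to swallow
      // PHPUnit's assertion failure and hide the real mismatch; assertion
      // failures are re-thrown and only other exceptions become a fail().
      $encoder = ESAPI::getEncoder();
      for ( $i = 0; $i < 100; $i++ ) {
          try {
              $plain = ESAPI::getRandomizer()->getRandomString( 20, Encoder::CHAR_SPECIALS );
              $encoded = $encoder->encodeForBase64( $plain, ESAPI::getRandomizer()->getRandomBoolean() );
              $decoded = $encoder->decodeFromBase64( $encoded );
              $this->assertEquals( $plain, $decoded, "Round trip failed on iteration {$i}" );
          } catch ( PHPUnit_Framework_AssertionFailedError $failure ) {
              throw $failure;
          } catch ( Exception $unexpected ) {
              $this->fail( "Unexpected exception on iteration {$i}: " . $unexpected->getMessage() );
          }
      }
      for ( $i = 0; $i < 100; $i++ ) {
          try {
              $plain = ESAPI::getRandomizer()->getRandomString( 20, Encoder::CHAR_SPECIALS );
              $prefix = ESAPI::getRandomizer()->getRandomString( 1, Encoder::CHAR_ALPHANUMERICS );
              $corrupted = $prefix . $encoder->encodeForBase64( $plain, ESAPI::getRandomizer()->getRandomBoolean() );
              $decoded = $encoder->decodeFromBase64( $corrupted );
              $this->assertNotEquals( $plain, $decoded, "Corrupted input decoded to the original on iteration {$i}" );
          } catch ( PHPUnit_Framework_AssertionFailedError $failure ) {
              throw $failure;
          } catch ( Exception $unexpected ) {
              $this->fail( "Unexpected exception on iteration {$i}: " . $unexpected->getMessage() );
          }
      }
  }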
  function testDecodeSingleCharacter_NumeralZero()
  {
      // One base64 alphabet character cannot form a whole byte, so the lenient
      // decoder yields an empty string rather than an error. Callers must not
      // read '' as proof that the input was well-formed base64.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('0');
      $this->assertEquals( '', $decoded );
  }
  function testDecodeSingleCharacter_NumeralOne()
  {
      // A single '1' is an incomplete base64 group and decodes to ''.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('1');
      $this->assertEquals( '', $decoded );
  }
  function testDecodeSingleCharacter_AlphaLower()
  {
      // A single lower-case letter is an incomplete base64 group and decodes to ''.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('a');
      $this->assertEquals( '', $decoded );
  }
  function testDecodeSingleCharacter_AlphaUpper()
  {
      // A single upper-case letter is an incomplete base64 group and decodes to ''.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('A');
      $this->assertEquals( '', $decoded );
  }
  function testDecodeSingleCharacter_CharBackslash()
  {
      // A backslash is not in the base64 alphabet; the lenient decoder
      // discards it and returns ''.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('\\');
      $this->assertEquals( '', $decoded );
  }
  function testDecodeSingleCharacter_CharPlus()
  {
      // '+' is a valid alphabet character but alone is an incomplete group: ''.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('+');
      $this->assertEquals( '', $decoded );
  }
  function testDecodeSingleCharacter_CharPad()
  {
      // A bare padding character carries no data and decodes to ''.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('=');
      $this->assertEquals( '', $decoded );
  }
  function testDecodeSingleInvalidCharacter_CharHyphen()
  {
      // '-' is outside the standard alphabet (it belongs to the URL-safe
      // variant); the lenient decoder drops it and returns '' instead of
      // signalling invalid input.
      $encoder = ESAPI::getEncoder();
      $decoded = $encoder->decodeFromBase64('-');
      $this->assertEquals( '', $decoded );
  }
  992. /*
  993. * Test of WindowsCodec
  994. */
  function testWindowsCodec_01() {
      // null input through encodeForOS with the Windows codec stays null
      // (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $windowsCodec = new WindowsCodec();
      $result = $encoder->encodeForOS($windowsCodec, null);
      $this->assertEquals(null, $result);
  }
  function testWindowsCodec_02() {
      // A plain letter is not an escape sequence, so decodeCharacter reports
      // no decoded character for it.
      $windowsCodec = new WindowsCodec();
      $normalized = Codec::normalizeEncoding("n");
      $result = $windowsCodec->decodeCharacter($normalized);
      $this->assertEquals(null, $result['decodedCharacter']);
  }
  function testWindowsCodec_03() {
      // Empty input: nothing to decode, decodedCharacter is null.
      $windowsCodec = new WindowsCodec();
      $normalized = Codec::normalizeEncoding("");
      $result = $windowsCodec->decodeCharacter($normalized);
      $this->assertEquals(null, $result['decodedCharacter']);
  }
  function testWindowsCodec_04() {
      // Encoding '<' with the codec and decoding the result must round-trip.
      // The immune list holds only NUL; it is irrelevant to '<' (the Java
      // suite passes a list that would also leave alphanumerics unencoded).
      $windowsCodec = new WindowsCodec();
      $immune = array("\0");
      $roundTripped = $windowsCodec->decode($windowsCodec->encodeCharacter($immune, "<"));
      $this->assertEquals("<", $roundTripped);
  }
  function testWindowsCodec_05() {
      // A path without caret escapes decodes to itself.
      $windowsCodec = new WindowsCodec();
      $path = "c:\\jeff";
      $this->assertEquals($path, $windowsCodec->decode($path));
  }
  function testWindowsCodec_06() {
      // encode() followed by decode() with an empty immune list is the identity.
      $windowsCodec = new WindowsCodec();
      $path = "c:\\jeff";
      $roundTripped = $windowsCodec->decode($windowsCodec->encode(array(), $path));
      $this->assertEquals($path, $roundTripped);
  }
  function testWindowsCodec_07() {
      // cmd.exe's escape character is '^': both ':' and '\' get caret-prefixed.
      $encoder = ESAPI::getEncoder();
      $windowsCodec = new WindowsCodec();
      $input = "c:\\jeff";
      $this->assertEquals("c^:^\\jeff", $encoder->encodeForOS($windowsCodec, $input));
  }
  function testWindowsCodec_08() {
      // Calling the codec directly gives the same caret escaping as encodeForOS.
      $windowsCodec = new WindowsCodec();
      $input = "c:\\jeff";
      $this->assertEquals("c^:^\\jeff", $windowsCodec->encode(array(), $input));
  }
  function testWindowsCodec_09() {
      // Spaces and the command separator '&' are caret-escaped, so the value
      // cannot split into a second command.
      $encoder = ESAPI::getEncoder();
      $windowsCodec = new WindowsCodec();
      $input = "dir & foo";
      $this->assertEquals("dir^ ^&^ foo", $encoder->encodeForOS($windowsCodec, $input));
  }
  function testWindowsCodec_10() {
      // Direct codec call: same result as encodeForOS for "dir & foo".
      $windowsCodec = new WindowsCodec();
      $input = "dir & foo";
      $this->assertEquals("dir^ ^&^ foo", $windowsCodec->encode(array(), $input));
  }
  1049. /*
  1050. * Test of UnixCodec
  1051. */
  function testUnixCodec_01() {
      // null input through encodeForOS with the Unix codec stays null
      // (loose compare, see assertEquals).
      $encoder = ESAPI::getEncoder();
      $unixCodec = new UnixCodec();
      $result = $encoder->encodeForOS($unixCodec, null);
      $this->assertEquals(null, $result);
  }
  function testUnixCodec_02() {
      // A plain letter is not a shell escape; decodedCharacter is null.
      $unixCodec = new UnixCodec();
      $normalized = Codec::normalizeEncoding("n");
      $result = $unixCodec->decodeCharacter($normalized);
      $this->assertEquals(null, $result['decodedCharacter']);
  }
  function testUnixCodec_03() {
      // Empty input: nothing to decode, decodedCharacter is null.
      $unixCodec = new UnixCodec();
      $normalized = Codec::normalizeEncoding("");
      $result = $unixCodec->decodeCharacter($normalized);
      $this->assertEquals(null, $result['decodedCharacter']);
  }
  function testUnixCodec_04() {
      // Encoding '<' and decoding the result must round-trip. The immune list
      // holds only NUL, which does not affect '<' (the Java suite's list would
      // also leave alphanumerics unencoded).
      $unixCodec = new UnixCodec();
      $immune = array("\0");
      $roundTripped = $unixCodec->decode($unixCodec->encodeCharacter($immune, "<"));
      $this->assertEquals("<", $roundTripped);
  }
  function testUnixCodec_05() {
      // A path with no backslash escapes decodes to itself.
      $unixCodec = new UnixCodec();
      $path = "/etc/passwd";
      $this->assertEquals($path, $unixCodec->decode($path));
  }
  function testUnixCodec_06() {
      // encode() then decode() with an empty immune list is the identity.
      $unixCodec = new UnixCodec();
      $path = "/etc/passwd";
      $roundTripped = $unixCodec->decode($unixCodec->encode(array(), $path));
      $this->assertEquals($path, $roundTripped);
  }
  function testUnixCodec_07() {
      // The Unix codec backslash-escapes ':' and doubles the backslash.
      // TODO: Check that this is acceptable for Unix hosts
      $encoder = ESAPI::getEncoder();
      $unixCodec = new UnixCodec();
      $input = "c:\\jeff";
      $this->assertEquals("c\\:\\\\jeff", $encoder->encodeForOS($unixCodec, $input));
  }
  function testUnixCodec_08() {
      // Direct codec call: same backslash escaping as encodeForOS.
      // TODO: Check that this is acceptable for Unix hosts
      $unixCodec = new UnixCodec();
      $input = "c:\\jeff";
      $this->assertEquals("c\\:\\\\jeff", $unixCodec->encode(array(), $input));
  }
  function testUnixCodec_09() {
      // Spaces and '&' are backslash-escaped so the shell sees one argument,
      // not a backgrounded command followed by another.
      // TODO: Check that this is acceptable for Unix hosts
      $encoder = ESAPI::getEncoder();
      $unixCodec = new UnixCodec();
      $input = "dir & foo";
      $this->assertEquals("dir\\ \\&\\ foo", $encoder->encodeForOS($unixCodec, $input));
  }
  function testUnixCodec_10() {
      // Direct codec call: same result as encodeForOS for "dir & foo".
      // TODO: Check that this is acceptable for Unix hosts
      $unixCodec = new UnixCodec();
      $input = "dir & foo";
      $this->assertEquals("dir\\ \\&\\ foo", $unixCodec->encode(array(), $input));
  }
  1110. // Unix paths (that must be encoded safely)
  function testUnixCodec_11() {
      // Path separators are escaped too, so an encoded value cannot be used
      // as a path traversal on its own. (The original declared an unused
      // $immune array; encodeForOS takes none.)
      // TODO: Check that this is acceptable for Unix
      $encoder = ESAPI::getEncoder();
      $unixCodec = new UnixCodec();
      $input = "/etc/hosts";
      $this->assertEquals("\\/etc\\/hosts", $encoder->encodeForOS($unixCodec, $input));
  }
  function testUnixCodec_12() {
      // ';' and spaces are escaped along with '/', so an appended command
      // stays part of the single argument. (Unused $immune local dropped.)
      // TODO: Check that this is acceptable for Unix
      $encoder = ESAPI::getEncoder();
      $unixCodec = new UnixCodec();
      $input = "/etc/hosts; ls -l";
      $this->assertEquals("\\/etc\\/hosts\\;\\ ls\\ -l", $encoder->encodeForOS($unixCodec, $input));
  }
  1125. // these tests check that mixed character encoding is handled properly when
  1126. // encoding.
  function testCharsForBase64() {
      // For every single byte 0..255 the encoding must consist only of the
      // standard base64 alphabet plus up to two '=' pads, and must decode
      // back to the same byte. Uses the encoder built in setUp().
      $encoder = $this->encoderInstance;
      $alphabet = '/^[a-zA-Z0-9\/+]*={0,2}$/';
      for ($ordinal = 0; $ordinal < 256; $ordinal++) {
          $byte = chr($ordinal);
          $encoded = $encoder->encodeForBase64($byte);
          $this->assertRegExp($alphabet, $encoded, "Input was character with ordinal: {$ordinal} - %s");
          $this->assertEquals($byte, $encoder->decodeFromBase64($encoded));
      }
  }
  1137. function testCharsPlusAlphaForBase64() {
  1138. $instance = $this->encoderInstance;
  1139. $expected = '/^[a-zA-Z0-9\/+]*={0,2}$/';
  1140. for ($i=0; $i<256 ; $i++) {
  1141. $input = 'a' . chr($i);
  1142. $output = $instance->encodeForBase64($input);
  1143. $this->assertRegExp($expected, $output, "Input was 'a' concat with character with ordinal: {$i} - %s");
  1144. $this->assertEquals($input, $instance->decodeFromBase64($output));
