/vendor/twig/twig/test/Twig/Tests/escapingTest.php

https://github.com/fatra/kurs · PHP · 324 lines · 255 code · 23 blank · 46 comment · 32 complexity · 42d0f7f1a17f25a06b8a8df92b06b5c1 MD5 · raw file 

    

  1. <?php

    2. 

  2. 

    3. 

  3. /**

    4. 

  4.  * This class is adapted from code coming from Zend Framework.

    5. 

  5.  *

    6. 

  6.  * @copyright Copyright (c) 2005-2012 Zend Technologies USA Inc. (http://www.zend.com)

    7. 

  7.  * @license   http://framework.zend.com/license/new-bsd New BSD License

    8. 

  8.  */

    9. 

  9. 

    10. 

  10. class Twig_Test_EscapingTest extends PHPUnit_Framework_TestCase

    11. 

  11. {

    12. 

  12.     /**

    13. 

  13.      * All character encodings supported by htmlspecialchars()

    14. 

  14.      */

    15. 

  15.     protected $htmlSpecialChars = array(

    16. 

  16.         '\''    => '&#039;',

    17. 

  17.         '"'     => '&quot;',

    18. 

  18.         '<'     => '&lt;',

    19. 

  19.         '>'     => '&gt;',

    20. 

  20.         '&'     => '&amp;'

    21. 

  21.     );

    22. 

  22. 

    23. 

  23.     protected $htmlAttrSpecialChars = array(

    24. 

  24.         '\''    => '&#x27;',

    25. 

  25.         '"'     => '&quot;',

    26. 

  26.         '<'     => '&lt;',

    27. 

  27.         '>'     => '&gt;',

    28. 

  28.         '&'     => '&amp;',

    29. 

  29.         /* Characters beyond ASCII value 255 to unicode escape */

    30. 

  30.         'Ā'     => '&#x0100;',

    31. 

  31.         /* Immune chars excluded */

    32. 

  32.         ','     => ',',

    33. 

  33.         '.'     => '.',

    34. 

  34.         '-'     => '-',

    35. 

  35.         '_'     => '_',

    36. 

  36.         /* Basic alnums exluded */

    37. 

  37.         'a'     => 'a',

    38. 

  38.         'A'     => 'A',

    39. 

  39.         'z'     => 'z',

    40. 

  40.         'Z'     => 'Z',

    41. 

  41.         '0'     => '0',

    42. 

  42.         '9'     => '9',

    43. 

  43.         /* Basic control characters and null */

    44. 

  44.         "\r"    => '&#x0D;',

    45. 

  45.         "\n"    => '&#x0A;',

    46. 

  46.         "\t"    => '&#x09;',

    47. 

  47.         "\0"    => '&#xFFFD;', // should use Unicode replacement char

    48. 

  48.         /* Encode chars as named entities where possible */

    49. 

  49.         '<'     => '&lt;',

    50. 

  50.         '>'     => '&gt;',

    51. 

  51.         '&'     => '&amp;',

    52. 

  52.         '"'     => '&quot;',

    53. 

  53.         /* Encode spaces for quoteless attribute protection */

    54. 

  54.         ' '     => '&#x20;',

    55. 

  55.     );

    56. 

  56. 

    57. 

  57.     protected $jsSpecialChars = array(

    58. 

  58.         /* HTML special chars - escape without exception to hex */

    59. 

  59.         '<'     => '\\x3C',

    60. 

  60.         '>'     => '\\x3E',

    61. 

  61.         '\''    => '\\x27',

    62. 

  62.         '"'     => '\\x22',

    63. 

  63.         '&'     => '\\x26',

    64. 

  64.         /* Characters beyond ASCII value 255 to unicode escape */

    65. 

  65.         'Ā'     => '\\u0100',

    66. 

  66.         /* Immune chars excluded */

    67. 

  67.         ','     => ',',

    68. 

  68.         '.'     => '.',

    69. 

  69.         '_'     => '_',

    70. 

  70.         /* Basic alnums exluded */

    71. 

  71.         'a'     => 'a',

    72. 

  72.         'A'     => 'A',

    73. 

  73.         'z'     => 'z',

    74. 

  74.         'Z'     => 'Z',

    75. 

  75.         '0'     => '0',

    76. 

  76.         '9'     => '9',

    77. 

  77.         /* Basic control characters and null */

    78. 

  78.         "\r"    => '\\x0D',

    79. 

  79.         "\n"    => '\\x0A',

    80. 

  80.         "\t"    => '\\x09',

    81. 

  81.         "\0"    => '\\x00',

    82. 

  82.         /* Encode spaces for quoteless attribute protection */

    83. 

  83.         ' '     => '\\x20',

    84. 

  84.     );

    85. 

  85. 

    86. 

  86.     protected $urlSpecialChars = array(

    87. 

  87.         /* HTML special chars - escape without exception to percent encoding */

    88. 

  88.         '<'     => '%3C',

    89. 

  89.         '>'     => '%3E',

    90. 

  90.         '\''    => '%27',

    91. 

  91.         '"'     => '%22',

    92. 

  92.         '&'     => '%26',

    93. 

  93.         /* Characters beyond ASCII value 255 to hex sequence */

    94. 

  94.         'Ā'     => '%C4%80',

    95. 

  95.         /* Punctuation and unreserved check */

    96. 

  96.         ','     => '%2C',

    97. 

  97.         '.'     => '.',

    98. 

  98.         '_'     => '_',

    99. 

  99.         '-'     => '-',

    100. 

  100.         ':'     => '%3A',

    101. 

  101.         ';'     => '%3B',

    102. 

  102.         '!'     => '%21',

    103. 

  103.         /* Basic alnums excluded */

    104. 

  104.         'a'     => 'a',

    105. 

  105.         'A'     => 'A',

    106. 

  106.         'z'     => 'z',

    107. 

  107.         'Z'     => 'Z',

    108. 

  108.         '0'     => '0',

    109. 

  109.         '9'     => '9',

    110. 

  110.         /* Basic control characters and null */

    111. 

  111.         "\r"    => '%0D',

    112. 

  112.         "\n"    => '%0A',

    113. 

  113.         "\t"    => '%09',

    114. 

  114.         "\0"    => '%00',

    115. 

  115.         /* PHP quirks from the past */

    116. 

  116.         ' '     => '%20',

    117. 

  117.         '~'     => '~',

    118. 

  118.         '+'     => '%2B',

    119. 

  119.     );

    120. 

  120. 

    121. 

  121.     protected $cssSpecialChars = array(

    122. 

  122.         /* HTML special chars - escape without exception to hex */

    123. 

  123.         '<'     => '\\3C ',

    124. 

  124.         '>'     => '\\3E ',

    125. 

  125.         '\''    => '\\27 ',

    126. 

  126.         '"'     => '\\22 ',

    127. 

  127.         '&'     => '\\26 ',

    128. 

  128.         /* Characters beyond ASCII value 255 to unicode escape */

    129. 

  129.         'Ā'     => '\\100 ',

    130. 

  130.         /* Immune chars excluded */

    131. 

  131.         ','     => '\\2C ',

    132. 

  132.         '.'     => '\\2E ',

    133. 

  133.         '_'     => '\\5F ',

    134. 

  134.         /* Basic alnums exluded */

    135. 

  135.         'a'     => 'a',

    136. 

  136.         'A'     => 'A',

    137. 

  137.         'z'     => 'z',

    138. 

  138.         'Z'     => 'Z',

    139. 

  139.         '0'     => '0',

    140. 

  140.         '9'     => '9',

    141. 

  141.         /* Basic control characters and null */

    142. 

  142.         "\r"    => '\\D ',

    143. 

  143.         "\n"    => '\\A ',

    144. 

  144.         "\t"    => '\\9 ',

    145. 

  145.         "\0"    => '\\0 ',

    146. 

  146.         /* Encode spaces for quoteless attribute protection */

    147. 

  147.         ' '     => '\\20 ',

    148. 

  148.     );

    149. 

  149. 

    150. 

  150.     protected $env;

    151. 

  151. 

    152. 

  152.     public function setUp()

    153. 

  153.     {

    154. 

  154.         $this->env = new Twig_Environment();

    155. 

  155.     }

    156. 

  156. 

    157. 

  157.     public function testHtmlEscapingConvertsSpecialChars()

    158. 

  158.     {

    159. 

  159.         foreach ($this->htmlSpecialChars as $key => $value) {

    160. 

  160.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'html'), 'Failed to escape: '.$key);

    161. 

  161.         }

    162. 

  162.     }

    163. 

  163. 

    164. 

  164.     public function testHtmlAttributeEscapingConvertsSpecialChars()

    165. 

  165.     {

    166. 

  166.         foreach ($this->htmlAttrSpecialChars as $key => $value) {

    167. 

  167.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'html_attr'), 'Failed to escape: '.$key);

    168. 

  168.         }

    169. 

  169.     }

    170. 

  170. 

    171. 

  171.     public function testJavascriptEscapingConvertsSpecialChars()

    172. 

  172.     {

    173. 

  173.         foreach ($this->jsSpecialChars as $key => $value) {

    174. 

  174.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'js'), 'Failed to escape: '.$key);

    175. 

  175.         }

    176. 

  176.     }

    177. 

  177. 

    178. 

  178.     public function testJavascriptEscapingReturnsStringIfZeroLength()

    179. 

  179.     {

    180. 

  180.         $this->assertEquals('', twig_escape_filter($this->env, '', 'js'));

    181. 

  181.     }

    182. 

  182. 

    183. 

  183.     public function testJavascriptEscapingReturnsStringIfContainsOnlyDigits()

    184. 

  184.     {

    185. 

  185.         $this->assertEquals('123', twig_escape_filter($this->env, '123', 'js'));

    186. 

  186.     }

    187. 

  187. 

    188. 

  188.     public function testCssEscapingConvertsSpecialChars()

    189. 

  189.     {

    190. 

  190.         foreach ($this->cssSpecialChars as $key => $value) {

    191. 

  191.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'css'), 'Failed to escape: '.$key);

    192. 

  192.         }

    193. 

  193.     }

    194. 

  194. 

    195. 

  195.     public function testCssEscapingReturnsStringIfZeroLength()

    196. 

  196.     {

    197. 

  197.         $this->assertEquals('', twig_escape_filter($this->env, '', 'css'));

    198. 

  198.     }

    199. 

  199. 

    200. 

  200.     public function testCssEscapingReturnsStringIfContainsOnlyDigits()

    201. 

  201.     {

    202. 

  202.         $this->assertEquals('123', twig_escape_filter($this->env, '123', 'css'));

    203. 

  203.     }

    204. 

  204. 

    205. 

  205.     public function testUrlEscapingConvertsSpecialChars()

    206. 

  206.     {

    207. 

  207.         foreach ($this->urlSpecialChars as $key => $value) {

    208. 

  208.             $this->assertEquals($value, twig_escape_filter($this->env, $key, 'url'), 'Failed to escape: '.$key);

    209. 

  209.         }

    210. 

  210.     }

    211. 

  211. 

    212. 

  212.     /**

    213. 

  213.      * Range tests to confirm escaped range of characters is within OWASP recommendation

    214. 

  214.      */

    215. 

  215. 

    216. 

  216.     /**

    217. 

  217.      * Only testing the first few 2 ranges on this prot. function as that's all these

    218. 

  218.      * other range tests require

    219. 

  219.      */

    220. 

  220.     public function testUnicodeCodepointConversionToUtf8()

    221. 

  221.     {

    222. 

  222.         $expected = " ~ޙ";

    223. 

  223.         $codepoints = array(0x20, 0x7e, 0x799);

    224. 

  224.         $result = '';

    225. 

  225.         foreach ($codepoints as $value) {

    226. 

  226.             $result .= $this->codepointToUtf8($value);

    227. 

  227.         }

    228. 

  228.         $this->assertEquals($expected, $result);

    229. 

  229.     }

    230. 

  230. 

    231. 

  231.     /**

    232. 

  232.      * Convert a Unicode Codepoint to a literal UTF-8 character.

    233. 

  233.      *

    234. 

  234.      * @param int Unicode codepoint in hex notation

    235. 

  235.      * @return string UTF-8 literal string

    236. 

  236.      */

    237. 

  237.     protected function codepointToUtf8($codepoint)

    238. 

  238.     {

    239. 

  239.         if ($codepoint < 0x80) {

    240. 

  240.             return chr($codepoint);

    241. 

  241.         }

    242. 

  242.         if ($codepoint < 0x800) {

    243. 

  243.             return chr($codepoint >> 6 & 0x3f | 0xc0)

    244. 

  244.                 . chr($codepoint & 0x3f | 0x80);

    245. 

  245.         }

    246. 

  246.         if ($codepoint < 0x10000) {

    247. 

  247.             return chr($codepoint >> 12 & 0x0f | 0xe0)

    248. 

  248.                 . chr($codepoint >> 6 & 0x3f | 0x80)

    249. 

  249.                 . chr($codepoint & 0x3f | 0x80);

    250. 

  250.         }

    251. 

  251.         if ($codepoint < 0x110000) {

    252. 

  252.             return chr($codepoint >> 18 & 0x07 | 0xf0)

    253. 

  253.                 . chr($codepoint >> 12 & 0x3f | 0x80)

    254. 

  254.                 . chr($codepoint >> 6 & 0x3f | 0x80)

    255. 

  255.                 . chr($codepoint & 0x3f | 0x80);

    256. 

  256.         }

    257. 

  257.         throw new Exception('Codepoint requested outside of Unicode range');

    258. 

  258.     }

    259. 

  259. 

    260. 

  260.     public function testJavascriptEscapingEscapesOwaspRecommendedRanges()

    261. 

  261.     {

    262. 

  262.         $immune = array(',', '.', '_'); // Exceptions to escaping ranges

    263. 

  263.         for ($chr=0; $chr < 0xFF; $chr++) {

    264. 

  264.             if ($chr >= 0x30 && $chr <= 0x39

    265. 

  265.             || $chr >= 0x41 && $chr <= 0x5A

    266. 

  266.             || $chr >= 0x61 && $chr <= 0x7A) {

    267. 

  267.                 $literal = $this->codepointToUtf8($chr);

    268. 

  268.                 $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'js'));

    269. 

  269.             } else {

    270. 

  270.                 $literal = $this->codepointToUtf8($chr);

    271. 

  271.                 if (in_array($literal, $immune)) {

    272. 

  272.                     $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'js'));

    273. 

  273.                 } else {

    274. 

  274.                     $this->assertNotEquals(

    275. 

  275.                         $literal,

    276. 

  276.                         twig_escape_filter($this->env, $literal, 'js'),

    277. 

  277.                         "$literal should be escaped!");

    278. 

  278.                 }

    279. 

  279.             }

    280. 

  280.         }

    281. 

  281.     }

    282. 

  282. 

    283. 

  283.     public function testHtmlAttributeEscapingEscapesOwaspRecommendedRanges()

    284. 

  284.     {

    285. 

  285.         $immune = array(',', '.', '-', '_'); // Exceptions to escaping ranges

    286. 

  286.         for ($chr=0; $chr < 0xFF; $chr++) {

    287. 

  287.             if ($chr >= 0x30 && $chr <= 0x39

    288. 

  288.             || $chr >= 0x41 && $chr <= 0x5A

    289. 

  289.             || $chr >= 0x61 && $chr <= 0x7A) {

    290. 

  290.                 $literal = $this->codepointToUtf8($chr);

    291. 

  291.                 $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'html_attr'));

    292. 

  292.             } else {

    293. 

  293.                 $literal = $this->codepointToUtf8($chr);

    294. 

  294.                 if (in_array($literal, $immune)) {

    295. 

  295.                     $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'html_attr'));

    296. 

  296.                 } else {

    297. 

  297.                     $this->assertNotEquals(

    298. 

  298.                         $literal,

    299. 

  299.                         twig_escape_filter($this->env, $literal, 'html_attr'),

    300. 

  300.                         "$literal should be escaped!");

    301. 

  301.                 }

    302. 

  302.             }

    303. 

  303.         }

    304. 

  304.     }

    305. 

  305. 

    306. 

  306.     public function testCssEscapingEscapesOwaspRecommendedRanges()

    307. 

  307.     {

    308. 

  308.         $immune = array(); // CSS has no exceptions to escaping ranges

    309. 

  309.         for ($chr=0; $chr < 0xFF; $chr++) {

    310. 

  310.             if ($chr >= 0x30 && $chr <= 0x39

    311. 

  311.             || $chr >= 0x41 && $chr <= 0x5A

    312. 

  312.             || $chr >= 0x61 && $chr <= 0x7A) {

    313. 

  313.                 $literal = $this->codepointToUtf8($chr);

    314. 

  314.                 $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'css'));

    315. 

  315.             } else {

    316. 

  316.                 $literal = $this->codepointToUtf8($chr);

    317. 

  317.                 $this->assertNotEquals(

    318. 

  318.                     $literal,

    319. 

  319.                     twig_escape_filter($this->env, $literal, 'css'),

    320. 

  320.                     "$literal should be escaped!");

    321. 

  321.             }

    322. 

  322.         }

    323. 

  323.     }

    324. 

  324. }
    325.