ILIAS  release_5-4 Revision v5.4.26-12-gabc799a52e6
escapingTest.php
Go to the documentation of this file.
1 <?php
2 
9 class Twig_Test_EscapingTest extends \PHPUnit\Framework\TestCase
10 {
14  protected $htmlSpecialChars = array(
15  '\'' => '&#039;',
16  '"' => '&quot;',
17  '<' => '&lt;',
18  '>' => '&gt;',
19  '&' => '&amp;',
20  );
21 
22  protected $htmlAttrSpecialChars = array(
23  '\'' => '&#x27;',
24  /* Characters beyond ASCII value 255 to unicode escape */
25  'Ā' => '&#x0100;',
26  /* Immune chars excluded */
27  ',' => ',',
28  '.' => '.',
29  '-' => '-',
30  '_' => '_',
31  /* Basic alnums excluded */
32  'a' => 'a',
33  'A' => 'A',
34  'z' => 'z',
35  'Z' => 'Z',
36  '0' => '0',
37  '9' => '9',
38  /* Basic control characters and null */
39  "\r" => '&#x0D;',
40  "\n" => '&#x0A;',
41  "\t" => '&#x09;',
42  "\0" => '&#xFFFD;', // should use Unicode replacement char
43  /* Encode chars as named entities where possible */
44  '<' => '&lt;',
45  '>' => '&gt;',
46  '&' => '&amp;',
47  '"' => '&quot;',
48  /* Encode spaces for quoteless attribute protection */
49  ' ' => '&#x20;',
50  );
51 
52  protected $jsSpecialChars = array(
53  /* HTML special chars - escape without exception to hex */
54  '<' => '\\x3C',
55  '>' => '\\x3E',
56  '\'' => '\\x27',
57  '"' => '\\x22',
58  '&' => '\\x26',
59  /* Characters beyond ASCII value 255 to unicode escape */
60  'Ā' => '\\u0100',
61  /* Immune chars excluded */
62  ',' => ',',
63  '.' => '.',
64  '_' => '_',
65  /* Basic alnums excluded */
66  'a' => 'a',
67  'A' => 'A',
68  'z' => 'z',
69  'Z' => 'Z',
70  '0' => '0',
71  '9' => '9',
72  /* Basic control characters and null */
73  "\r" => '\\x0D',
74  "\n" => '\\x0A',
75  "\t" => '\\x09',
76  "\0" => '\\x00',
77  /* Encode spaces for quoteless attribute protection */
78  ' ' => '\\x20',
79  );
80 
81  protected $urlSpecialChars = array(
82  /* HTML special chars - escape without exception to percent encoding */
83  '<' => '%3C',
84  '>' => '%3E',
85  '\'' => '%27',
86  '"' => '%22',
87  '&' => '%26',
88  /* Characters beyond ASCII value 255 to hex sequence */
89  'Ā' => '%C4%80',
90  /* Punctuation and unreserved check */
91  ',' => '%2C',
92  '.' => '.',
93  '_' => '_',
94  '-' => '-',
95  ':' => '%3A',
96  ';' => '%3B',
97  '!' => '%21',
98  /* Basic alnums excluded */
99  'a' => 'a',
100  'A' => 'A',
101  'z' => 'z',
102  'Z' => 'Z',
103  '0' => '0',
104  '9' => '9',
105  /* Basic control characters and null */
106  "\r" => '%0D',
107  "\n" => '%0A',
108  "\t" => '%09',
109  "\0" => '%00',
110  /* PHP quirks from the past */
111  ' ' => '%20',
112  '~' => '~',
113  '+' => '%2B',
114  );
115 
116  protected $cssSpecialChars = array(
117  /* HTML special chars - escape without exception to hex */
118  '<' => '\\3C ',
119  '>' => '\\3E ',
120  '\'' => '\\27 ',
121  '"' => '\\22 ',
122  '&' => '\\26 ',
123  /* Characters beyond ASCII value 255 to unicode escape */
124  'Ā' => '\\100 ',
125  /* Immune chars excluded */
126  ',' => '\\2C ',
127  '.' => '\\2E ',
128  '_' => '\\5F ',
129  /* Basic alnums excluded */
130  'a' => 'a',
131  'A' => 'A',
132  'z' => 'z',
133  'Z' => 'Z',
134  '0' => '0',
135  '9' => '9',
136  /* Basic control characters and null */
137  "\r" => '\\D ',
138  "\n" => '\\A ',
139  "\t" => '\\9 ',
140  "\0" => '\\0 ',
141  /* Encode spaces for quoteless attribute protection */
142  ' ' => '\\20 ',
143  );
144 
145  protected $env;
146 
147  protected function setUp()
148  {
149  $this->env = new Twig_Environment($this->getMockBuilder('Twig_LoaderInterface')->getMock());
150  }
151 
152  public function testHtmlEscapingConvertsSpecialChars()
153  {
154  foreach ($this->htmlSpecialChars as $key => $value) {
155  $this->assertEquals($value, twig_escape_filter($this->env, $key, 'html'), 'Failed to escape: '.$key);
156  }
157  }
158 
159  public function testHtmlAttributeEscapingConvertsSpecialChars()
160  {
161  foreach ($this->htmlAttrSpecialChars as $key => $value) {
162  $this->assertEquals($value, twig_escape_filter($this->env, $key, 'html_attr'), 'Failed to escape: '.$key);
163  }
164  }
165 
166  public function testJavascriptEscapingConvertsSpecialChars()
167  {
168  foreach ($this->jsSpecialChars as $key => $value) {
169  $this->assertEquals($value, twig_escape_filter($this->env, $key, 'js'), 'Failed to escape: '.$key);
170  }
171  }
172 
173  public function testJavascriptEscapingReturnsStringIfZeroLength()
174  {
175  $this->assertEquals('', twig_escape_filter($this->env, '', 'js'));
176  }
177 
178  public function testJavascriptEscapingReturnsStringIfContainsOnlyDigits()
179  {
180  $this->assertEquals('123', twig_escape_filter($this->env, '123', 'js'));
181  }
182 
183  public function testCssEscapingConvertsSpecialChars()
184  {
185  foreach ($this->cssSpecialChars as $key => $value) {
186  $this->assertEquals($value, twig_escape_filter($this->env, $key, 'css'), 'Failed to escape: '.$key);
187  }
188  }
189 
190  public function testCssEscapingReturnsStringIfZeroLength()
191  {
192  $this->assertEquals('', twig_escape_filter($this->env, '', 'css'));
193  }
194 
195  public function testCssEscapingReturnsStringIfContainsOnlyDigits()
196  {
197  $this->assertEquals('123', twig_escape_filter($this->env, '123', 'css'));
198  }
199 
200  public function testUrlEscapingConvertsSpecialChars()
201  {
202  foreach ($this->urlSpecialChars as $key => $value) {
203  $this->assertEquals($value, twig_escape_filter($this->env, $key, 'url'), 'Failed to escape: '.$key);
204  }
205  }
206 
215  public function testUnicodeCodepointConversionToUtf8()
216  {
217  $expected = ' ~ޙ';
218  $codepoints = array(0x20, 0x7e, 0x799);
219  $result = '';
220  foreach ($codepoints as $value) {
221  $result .= $this->codepointToUtf8($value);
222  }
223  $this->assertEquals($expected, $result);
224  }
225 
233  protected function codepointToUtf8($codepoint)
234  {
235  if ($codepoint < 0x80) {
236  return chr($codepoint);
237  }
238  if ($codepoint < 0x800) {
239  return chr($codepoint >> 6 & 0x3f | 0xc0)
240  .chr($codepoint & 0x3f | 0x80);
241  }
242  if ($codepoint < 0x10000) {
243  return chr($codepoint >> 12 & 0x0f | 0xe0)
244  .chr($codepoint >> 6 & 0x3f | 0x80)
245  .chr($codepoint & 0x3f | 0x80);
246  }
247  if ($codepoint < 0x110000) {
248  return chr($codepoint >> 18 & 0x07 | 0xf0)
249  .chr($codepoint >> 12 & 0x3f | 0x80)
250  .chr($codepoint >> 6 & 0x3f | 0x80)
251  .chr($codepoint & 0x3f | 0x80);
252  }
253  throw new Exception('Codepoint requested outside of Unicode range.');
254  }
255 
256  public function testJavascriptEscapingEscapesOwaspRecommendedRanges()
257  {
258  $immune = array(',', '.', '_'); // Exceptions to escaping ranges
259  for ($chr = 0; $chr < 0xFF; ++$chr) {
260  if ($chr >= 0x30 && $chr <= 0x39
261  || $chr >= 0x41 && $chr <= 0x5A
262  || $chr >= 0x61 && $chr <= 0x7A) {
263  $literal = $this->codepointToUtf8($chr);
264  $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'js'));
265  } else {
266  $literal = $this->codepointToUtf8($chr);
267  if (in_array($literal, $immune)) {
268  $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'js'));
269  } else {
270  $this->assertNotEquals(
271  $literal,
272  twig_escape_filter($this->env, $literal, 'js'),
273  "$literal should be escaped!");
274  }
275  }
276  }
277  }
278 
279  public function testHtmlAttributeEscapingEscapesOwaspRecommendedRanges()
280  {
281  $immune = array(',', '.', '-', '_'); // Exceptions to escaping ranges
282  for ($chr = 0; $chr < 0xFF; ++$chr) {
283  if ($chr >= 0x30 && $chr <= 0x39
284  || $chr >= 0x41 && $chr <= 0x5A
285  || $chr >= 0x61 && $chr <= 0x7A) {
286  $literal = $this->codepointToUtf8($chr);
287  $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'html_attr'));
288  } else {
289  $literal = $this->codepointToUtf8($chr);
290  if (in_array($literal, $immune)) {
291  $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'html_attr'));
292  } else {
293  $this->assertNotEquals(
294  $literal,
295  twig_escape_filter($this->env, $literal, 'html_attr'),
296  "$literal should be escaped!");
297  }
298  }
299  }
300  }
301 
302  public function testCssEscapingEscapesOwaspRecommendedRanges()
303  {
304  // CSS has no exceptions to escaping ranges
305  for ($chr = 0; $chr < 0xFF; ++$chr) {
306  if ($chr >= 0x30 && $chr <= 0x39
307  || $chr >= 0x41 && $chr <= 0x5A
308  || $chr >= 0x61 && $chr <= 0x7A) {
309  $literal = $this->codepointToUtf8($chr);
310  $this->assertEquals($literal, twig_escape_filter($this->env, $literal, 'css'));
311  } else {
312  $literal = $this->codepointToUtf8($chr);
313  $this->assertNotEquals(
314  $literal,
315  twig_escape_filter($this->env, $literal, 'css'),
316  "$literal should be escaped!");
317  }
318  }
319  }
320 }
Twig_Test_EscapingTest\codepointToUtf8
codepointToUtf8($codepoint)
Convert a Unicode Codepoint to a literal UTF-8 character.
Definition: escapingTest.php:233
$result
$result
Definition: CleanUpTest.php:463
Twig_Test_EscapingTest\$htmlAttrSpecialChars
$htmlAttrSpecialChars
Definition: escapingTest.php:22
Twig_Test_EscapingTest\testJavascriptEscapingReturnsStringIfContainsOnlyDigits
testJavascriptEscapingReturnsStringIfContainsOnlyDigits()
Definition: escapingTest.php:178
Twig_Test_EscapingTest\testCssEscapingEscapesOwaspRecommendedRanges
testCssEscapingEscapesOwaspRecommendedRanges()
Definition: escapingTest.php:302
Twig_Test_EscapingTest\testHtmlAttributeEscapingConvertsSpecialChars
testHtmlAttributeEscapingConvertsSpecialChars()
Definition: escapingTest.php:159
Twig_Test_EscapingTest\$htmlSpecialChars
$htmlSpecialChars
All character encodings supported by htmlspecialchars().
Definition: escapingTest.php:14
Twig_Test_EscapingTest\$env
$env
Definition: escapingTest.php:145
Twig_Test_EscapingTest\testCssEscapingConvertsSpecialChars
testCssEscapingConvertsSpecialChars()
Definition: escapingTest.php:183
Twig_Test_EscapingTest\testCssEscapingReturnsStringIfContainsOnlyDigits
testCssEscapingReturnsStringIfContainsOnlyDigits()
Definition: escapingTest.php:195
Twig_Test_EscapingTest
This class is adapted from code coming from Zend Framework.
Definition: escapingTest.php:9
Twig_Test_EscapingTest\$jsSpecialChars
$jsSpecialChars
Definition: escapingTest.php:52
Twig_Test_EscapingTest\testJavascriptEscapingReturnsStringIfZeroLength
testJavascriptEscapingReturnsStringIfZeroLength()
Definition: escapingTest.php:173
Twig_Test_EscapingTest\testUrlEscapingConvertsSpecialChars
testUrlEscapingConvertsSpecialChars()
Definition: escapingTest.php:200
Twig_Test_EscapingTest\testHtmlEscapingConvertsSpecialChars
testHtmlEscapingConvertsSpecialChars()
Definition: escapingTest.php:152
Twig_Test_EscapingTest\testUnicodeCodepointConversionToUtf8
testUnicodeCodepointConversionToUtf8()
Range tests to confirm escaped range of characters is within OWASP recommendation.
Definition: escapingTest.php:215
Twig_Test_EscapingTest\testCssEscapingReturnsStringIfZeroLength
testCssEscapingReturnsStringIfZeroLength()
Definition: escapingTest.php:190
Twig_Test_EscapingTest\testJavascriptEscapingEscapesOwaspRecommendedRanges
testJavascriptEscapingEscapesOwaspRecommendedRanges()
Definition: escapingTest.php:256
Twig_Test_EscapingTest\$cssSpecialChars
$cssSpecialChars
Definition: escapingTest.php:116
Twig_Test_EscapingTest\testJavascriptEscapingConvertsSpecialChars
testJavascriptEscapingConvertsSpecialChars()
Definition: escapingTest.php:166
Twig_Test_EscapingTest\testHtmlAttributeEscapingEscapesOwaspRecommendedRanges
testHtmlAttributeEscapingEscapesOwaspRecommendedRanges()
Definition: escapingTest.php:279
Twig_Environment
Stores the Twig configuration.
Definition: Environment.php:17
Twig_Test_EscapingTest\$urlSpecialChars
$urlSpecialChars
Definition: escapingTest.php:81
$key
$key
Definition: croninfo.php:18
Twig_Test_EscapingTest\setUp
setUp()
Definition: escapingTest.php:147