From a720128456a3309fc45d3272ad1ca5e341637285 Mon Sep 17 00:00:00 2001 From: srosse <stephane.rosse@frentix.com> Date: Fri, 17 May 2019 12:01:52 +0200 Subject: [PATCH] no-jira: parametrized XSS filter test --- .../util/filter/impl/XSSFilterParamTest.java | 212 +++++++++++++++ .../core/util/filter/impl/XSSFilterTest.java | 254 +----------------- .../java/org/olat/test/AllTestsJunit4.java | 1 + 3 files changed, 215 insertions(+), 252 deletions(-) create mode 100644 src/test/java/org/olat/core/util/filter/impl/XSSFilterParamTest.java diff --git a/src/test/java/org/olat/core/util/filter/impl/XSSFilterParamTest.java b/src/test/java/org/olat/core/util/filter/impl/XSSFilterParamTest.java new file mode 100644 index 00000000000..522203454d5 --- /dev/null +++ b/src/test/java/org/olat/core/util/filter/impl/XSSFilterParamTest.java 
@@ -0,0 +1,212 @@ +/** + * <a href="http://www.openolat.org"> + * OpenOLAT - Online Learning and Training</a><br> + * <p> + * Licensed under the Apache License, Version 2.0 (the "License"); <br> + * you may not use this file except in compliance with the License.<br> + * You may obtain a copy of the License at the + * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a> + * <p> + * Unless required by applicable law or agreed to in writing,<br> + * software distributed under the License is distributed on an "AS IS" BASIS, <br> + * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br> + * See the License for the specific language governing permissions and <br> + * limitations under the License. + * <p> + * Initial code contributed and copyrighted by<br> + * frentix GmbH, http://www.frentix.com + * <p> + */ +package org.olat.core.util.filter.impl; + +import java.util.Arrays; +import java.util.Collection; + +import org.junit.Assert; +import org.junit.Test; +import org.junit.runner.RunWith; +import org.junit.runners.Parameterized; +import org.junit.runners.Parameterized.Parameters; +import org.olat.core.util.filter.Filter; + +/** + * Description:<br> + * This test case tests the cross site scripting filter + * + * <P> + * Initial Date: 14.07.2009 <br> + * @author gnaegi + * @author Roman Haag, roman.haag@frentix.com + */ +@RunWith(Parameterized.class) +public class XSSFilterParamTest { + + @Parameters + public static Collection<Object[]> data() { + return Arrays.asList(new Object[][] { + { null, null }, + { "", "" }, + { "hello", "hello" }, + { "°+\"*ç%&/()=?`", "°+"*ç%&/()=?`" }, + { "Du & ich", "Du & ich" }, + { "Du & ich", "Du & ich" }, + { "Du @ ich", "Du @ ich" }, + { "1<2", "1<2" }, + { "2>1", "2>1" }, + { " "," " }, + // test_balancing_tags + { "<b>hello", "<b>hello</b>" }, + { "<b>hello", "<b>hello</b>" }, + { "hello<b>", "hello" }, + { "hello</b>", "hello" }, + { "hello<b/>", "hello" }, + { "<b><b><b>hello", 
"<b><b><b>hello</b></b></b>" }, + { "</b><b>", "" }, + { "<b><i>hello</b>", "<b><i>hello</i></b>" }, + { "<b><i><em>hello</em></b>", "<b><i><em>hello</em></i></b>" }, + // test_end_slashes() + { "<img>", "<img />" }, + { "<img/>", "<img />" }, + { "<b/></b>", "" }, + // test_balancing_angle_brackets() + { "<img src=\"foo\"", "<img src=\"foo\" />" }, + { "b>", "b>" }, + { "<img src=\"foo\"/", "<img src=\"foo\" />" }, + { ">", ">" }, + //FIXME: what to do? it should work if in another tag! + // { "foo<b", "foo<b" }, + // { "<span>foo<b</span>", "<span>foo<b</span>" }, + // { "b>foo", "b>foo" }, + // { "><b", "><b" }, + // { "><f", "><f" }, + { "b><", "b><" }, + { "><b>", ">" }, + // test_attributes() + { "<img src=foo>", "<img src=\"foo\" />" }, + { "<img asrc=foo>", "<img />" }, + { "<span title=\"bli\" > </span>", "<span title=\"bli\"> </span>" }, + { "<img src=test test>", "<img src=\"test\" />" }, + { "<img src=\"blibla\" alt=\"blubb\">", "<img alt=\"blubb\" src=\"blibla\" />" }, + //alt cannot contain < , title will allow it for jsMath + { "<img src=\"blibla\" alt=\"a>b\">", "<img src=\"blibla\" />" }, + // test_disallow_script_tags() + { "script", "script" }, + { "<script>", "" }, + // { "<script", "<script" }, + { "<script", "" }, + { "<script/>", "" }, + { "</script>", "" }, + { "<script woo=yay>", "" }, + { "<script woo=\"yay\">", "" }, + { "<script woo=\"yay>", "" }, + { "<script woo=\"yay<b>", "" }, + { "<script<script>>", "" }, + { "<<script>script<script>>", "<" }, + { "<<script><script>>", "<" }, + { "<<script>script>>", "<" }, + { "<<script<script>>", "<" }, + // test_protocols() + { "<a href=\"http://foo\">bar</a>", "<a href=\"http://foo\">bar</a>" }, + // we don't allow ftp. + //FIXME: is this ok? 
(strip link) + // { "<a href=\"ftp://foo\">bar</a>", "<a href=\"#foo\">bar</a>" }, + { "<a href=\"ftp://foo\">bar</a>", "bar" }, + { "<a href=\"mailto:foo\">bar</a>", "<a href=\"mailto:foo\">bar</a>" }, + { "<a href=\"mailto:foo@frentix.com\">bar</a>", "<a href=\"mailto:foo@frentix.com\">bar</a>" }, + { "<a href=\"javascript:foo\">bar</a>", "bar" }, + { "<a href=\"java script:foo\">bar</a>", "bar" }, + { "<a href=\"java\tscript:foo\">bar</a>", "bar" }, + { "<a href=\"java\nscript:foo\">bar</a>", "bar" }, + { "<a href=\"java" + String.valueOf((char) 1) + "script:foo\">bar</a>", "bar" }, + { "<a href=\"jscript:foo\">bar</a>", "bar" }, + { "<a href=\"vbscript:foo\">bar</a>", "bar" }, + { "<a href=\"view-source:foo\">bar</a>", "bar" }, + { "<a href=\"view-source@foo\">bar</a>", "bar" }, + // test_link() { + { "<a href=\"blibla.html\" alt=\"blub\" target=\"_blank\">new window link</A>", "<a alt=\"blub\" href=\"blibla.html\" target=\"_blank\">new window link</a>" }, + // test_link_htmlEntities() { + { "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&gen--496\">new window link</a>" }, + { "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Sägen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Sägen--496\">new window link</a>" }, + { "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Ságen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Ságen--496\">new window link</a>" }, + + //escape unkown entity + { "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>" }, + //check if escaped result is allowed + { "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>", "<a 
href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>" }, + // test_link_complexer(){ + { "<a class=\"o_icon_link_extern\" target=\"_blank\" href=\"http://www.frentix.com\" onclick=\"javascript:alert('hallo');\" title=\"a good link\">a complicated link</a>", + "<a class=\"o_icon_link_extern\" href=\"http://www.frentix.com\" target=\"_blank\" title=\"a good link\">a complicated link</a>" }, + // test_self_closing_tags() { + { "<img src=\"a\">", "<img src=\"a\" />" }, + { "<img src=\"a\">foo</img>", "<img src=\"a\" />foo" }, + { "</img>", "" }, + // test_comments() + { "<!-- a<b --->", "" }, + { "<!-- a<b -->don't remove me<!-- hello world -->", "don't remove me" }, + { "<!-- a<b \n <!-- hello world \n -->", "" }, + { "<!--comments1--> visible text <!--comments2-->", " visible text " }, + // test_tiny_paragraph() + { "<span>bliblablu</span>", "<span>bliblablu</span>" }, + { "<p style=\"text-align: right;\">right orientation</p>", "<p style=\"text-align: right;\">right orientation</p>" }, + { "<h1>Big font</h1>", "<h1>Big font</h1>" }, + { "<h7>small font</h7>", "small font" }, + { "<span style=\"font-family: wingdings;\">invalid font</span>", "<span style=\"font-family: wingdings;\">invalid font</span>" }, + { "<span style=\"font-family: serif;\">invalid font</span>", "<span style=\"font-family: serif;\">invalid font</span>" }, + //FIXME:RH: to allow multiple fonts (as output from tiny) + //committed as bug: http://code.google.com/p/owaspantisamy/issues/detail?id=49 + // { "<span style=\"font-family: serif, arial;\">preformated</span>", "<span style=\"font-family: courier new , courier;\">preformated</span>" }, + { "<span class=\"schoen\">irgendwas</span>", "<span class=\"schoen\">irgendwas</span>" }, + // test_style_rgb(){ + { "<p style=\"background-color: rgb(0%,0,0);\">background</p>", "<p>background</p>" }, + { "<p style=\"background-color: rgba(100%,0,0);\">background</p>", "<p style=\"\">background</p>" }, + { "<p 
style=\"background-color: rgb(100,50,50);\">background</p>", "<p style=\"background-color: rgb(100,50,50);\">background</p>" }, + // test_tiny_lists(){ + //lists (output without \n as policy has formatOutput = false + { "<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>", "<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>" }, + { "<ol style=\"font-size: 20pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>", "<ol style=\"font-size: 20.0pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>" }, + // test_tiny_tables() + //tables + { "<table border=\"1\" style=\"width: 268px; height: 81px;\" class=\"table\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>", "<table border=\"1\" class=\"table\" style=\"width: 268.0px;height: 81.0px;\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>" }, + { "<tr style=\"background-color: rgb(46, 147, 209);\">\n<td style=\"border: 1px solid rgb(240, 68, 14);\">asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>","\nasf\n\n<p>asdf</p>\n" }, + // test_tiny_singleElements(){ + //sup/sub + { "<p><sup>super</sup>script <sub>sub</sub>script</p>", "<p><sup>super</sup>script <sub>sub</sub>script</p>" }, + // test_tiny_jsmath(){ + + { "<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\"> </span>","<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\"> </span>" }, + // should be saved with entities not with < etc... 
+ // { "<span title=\"a>b\"> </span>", "<span title=\"a>b\"> </span>" }, + // test_font_awesome() { + // for now i tags must have at least a space to not b removed + { "<i class=\"o_icon o_icon_dev\"> </i> ", "<i class=\"o_icon o_icon_dev\"> </i> " }, + // test_figure() { + // for now i tags must have at least a space to not b removed + { "<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>", "<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>" }, + // test_big_tiny_output + { "<br>", "<br />" } + }); + } + + private Filter vFilter = new OWASPAntiSamyXSSFilter(-1, true); + + private String input; + private String output; + + public XSSFilterParamTest(String input, String output) { + this.input = input; + this.output = output; + } + + @Test + public void filter() { + String filterRes = vFilter.filter(input); + if (filterRes == output || filterRes.equals(output)){ + System.out.println("------------------------------------------------"); + } else { + System.out.println("---------------- E R R O R ---------------------"); + } + System.out.println(" Expected: " + output); + System.out.println("************************************************\n\n"); + Assert.assertEquals(output, filterRes); + } +} diff --git a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java index 0cea7ead23c..94b11dd3314 100644 --- a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java +++ b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java 
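Review bot: When a row fails, the banner in `filter()` near the end of the hunk prints only the expected string, and the parameterized test is reported as `filter[n]`, so neither the offending input nor the actual filter output appears in the test report. Printing both before the assert, `System.out.println(" Input: " + input); System.out.println(" Actual: " + filterRes);`, and, if the project's JUnit 4 is 4.11 or newer, naming the rows with `@Parameters(name = "{index}: {0}")` would make the failing case identifiable at a glance. The guard `filterRes == output || filterRes.equals(output)` raises a NullPointerException instead of an assertion failure if the filter ever returns null for a non-null expectation; `Objects.equals(filterRes, output)` from `java.util.Objects` covers both branches without that hazard. The `{ null, null }` row relies on the filter passing null through, which I take from the data rather than from anything visible in the hunk. The table also carries two rows absent from the removed tests (`Du @ ich` and `view-source@foo`); since the commit title announces only the parametrization, a word about the added coverage in the message would help later readers.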
@@ -21,52 +21,26 @@ package org.olat.core.util.filter.impl; import static org.assertj.core.api.Assertions.assertThat; -import org.junit.After; import org.junit.Assert; -import org.junit.Before; import org.junit.Test; -import org.junit.runner.RunWith; -import org.junit.runners.JUnit4; import org.olat.core.util.filter.Filter; import org.olat.core.util.filter.impl.OWASPAntiSamyXSSFilter.Variant; /** * Description:<br> - * This test case tests the cross site scripting filter + * This test case tests special cases of the cross site scripting filter * * <P> * Initial Date: 14.07.2009 <br> * @author gnaegi * @author Roman Haag, roman.haag@frentix.com */ -@RunWith(JUnit4.class) public class XSSFilterTest { - protected Filter vFilter; - private int counter; - private int testsToRun; - - @Before - public void setup() { - vFilter = new OWASPAntiSamyXSSFilter(-1, true); - counter = 0; - testsToRun = 0; - } - - @After - public void tearDown() { - vFilter = null; - System.out.println("Run " + counter + " out of " + testsToRun + " testcases successfully.\n\n"); - } - - private void t(String input, String result) { - t(input, result, vFilter); - } private void t(String input, String result, Filter f) { String filterRes = f.filter(input); if (filterRes == result || filterRes.equals(result)){ - counter ++; System.out.println("------------------------------------------------"); } else { System.out.println("---------------- E R R O R ---------------------"); 
@@ -76,228 +50,12 @@ public class XSSFilterTest { Assert.assertEquals(result, filterRes); } - @Test - public void test_basics() { - testsToRun = 8; - t(null,null); - t("", ""); - t("hello", "hello"); - t("°+\"*ç%&/()=?`", "°+"*ç%&/()=?`"); - t("Du & ich", "Du & ich"); - t("Du & ich", "Du & ich"); - t("1<2", "1<2"); - t("2>1", "2>1"); - t(" "," "); - } - - @Test - public void test_balancing_tags() { - testsToRun = 9; - t("<b>hello", "<b>hello</b>"); - t("<b>hello", "<b>hello</b>"); - t("hello<b>", "hello"); - t("hello</b>", "hello"); - t("hello<b/>", "hello"); - t("<b><b><b>hello", "<b><b><b>hello</b></b></b>"); - t("</b><b>", ""); - t("<b><i>hello</b>", "<b><i>hello</i></b>"); - t("<b><i><em>hello</em></b>", "<b><i><em>hello</em></i></b>"); - } - - @Test - public void test_end_slashes() { - testsToRun = 3; - t("<img>", "<img />"); - t("<img/>", "<img />"); - t("<b/></b>", ""); - } - - @Test - public void test_balancing_angle_brackets() { - testsToRun = 9; - t("<img src=\"foo\"", "<img src=\"foo\" />"); - t("b>", "b>"); - t("<img src=\"foo\"/", "<img src=\"foo\" />"); - t(">", ">"); - //FIXME: what to do? it should work if in another tag! 
-// t("foo<b", "foo<b"); -// t("<span>foo<b</span>", "<span>foo<b</span>"); -// t("b>foo", "b>foo"); -// t("><b", "><b"); -// t("><f", "><f"); - t("b><", "b><"); - t("><b>", ">"); - } - - @Test - public void test_attributes() { - testsToRun = 6; - t("<img src=foo>", "<img src=\"foo\" />"); - t("<img asrc=foo>", "<img />"); - t("<span title=\"bli\" > </span>", "<span title=\"bli\"> </span>"); - t("<img src=test test>", "<img src=\"test\" />"); - t("<img src=\"blibla\" alt=\"blubb\">", "<img alt=\"blubb\" src=\"blibla\" />"); - //alt cannot contain < , title will allow it for jsMath - t("<img src=\"blibla\" alt=\"a>b\">", "<img src=\"blibla\" />"); - } - - @Test - public void test_disallow_script_tags() { - testsToRun = 14; - t("script", "script"); - t("<script>", ""); -// t("<script", "<script"); - t("<script", ""); - t("<script/>", ""); - t("</script>", ""); - t("<script woo=yay>", ""); - t("<script woo=\"yay\">", ""); - t("<script woo=\"yay>", ""); - t("<script woo=\"yay<b>", ""); - t("<script<script>>", ""); - t("<<script>script<script>>", "<"); - t("<<script><script>>", "<"); - t("<<script>script>>", "<"); - t("<<script<script>>", "<"); - } - - @Test - public void test_protocols() { - testsToRun = 11; - t("<a href=\"http://foo\">bar</a>", "<a href=\"http://foo\">bar</a>"); - // we don't allow ftp. - //FIXME: is this ok? 
(strip link) -// t("<a href=\"ftp://foo\">bar</a>", "<a href=\"#foo\">bar</a>"); - t("<a href=\"ftp://foo\">bar</a>", "bar"); - t("<a href=\"mailto:foo\">bar</a>", "<a href=\"mailto:foo\">bar</a>"); - t("<a href=\"javascript:foo\">bar</a>", "bar"); - t("<a href=\"java script:foo\">bar</a>", "bar"); - t("<a href=\"java\tscript:foo\">bar</a>", "bar"); - t("<a href=\"java\nscript:foo\">bar</a>", "bar"); - t("<a href=\"java" + String.valueOf((char) 1) + "script:foo\">bar</a>", "bar"); - t("<a href=\"jscript:foo\">bar</a>", "bar"); - t("<a href=\"vbscript:foo\">bar</a>", "bar"); - t("<a href=\"view-source:foo\">bar</a>", "bar"); - } - - @Test - public void test_link() { - testsToRun = 1; - t("<a href=\"blibla.html\" alt=\"blub\" target=\"_blank\">new window link</A>", "<a alt=\"blub\" href=\"blibla.html\" target=\"_blank\">new window link</a>"); - } - - @Test - public void test_link_htmlEntities() { - testsToRun = 1; - t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&gen--496\">new window link</a>"); - t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Sägen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Sägen--496\">new window link</a>"); - t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Ságen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_Ságen--496\">new window link</a>"); - - //escape unkown entity - t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>"); - //check if escaped result is allowed - t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>"); - } - 
- @Test - public void test_link_complexer(){ - testsToRun = 1; - t("<a class=\"o_icon_link_extern\" target=\"_blank\" href=\"http://www.frentix.com\" onclick=\"javascript:alert('hallo');\" title=\"a good link\">a complicated link</a>", - "<a class=\"o_icon_link_extern\" href=\"http://www.frentix.com\" target=\"_blank\" title=\"a good link\">a complicated link</a>"); - } - - @Test - public void test_self_closing_tags() { - testsToRun = 3; - t("<img src=\"a\">", "<img src=\"a\" />"); - t("<img src=\"a\">foo</img>", "<img src=\"a\" />foo"); - t("</img>", ""); - } - - @Test - public void test_comments() { - testsToRun = 4; - t("<!-- a<b --->", ""); - t("<!-- a<b -->don't remove me<!-- hello world -->", "don't remove me"); - t("<!-- a<b \n <!-- hello world \n -->", ""); - t("<!--comments1--> visible text <!--comments2-->", " visible text "); - } - - @Test - public void test_tiny_paragraph(){ - testsToRun = 8; - t("<span>bliblablu</span>", "<span>bliblablu</span>"); - t("<p style=\"text-align: right;\">right orientation</p>", "<p style=\"text-align: right;\">right orientation</p>"); - t("<h1>Big font</h1>", "<h1>Big font</h1>"); - t("<h7>small font</h7>", "small font"); - t("<span style=\"font-family: wingdings;\">invalid font</span>", "<span style=\"font-family: wingdings;\">invalid font</span>"); - t("<span style=\"font-family: serif;\">invalid font</span>", "<span style=\"font-family: serif;\">invalid font</span>"); - //FIXME:RH: to allow multiple fonts (as output from tiny) - //committed as bug: http://code.google.com/p/owaspantisamy/issues/detail?id=49 -// t("<span style=\"font-family: serif, arial;\">preformated</span>", "<span style=\"font-family: courier new , courier;\">preformated</span>"); - t("<span class=\"schoen\">irgendwas</span>", "<span class=\"schoen\">irgendwas</span>"); - } - - /** - * This checks a bug in Batik - */ - @Test - public void test_style_rgb(){ - t("<p style=\"background-color: rgb(0%,0,0);\">background</p>", "<p>background</p>"); - t("<p 
style=\"background-color: rgba(100%,0,0);\">background</p>", "<p style=\"\">background</p>"); - t("<p style=\"background-color: rgb(100,50,50);\">background</p>", "<p style=\"background-color: rgb(100,50,50);\">background</p>"); - } - - @Test - public void test_tiny_lists(){ - testsToRun = 2; - //lists (output without \n as policy has formatOutput = false - t("<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>", "<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>"); - t("<ol style=\"font-size: 20pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>", "<ol style=\"font-size: 20.0pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>"); - } - - @Test - public void test_tiny_tables(){ - testsToRun = 2; - //tables - t("<table border=\"1\" style=\"width: 268px; height: 81px;\" class=\"table\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>", "<table border=\"1\" class=\"table\" style=\"width: 268.0px;height: 81.0px;\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>"); - t("<tr style=\"background-color: rgb(46, 147, 209);\">\n<td style=\"border: 1px solid rgb(240, 68, 14);\">asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>","\nasf\n\n<p>asdf</p>\n"); - } - - @Test - public void test_tiny_singleElements(){ - testsToRun = 1; - //sup/sub - t("<p><sup>super</sup>script <sub>sub</sub>script</p>", "<p><sup>super</sup>script <sub>sub</sub>script</p>"); - - - } - - @Test - public void test_tiny_jsmath(){ - testsToRun = 2; - t("<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\"> </span>","<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\"> </span>"); - // should be saved with entities not with < etc... 
-// t("<span title=\"a>b\"> </span>", "<span title=\"a>b\"> </span>"); - } - - @Test - public void test_font_awesome() { - // for now i tags must have at least a space to not b removed - t("<i class=\"o_icon o_icon_dev\"> </i> ", "<i class=\"o_icon o_icon_dev\"> </i> "); - } - - @Test - public void test_figure() { - // for now i tags must have at least a space to not b removed - t("<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>", "<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>"); - } - @Test public void test_edusharing() { String html = "<img src=\"/olat/edusharing/preview?objectUrl=ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da&version=1.0\" data-es_identifier=\"2083dbe64f00b07232b11608ec0842fc\" data-es_objecturl=\"ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da\" data-es_version=\"1.0\" data-es_version_current=\"1.0\" data-es_mediatype='i23' data-es_mimetype=\"image/png\" data-es_width=\"1000\" data-es_height=\"446\" data-es_first_edit=\"false\" class=\"edusharing\" alt=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" title=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" width=\"1000\" height=\"446\">"; // t() did not work, because antisamy changed the order of the attributes + Filter vFilter = new OWASPAntiSamyXSSFilter(-1, true); String filtered = vFilter.filter(html); assertThat(filtered).contains("src"); assertThat(filtered).contains("width"); @@ -310,14 +68,6 @@ public class XSSFilterTest { assertThat(filtered).contains("es_width"); assertThat(filtered).contains("es_height"); } - - @Test - public void test_big_tiny_output(){ - testsToRun = 1; - String input = "<br>"; - String output = "<br />"; - t(input,output); - } @Test public void test_rawText() { diff --git a/src/test/java/org/olat/test/AllTestsJunit4.java b/src/test/java/org/olat/test/AllTestsJunit4.java index da439120cb9..fdc4532321c 100644 --- a/src/test/java/org/olat/test/AllTestsJunit4.java 
+++ b/src/test/java/org/olat/test/AllTestsJunit4.java
@@ -53,6 +53,7 @@ import org.junit.runners.Suite;
 org.olat.core.util.vfs.VFSTest.class,
 org.olat.core.util.vfs.VFSManagerTest.class,
 org.olat.core.util.filter.impl.XSSFilterTest.class,
+ org.olat.core.util.filter.impl.XSSFilterParamTest.class,
 org.olat.core.util.filter.impl.AddBaseURLToMediaRelativeURLFilterTest.class,
 org.olat.core.util.filter.impl.SimpleHTMLTagsFilterTest.class,
 org.olat.core.util.filter.impl.NekoHTMLFilterTest.class,
--
GitLab