no-jira: parametrized XSS filter test

a7201284 · srosse · 0e749dea · a7201284 · a7201284 · a7201284
Commit a7201284 authored 5 years ago by srosse
--- a/src/test/java/org/olat/core/util/filter/impl/XSSFilterParamTest.java
+++ b/src/test/java/org/olat/core/util/filter/impl/XSSFilterParamTest.java
+/**
+ * <a href="http://www.openolat.org">
+ * OpenOLAT - Online Learning and Training</a><br>
+ * <p>
+ * Licensed under the Apache License, Version 2.0 (the "License"); <br>
+ * you may not use this file except in compliance with the License.<br>
+ * You may obtain a copy of the License at the
+ * <a href="http://www.apache.org/licenses/LICENSE-2.0">Apache homepage</a>
+ * <p>
+ * Unless required by applicable law or agreed to in writing,<br>
+ * software distributed under the License is distributed on an "AS IS" BASIS, <br>
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. <br>
+ * See the License for the specific language governing permissions and <br>
+ * limitations under the License.
+ * <p>
+ * Initial code contributed and copyrighted by<br>
+ * frentix GmbH, http://www.frentix.com
+ * <p>
+ */
+package org.olat.core.util.filter.impl;
+import java.util.Arrays;
+import java.util.Collection;
+import org.junit.Assert;
+import org.junit.Test;
+import org.junit.runner.RunWith;
+import org.junit.runners.Parameterized;
+import org.junit.runners.Parameterized.Parameters;
+import org.olat.core.util.filter.Filter;
+/**
+ * Description:<br>
+ * This test case tests the cross site scripting filter
+ * 
+ * <P>
+ * Initial Date:  14.07.2009 <br>
+ * @author gnaegi
+ * @author Roman Haag, roman.haag@frentix.com
+ */
+@RunWith(Parameterized.class)
+public class XSSFilterParamTest {
+	@Parameters
+    public static Collection<Object[]> data() {
+        return Arrays.asList(new Object[][] {
+        	{ null, null },
+        	{ "", "" },
+	        { "hello", "hello" },
+			{ "°+\"*ç%&/()=?`", "&deg;+&quot;*&ccedil;%&amp;/()=?`" },
+			{ "Du &amp; ich", "Du &amp; ich" },
+			{ "Du & ich", "Du &amp; ich" },
+			{ "Du @ ich", "Du @ ich" },
+			{ "1<2", "1&lt;2" },
+			{ "2>1", "2&gt;1" },
+			{ "&nbsp;","&nbsp;" },
+			// test_balancing_tags
+			{ "<b>hello", "<b>hello</b>" },
+			{ "<b>hello", "<b>hello</b>" },
+			{ "hello<b>", "hello" },
+			{ "hello</b>", "hello" },
+			{ "hello<b/>", "hello" },
+			{ "<b><b><b>hello", "<b><b><b>hello</b></b></b>" },
+			{ "</b><b>", "" },
+			{ "<b><i>hello</b>", "<b><i>hello</i></b>" },
+			{ "<b><i><em>hello</em></b>", "<b><i><em>hello</em></i></b>" },
+			// test_end_slashes()
+			{ "<img>", "<img />" },
+			{ "<img/>", "<img />" },
+			{ "<b/></b>", "" },
+			// test_balancing_angle_brackets()
+			{ "<img src=\"foo\"", "<img src=\"foo\" />" },
+			{ "b>", "b&gt;" },
+			{ "<img src=\"foo\"/", "<img src=\"foo\" />" },
+			{ ">", "&gt;" },
+			//FIXME: what to do? it should work if in another tag!
+	//		{ "foo<b", "foo&lt;b" },
+	//		{ "<span>foo<b</span>", "<span>foo<b</span>" },
+	//		{ "b>foo", "b&gt;foo" },
+	//		{ "><b", "&gt;&lt;b" },
+	//		{ "><f", "&gt;&lt;f" },
+			{ "b><", "b&gt;&lt;" },
+			{ "><b>", "&gt;" },
+			// test_attributes()
+			{ "<img src=foo>", "<img src=\"foo\" />" },
+			{ "<img asrc=foo>", "<img />" },
+			{ "<span       title=\"bli\"  >&nbsp;</span>", "<span title=\"bli\">&nbsp;</span>" },
+			{ "<img src=test test>", "<img src=\"test\" />" },
+			{ "<img src=\"blibla\" alt=\"blubb\">", "<img alt=\"blubb\" src=\"blibla\" />" },
+			//alt cannot contain < , title will allow it for jsMath
+			{ "<img src=\"blibla\" alt=\"a>b\">", "<img src=\"blibla\" />" }, 
+			// test_disallow_script_tags()
+			{ "script", "script" },
+			{ "<script>", "" },
+	//		{ "<script", "&lt;script" },
+			{ "<script", "" },
+			{ "<script/>", "" },
+			{ "</script>", "" },
+			{ "<script woo=yay>", "" },
+			{ "<script woo=\"yay\">", "" },
+			{ "<script woo=\"yay>", "" },
+			{ "<script woo=\"yay<b>", "" },
+			{ "<script<script>>", "" },
+			{ "<<script>script<script>>", "&lt;" },
+			{ "<<script><script>>", "&lt;" },
+			{ "<<script>script>>", "&lt;" },
+			{ "<<script<script>>", "&lt;" },
+			// test_protocols()
+			{ "<a href=\"http://foo\">bar</a>", "<a href=\"http://foo\">bar</a>" },
+			// we don't allow ftp. 
+			//FIXME: is this ok? (strip link)
+	//		{ "<a href=\"ftp://foo\">bar</a>", "<a href=\"#foo\">bar</a>" },
+			{ "<a href=\"ftp://foo\">bar</a>", "bar" },
+			{ "<a href=\"mailto:foo\">bar</a>",	"<a href=\"mailto:foo\">bar</a>" },
+			{ "<a href=\"mailto:foo@frentix.com\">bar</a>",	"<a href=\"mailto:foo@frentix.com\">bar</a>" },
+			{ "<a href=\"javascript:foo\">bar</a>", "bar" },
+			{ "<a href=\"java script:foo\">bar</a>", "bar" },
+			{ "<a href=\"java\tscript:foo\">bar</a>", "bar" },
+			{ "<a href=\"java\nscript:foo\">bar</a>", "bar" },
+			{ "<a href=\"java" + String.valueOf((char) 1) + "script:foo\">bar</a>", "bar" },
+			{ "<a href=\"jscript:foo\">bar</a>", "bar" },
+			{ "<a href=\"vbscript:foo\">bar</a>", "bar" },
+			{ "<a href=\"view-source:foo\">bar</a>", "bar" },
+			{ "<a href=\"view-source@foo\">bar</a>", "bar" },
+			// test_link() {
+			{ "<a href=\"blibla.html\" alt=\"blub\" target=\"_blank\">new window link</A>", "<a alt=\"blub\" href=\"blibla.html\" target=\"_blank\">new window link</a>" },
+			// test_link_htmlEntities() {
+			{ "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;gen--496\">new window link</a>" },
+			{ "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&auml;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&auml;gen--496\">new window link</a>" },
+			{ "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&aacute;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&aacute;gen--496\">new window link</a>" },
+			//escape unkown entity
+			{ "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;xss;gen--496\">new window link</a>" },
+			//check if escaped result is allowed
+			{ "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;xss;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;xss;gen--496\">new window link</a>" },
+			// test_link_complexer(){
+			{ "<a class=\"o_icon_link_extern\" target=\"_blank\" href=\"http://www.frentix.com\" onclick=\"javascript:alert('hallo');\" title=\"a good link\">a complicated link</a>",
+					"<a class=\"o_icon_link_extern\" href=\"http://www.frentix.com\" target=\"_blank\" title=\"a good link\">a complicated link</a>" },
+			// test_self_closing_tags() {
+			{ "<img src=\"a\">", "<img src=\"a\" />" },
+			{ "<img src=\"a\">foo</img>", "<img src=\"a\" />foo" },
+			{ "</img>", "" },
+			// test_comments()
+			{ "<!-- a<b --->", "" },
+			{ "<!-- a<b -->don't remove me<!-- hello world -->", "don't remove me" },
+			{ "<!-- a<b  \n <!-- hello world \n -->", "" },
+			{ "<!--comments1--> visible text <!--comments2-->", " visible text " },
+			// test_tiny_paragraph()
+			{ "<span>bliblablu</span>", "<span>bliblablu</span>" },
+			{ "<p style=\"text-align: right;\">right orientation</p>", "<p style=\"text-align: right;\">right orientation</p>" },
+			{ "<h1>Big font</h1>", "<h1>Big font</h1>" },
+			{ "<h7>small font</h7>", "small font" },
+			{ "<span style=\"font-family: wingdings;\">invalid font</span>", "<span style=\"font-family: wingdings;\">invalid font</span>" },
+			{ "<span style=\"font-family: serif;\">invalid font</span>", "<span style=\"font-family: serif;\">invalid font</span>" },
+			//FIXME:RH: to allow multiple fonts (as output from tiny)
+			//committed as bug: http://code.google.com/p/owaspantisamy/issues/detail?id=49
+	//		{ "<span style=\"font-family: serif, arial;\">preformated</span>", "<span style=\"font-family: courier new , courier;\">preformated</span>" },
+			{ "<span class=\"schoen\">irgendwas</span>", "<span class=\"schoen\">irgendwas</span>" },
+			// test_style_rgb(){
+			{ "<p style=\"background-color: rgb(0%,0,0);\">background</p>", "<p>background</p>" },
+			{ "<p style=\"background-color: rgba(100%,0,0);\">background</p>", "<p style=\"\">background</p>" },
+			{ "<p style=\"background-color: rgb(100,50,50);\">background</p>", "<p style=\"background-color: rgb(100,50,50);\">background</p>" },
+			// test_tiny_lists(){
+			//lists (output without \n as policy has formatOutput = false		
+			{ "<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>", "<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>" },
+			{ "<ol style=\"font-size: 20pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>", "<ol style=\"font-size: 20.0pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>" },
+			// test_tiny_tables()
+			//tables
+			{ "<table border=\"1\" style=\"width: 268px; height: 81px;\" class=\"table\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>", "<table border=\"1\" class=\"table\" style=\"width: 268.0px;height: 81.0px;\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>" },
+			{ "<tr style=\"background-color: rgb(46, 147, 209);\">\n<td style=\"border: 1px solid rgb(240, 68, 14);\">asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>","\nasf\n\n<p>asdf</p>\n" },
+			// test_tiny_singleElements(){
+			//sup/sub
+			{ "<p><sup>super</sup>script <sub>sub</sub>script</p>", "<p><sup>super</sup>script <sub>sub</sub>script</p>" },
+			// test_tiny_jsmath(){
+			{ "<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\">&nbsp;</span>","<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\">&nbsp;</span>" },
+			// should be saved with entities not with < etc...
+	//		{ "<span title=\"a>b\">&nbsp;</span>", "<span title=\"a&gt;b\">&nbsp;</span>" },
+			// test_font_awesome() {
+			// for now i tags must have at least a space to not b removed
+			{ "<i class=\"o_icon o_icon_dev\"> </i> ", "<i class=\"o_icon o_icon_dev\"> </i> " },
+			// test_figure() {
+			// for now i tags must have at least a space to not b removed
+			{ "<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>", "<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>" },
+			// test_big_tiny_output
+			{ "<br>", "<br />" }
+        });
+    }
+    private Filter vFilter = new OWASPAntiSamyXSSFilter(-1, true);
+    private String input;
+    private String output;
+    public XSSFilterParamTest(String input, String output) {
+    	this.input = input;
+    	this.output = output;
+    }
+    @Test
+	public void filter() {
+		String filterRes = vFilter.filter(input);
+		if (filterRes == output || filterRes.equals(output)){
+			System.out.println("------------------------------------------------");
+		} else {
+			System.out.println("---------------- E R R O R ---------------------");
+		}
+		System.out.println("           Expected: " + output);
+		System.out.println("************************************************\n\n");
+		Assert.assertEquals(output, filterRes);
+	}	
+}
--- a/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java
+++ b/src/test/java/org/olat/core/util/filter/impl/XSSFilterTest.java
@@ -21,52 +21,26 @@ package org.olat.core.util.filter.impl;
 import static org.assertj.core.api.Assertions.assertThat;
-import org.junit.After;
 import org.junit.Assert;
-import org.junit.Before;
 import org.junit.Test;
-import org.junit.runner.RunWith;
-import org.junit.runners.JUnit4;
 import org.olat.core.util.filter.Filter;
 import org.olat.core.util.filter.impl.OWASPAntiSamyXSSFilter.Variant;
 /**
 * Description:<br>
- * This test case tests the cross site scripting filter
+ * This test case tests special cases of the cross site scripting filter
 * 
 * <P>
 * Initial Date:  14.07.2009 <br>
 * @author gnaegi
 * @author Roman Haag, roman.haag@frentix.com
 */
-@RunWith(JUnit4.class)
 public class XSSFilterTest {
-	protected Filter vFilter;
-	private int counter;
-	private int testsToRun;
-	@Before
-	public void setup() {
-		vFilter = new OWASPAntiSamyXSSFilter(-1, true);
-		counter = 0;
-		testsToRun = 0;
-	}
-	@After
-	public void tearDown() {
-		vFilter = null;
-		System.out.println("Run " + counter + " out of " + testsToRun + " testcases successfully.\n\n");
-	}
-	private void t(String input, String result) {
-		t(input, result, vFilter);
-	}
 	private void t(String input, String result, Filter f) {
 		String filterRes = f.filter(input);
 		if (filterRes == result || filterRes.equals(result)){
-			counter ++;
 			System.out.println("------------------------------------------------");
 		} else {
 			System.out.println("---------------- E R R O R ---------------------");
@@ -76,228 +50,12 @@ public class XSSFilterTest {
 		Assert.assertEquals(result, filterRes);
 	}
-	@Test
-	public void test_basics() {
-		testsToRun = 8;
-		t(null,null);
-		t("", "");
-		t("hello", "hello");
-		t("°+\"*ç%&/()=?`", "&deg;+&quot;*&ccedil;%&amp;/()=?`");
-		t("Du &amp; ich", "Du &amp; ich");
-		t("Du & ich", "Du &amp; ich");
-		t("1<2", "1&lt;2");
-		t("2>1", "2&gt;1");
-		t("&nbsp;","&nbsp;");
-	}
-	@Test
-	public void test_balancing_tags() {
-		testsToRun = 9;
-		t("<b>hello", "<b>hello</b>");
-		t("<b>hello", "<b>hello</b>");
-		t("hello<b>", "hello");
-		t("hello</b>", "hello");
-		t("hello<b/>", "hello");
-		t("<b><b><b>hello", "<b><b><b>hello</b></b></b>");
-		t("</b><b>", "");
-		t("<b><i>hello</b>", "<b><i>hello</i></b>");
-		t("<b><i><em>hello</em></b>", "<b><i><em>hello</em></i></b>");
-	}
-	@Test
-	public void test_end_slashes() {
-		testsToRun = 3;
-		t("<img>", "<img />");
-		t("<img/>", "<img />");
-		t("<b/></b>", "");
-	}
-	@Test
-	public void test_balancing_angle_brackets() {
-		testsToRun = 9;
-		t("<img src=\"foo\"", "<img src=\"foo\" />");
-		t("b>", "b&gt;");
-		t("<img src=\"foo\"/", "<img src=\"foo\" />");
-		t(">", "&gt;");
-		//FIXME: what to do? it should work if in another tag!
-//		t("foo<b", "foo&lt;b");
-//		t("<span>foo<b</span>", "<span>foo<b</span>");
-//		t("b>foo", "b&gt;foo");
-//		t("><b", "&gt;&lt;b");
-//		t("><f", "&gt;&lt;f");
-		t("b><", "b&gt;&lt;");
-		t("><b>", "&gt;");
-	}
-	@Test
-	public void test_attributes() {
-		testsToRun = 6;
-		t("<img src=foo>", "<img src=\"foo\" />");
-		t("<img asrc=foo>", "<img />");
-		t("<span       title=\"bli\"  >&nbsp;</span>", "<span title=\"bli\">&nbsp;</span>");
-		t("<img src=test test>", "<img src=\"test\" />");
-		t("<img src=\"blibla\" alt=\"blubb\">", "<img alt=\"blubb\" src=\"blibla\" />");
-		//alt cannot contain < , title will allow it for jsMath
-		t("<img src=\"blibla\" alt=\"a>b\">", "<img src=\"blibla\" />"); 
-	}
-	@Test
-	public void test_disallow_script_tags() {
-		testsToRun = 14;
-		t("script", "script");
-		t("<script>", "");
-//		t("<script", "&lt;script");
-		t("<script", "");
-		t("<script/>", "");
-		t("</script>", "");
-		t("<script woo=yay>", "");
-		t("<script woo=\"yay\">", "");
-		t("<script woo=\"yay>", "");
-		t("<script woo=\"yay<b>", "");
-		t("<script<script>>", "");
-		t("<<script>script<script>>", "&lt;");
-		t("<<script><script>>", "&lt;");
-		t("<<script>script>>", "&lt;");
-		t("<<script<script>>", "&lt;");
-	}
-	@Test
-	public void test_protocols() {
-		testsToRun = 11;
-		t("<a href=\"http://foo\">bar</a>", "<a href=\"http://foo\">bar</a>");
-		// we don't allow ftp. 
-		//FIXME: is this ok? (strip link)
-//		t("<a href=\"ftp://foo\">bar</a>", "<a href=\"#foo\">bar</a>");
-		t("<a href=\"ftp://foo\">bar</a>", "bar");
-		t("<a href=\"mailto:foo\">bar</a>",	"<a href=\"mailto:foo\">bar</a>");
-		t("<a href=\"javascript:foo\">bar</a>", "bar");
-		t("<a href=\"java script:foo\">bar</a>", "bar");
-		t("<a href=\"java\tscript:foo\">bar</a>", "bar");
-		t("<a href=\"java\nscript:foo\">bar</a>", "bar");
-		t("<a href=\"java" + String.valueOf((char) 1) + "script:foo\">bar</a>", "bar");
-		t("<a href=\"jscript:foo\">bar</a>", "bar");
-		t("<a href=\"vbscript:foo\">bar</a>", "bar");
-		t("<a href=\"view-source:foo\">bar</a>", "bar");
-	}
-	@Test
-	public void test_link() {
-		testsToRun = 1;
-		t("<a href=\"blibla.html\" alt=\"blub\" target=\"_blank\">new window link</A>", "<a alt=\"blub\" href=\"blibla.html\" target=\"_blank\">new window link</a>");
-	}
-	@Test
-	public void test_link_htmlEntities() {
-		testsToRun = 1;
-		t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;gen--496\">new window link</a>");
-		t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&auml;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&auml;gen--496\">new window link</a>");
-		t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&aacute;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&aacute;gen--496\">new window link</a>");
-		//escape unkown entity
-		t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&xss;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;xss;gen--496\">new window link</a>");
-		//check if escaped result is allowed
-		t("<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;xss;gen--496\">new window link</a>", "<a href=\"http://www.schreinersicht.ch/artikel/Mehr_als_nur_S&amp;xss;gen--496\">new window link</a>");
-	}
-	@Test
-	public void test_link_complexer(){
-		testsToRun = 1;
-		t("<a class=\"o_icon_link_extern\" target=\"_blank\" href=\"http://www.frentix.com\" onclick=\"javascript:alert('hallo');\" title=\"a good link\">a complicated link</a>",
-				"<a class=\"o_icon_link_extern\" href=\"http://www.frentix.com\" target=\"_blank\" title=\"a good link\">a complicated link</a>");
-	}
-	@Test
-	public void test_self_closing_tags() {
-		testsToRun = 3;
-		t("<img src=\"a\">", "<img src=\"a\" />");
-		t("<img src=\"a\">foo</img>", "<img src=\"a\" />foo");
-		t("</img>", "");
-	}
-	@Test
-	public void test_comments() {
-		testsToRun = 4;
-		t("<!-- a<b --->", "");
-		t("<!-- a<b -->don't remove me<!-- hello world -->", "don't remove me");
-		t("<!-- a<b  \n <!-- hello world \n -->", "");
-		t("<!--comments1--> visible text <!--comments2-->", " visible text ");
-	}
-	@Test
-	public void test_tiny_paragraph(){
-		testsToRun = 8;
-		t("<span>bliblablu</span>", "<span>bliblablu</span>");
-		t("<p style=\"text-align: right;\">right orientation</p>", "<p style=\"text-align: right;\">right orientation</p>");
-		t("<h1>Big font</h1>", "<h1>Big font</h1>");
-		t("<h7>small font</h7>", "small font");
-		t("<span style=\"font-family: wingdings;\">invalid font</span>", "<span style=\"font-family: wingdings;\">invalid font</span>");
-		t("<span style=\"font-family: serif;\">invalid font</span>", "<span style=\"font-family: serif;\">invalid font</span>");
-		//FIXME:RH: to allow multiple fonts (as output from tiny)
-		//committed as bug: http://code.google.com/p/owaspantisamy/issues/detail?id=49
-//		t("<span style=\"font-family: serif, arial;\">preformated</span>", "<span style=\"font-family: courier new , courier;\">preformated</span>");
-		t("<span class=\"schoen\">irgendwas</span>", "<span class=\"schoen\">irgendwas</span>");
-	}
-	/**
-	 * This checks a bug in Batik
-	 */
-	@Test
-	public void test_style_rgb(){
-		t("<p style=\"background-color: rgb(0%,0,0);\">background</p>", "<p>background</p>");
-		t("<p style=\"background-color: rgba(100%,0,0);\">background</p>", "<p style=\"\">background</p>");
-		t("<p style=\"background-color: rgb(100,50,50);\">background</p>", "<p style=\"background-color: rgb(100,50,50);\">background</p>");
-	}
-	@Test
-	public void test_tiny_lists(){
-		testsToRun = 2;
-		//lists (output without \n as policy has formatOutput = false		
-		t("<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>", "<ul>\n<li>a list: adsf</li>\n<li>adsf</li>\n<li>adsfas</li>\n</ul>");
-		t("<ol style=\"font-size: 20pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>", "<ol style=\"font-size: 20.0pt;\">\n<li>numbered list</li>\n<li>adf</li>\n<li>asdfa</li>\n</ol>");
-	}
-	@Test
-	public void test_tiny_tables(){
-		testsToRun = 2;
-	//tables
-		t("<table border=\"1\" style=\"width: 268px; height: 81px;\" class=\"table\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>", "<table border=\"1\" class=\"table\" style=\"width: 268.0px;height: 81.0px;\">\n<caption>bliblablue</caption>\n<tbody>\n<tr>\n<td>\n<p>adsfadsf</p>\n</td>\n<td>asdf</td>\n</tr>\n<tr>\n<td>asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>\n</tbody>\n</table>");
-		t("<tr style=\"background-color: rgb(46, 147, 209);\">\n<td style=\"border: 1px solid rgb(240, 68, 14);\">asf</td>\n<td>\n<p>asdf</p>\n</td>\n</tr>","\nasf\n\n<p>asdf</p>\n");
-	}
-	@Test
-	public void test_tiny_singleElements(){
-		testsToRun = 1;
-		//sup/sub
-		t("<p><sup>super</sup>script <sub>sub</sub>script</p>", "<p><sup>super</sup>script <sub>sub</sub>script</p>");
-	}
-	@Test
-	public void test_tiny_jsmath(){
-		testsToRun = 2;
-		t("<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\">&nbsp;</span>","<span title=\"a%20%3C%20b%20%3E%20c%20%3C%20/b%20%3E\">&nbsp;</span>");
-		// should be saved with entities not with < etc...
-//		t("<span title=\"a>b\">&nbsp;</span>", "<span title=\"a&gt;b\">&nbsp;</span>");
-	}
-	@Test
-	public void test_font_awesome() {
-		// for now i tags must have at least a space to not b removed
-		t("<i class=\"o_icon o_icon_dev\"> </i> ", "<i class=\"o_icon o_icon_dev\"> </i> ");
-	}
-	@Test
-	public void test_figure() {
-		// for now i tags must have at least a space to not b removed
-		t("<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>", "<figure class=\"image\"><img src=\"bla.png\" /><figcaption>gugs</figcaption></figure>");
-	}
 	@Test
 	public void test_edusharing() {
 		String html = "<img src=\"/olat/edusharing/preview?objectUrl=ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da&version=1.0\" data-es_identifier=\"2083dbe64f00b07232b11608ec0842fc\" data-es_objecturl=\"ccrep://OpenOLAT/d5130470-14b4-4ad4-88b7-dfb3ebe943da\" data-es_version=\"1.0\" data-es_version_current=\"1.0\" data-es_mediatype='i23' data-es_mimetype=\"image/png\" data-es_width=\"1000\" data-es_height=\"446\" data-es_first_edit=\"false\" class=\"edusharing\" alt=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" title=\"Bildschirmfoto 2018-11-07 um 16.09.49.png\" width=\"1000\" height=\"446\">";
 		// t() did not work, because antisamy changed the order of the attributes
+		Filter vFilter = new OWASPAntiSamyXSSFilter(-1, true);
 		String filtered = vFilter.filter(html);
 		assertThat(filtered).contains("src");
 		assertThat(filtered).contains("width");
@@ -310,14 +68,6 @@ public class XSSFilterTest {
 		assertThat(filtered).contains("es_width");
 		assertThat(filtered).contains("es_height");
 	}
-	@Test
-	public void test_big_tiny_output(){
-		testsToRun = 1;
-		String input = "<br>";
-		String output = "<br />";
-		t(input,output);
-	}
 	@Test
 	public void test_rawText() {

--- a/src/test/java/org/olat/test/AllTestsJunit4.java
+++ b/src/test/java/org/olat/test/AllTestsJunit4.java
@@ -53,6 +53,7 @@ import org.junit.runners.Suite;
 	org.olat.core.util.vfs.VFSTest.class,
 	org.olat.core.util.vfs.VFSManagerTest.class,
 	org.olat.core.util.filter.impl.XSSFilterTest.class,
+	org.olat.core.util.filter.impl.XSSFilterParamTest.class,
 	org.olat.core.util.filter.impl.AddBaseURLToMediaRelativeURLFilterTest.class,
 	org.olat.core.util.filter.impl.SimpleHTMLTagsFilterTest.class,
 	org.olat.core.util.filter.impl.NekoHTMLFilterTest.class,