Enhance phpunit

This commit is contained in:
Laurent Destailleur
2022-11-28 16:54:34 +01:00
parent 75de251402
commit ba4e5ef245
2 changed files with 42 additions and 7 deletions


@@ -915,8 +915,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
try { try {
$dom = new DOMDocument; $dom = new DOMDocument;
// Add a trick to solve pb with text without parent tag // Add a trick to solve pb with text without parent tag
// like '<h1>Foo</h1><p>bar</p>' that ends up with '<h1>Foo<p>bar</p></h1>' // like '<h1>Foo</h1><p>bar</p>' that wrongly ends up without the trick into '<h1>Foo<p>bar</p></h1>'
// like 'abc' that ends up with '<p>abc</p>' // like 'abc' that wrongly ends up without the tric into with '<p>abc</p>'
$out = '<div class="tricktoremove">'.$out.'</div>'; $out = '<div class="tricktoremove">'.$out.'</div>';
$dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL); $dom->loadHTML($out, LIBXML_ERR_NONE|LIBXML_HTML_NOIMPLIED|LIBXML_HTML_NODEFDTD|LIBXML_NONET|LIBXML_NOWARNING|LIBXML_NOXMLDECL);
@@ -925,6 +925,8 @@ function sanitizeVal($out = '', $check = 'alphanohtml', $filter = null, $options
// Remove the trick added to solve pb with text without parent tag // Remove the trick added to solve pb with text without parent tag
$out = preg_replace('/^<div class="tricktoremove">/', '', $out); $out = preg_replace('/^<div class="tricktoremove">/', '', $out);
$out = preg_replace('/<\/div>$/', '', $out); $out = preg_replace('/<\/div>$/', '', $out);
var_dump('xxx');
var_dump($out);
} catch (Exception $e) { } catch (Exception $e) {
//print $e->getMessage(); //print $e->getMessage();
return 'InvalidHTMLString'; return 'InvalidHTMLString';
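Review bot: The two lines `var_dump('xxx'); var_dump($out);` added right after the trick-removal `preg_replace` calls are debug output left in library code: every request that reaches this DOMDocument branch of sanitizeVal() will echo the marker and the intermediate HTML straight into the response, corrupting page output and dumping a not-yet-returned value into whatever HTML context the caller is in. They should be deleted before merge rather than shipped; if a trace is wanted, route it through the project's logging facility instead of printing. The first hunk's reworded comments also carry typos ("tric", "into with") that could be cleaned up at the same time. sanitizeVal() starts before the first hunk and continues past the last line shown, so the surrounding control flow around this branch is not visible here.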


@@ -537,16 +537,19 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals("Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)", $result, 'Test 14'); $this->assertEquals("Text with ' encoded with the numeric html entity converted into text entity &#39; (like when submited by CKEditor)", $result, 'Test 14');
$result=GETPOST("param15", 'restricthtml'); // <img onerror<=alert(document.domain)> src=>0xbeefed $result=GETPOST("param15", 'restricthtml'); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals("<img onerror=alert(document.domain) src=>0xbeefed", $result, 'Test 15'); // The GETPOST return a harmull string $this->assertEquals("<img onerror=alert(document.domain) src=>0xbeefed", $result, 'Test 15'); // The GETPOST return a harmull string
// Test with restricthtml + MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES to test disabling of bad atrributes // Test with restricthtml + MAIN_RESTRICTHTML_ONLY_VALID_HTML to test disabling of bad atrributes
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1; $conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
$result=GETPOST("param15", 'restricthtml');
$result=GETPOST("param15", 'restricthtml'); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals('InvalidHTMLString', $result, 'Test 15b'); //$this->assertEquals('InvalidHTMLString', $result, 'Test 15b');
$this->assertEquals('<img onerror> src=&gt;0xbeefed', $result, 'Test 15b');
unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML); unset($conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML);
@@ -555,7 +558,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=GETPOST("param15", 'restricthtml'); $result=GETPOST("param15", 'restricthtml');
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
$this->assertEquals('<img src="">0xbeefed', $result, 'Test 15b'); $this->assertEquals('<img src="">0xbeefed', $result, 'Test 15c');
$result=GETPOST('param16', 'restricthtml'); $result=GETPOST('param16', 'restricthtml');
print __METHOD__." result=".$result."\n"; print __METHOD__." result=".$result."\n";
@@ -836,6 +839,36 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$this->assertEquals('google.com', $result, 'Test on dol_sanitizeUrl C'); $this->assertEquals('google.com', $result, 'Test on dol_sanitizeUrl C');
} }
/**
* testDolSanitizeEmail
*
* @return void
*/
public function testDolSanitizeEmail()
{
global $conf,$user,$langs,$db;
$conf=$this->savconf;
$user=$this->savuser;
$langs=$this->savlangs;
$db=$this->savdb;
$test = 'aaa@mycompany.com <My name>, bbb@mycompany.com <Another name>';
$result=dol_sanitizeEmail($test);
$this->assertEquals($test, $result, 'Test on dol_sanitizeEmail A');
$test = "aaa@mycompany.com <My name>,\nbbb@mycompany.com <Another name>";
$result=dol_sanitizeEmail($test);
$this->assertEquals('aaa@mycompany.com <My name>,bbb@mycompany.com <Another name>', $result, 'Test on dol_sanitizeEmail B');
$test = 'aaa@mycompany.com <My name>,\nbbb@mycompany.com <Another name>';
$result=dol_sanitizeEmail($test);
$this->assertEquals('aaa@mycompany.com <My name>,nbbb@mycompany.com <Another name>', $result, 'Test on dol_sanitizeEmail C');
$test = 'aaa@mycompany.com <My name>, "bcc:bbb"@mycompany.com <Another name>';
$result=dol_sanitizeEmail($test);
$this->assertEquals('aaa@mycompany.com <My name>, bccbbb@mycompany.com <Another name>', $result, 'Test on dol_sanitizeEmail D');
}
/** /**
* testDolSanitizeFileName * testDolSanitizeFileName
* *
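Review bot: Test 15b now asserts that with MAIN_RESTRICTHTML_ONLY_VALID_HTML set the dangerous input `<img onerror<=alert(document.domain)> src=>0xbeefed` comes back as `<img onerror> src=&gt;0xbeefed` instead of `'InvalidHTMLString'`, but the only record of that behaviour change is the commented-out old assertion, which should be deleted rather than left in place. A comment would make the new expectation reviewable, e.g. `// ONLY_VALID_HTML repairs malformed markup via DOMDocument: the broken onerror survives only as a valueless (inert) attribute; stripping it is what Test 15c checks`, with the option that 15c relies on named once confirmed (the line enabling it lies outside the hunk). Both `$result=GETPOST("param15", 'restricthtml');` lines appear to be on the new side; if that reading is right, the first, uncommented one is a redundant duplicate call. In the new testDolSanitizeEmail(), case C uses single quotes so `'\n'` is a literal backslash-n, which is why the expected value is `nbbb@mycompany.com` — a one-line comment saying so would stop the next maintainer "fixing" it. The test method containing Tests 15 to 15c starts and ends outside the hunks shown.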