Wavyzz/dolibarr
2
0
Fork 1
mirror of https://github.com/Dolibarr/dolibarr.git synced 2026-02-06 16:11:44 +01:00
Code Issues Packages Projects Releases Wiki Activity

NEW : Template supplier invoices

Browse Source
This commit is contained in:
Adrien Raze
2022-02-07 14:34:27 +01:00
parent 9f7e8fa3ed
commit ee52cac3ba
2815 changed files with 56596 additions and 30626 deletions
Download Patch File Download Diff File Expand all files Collapse all files

19
test/phpunit/SecurityTest.php
View File

@@ -359,7 +359,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$_POST['param8b']='<img src=x onerror=alert(document.location) t='; // this is html obfuscated by non closing tag
$_POST['param8c']='< with space after is ok';
$_POST['param8d']='<abc123 is html to clean';
$_POST['param8e']='<123abc is not html to clean';
$_POST['param8e']='<123abc is not html to clean'; // other similar case: '<2021-12-12'
$_POST['param8f']='abc<<svg <><<animate onbegin=alert(document.domain) a';
$_POST["param9"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'';
$_POST["param10"]='is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'';
@@ -501,6 +501,10 @@ class SecurityTest extends PHPUnit\Framework\TestCase
print __METHOD__." result param7 = ".$result."\n";
$this->assertEquals('"c:\this is a path~1\aaan &#x;;;;" abcdef', $result);
$result=GETPOST("param8e", 'restricthtml');
print __METHOD__." result param8e = ".$result."\n";
$this->assertEquals('', $result);
$result=GETPOST("param12", 'restricthtml');
print __METHOD__." result=".$result."\n";
$this->assertEquals(trim($_POST["param12"]), $result, 'Test a string with DOCTYPE and restricthtml');
@@ -519,7 +523,7 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$result=GETPOST("param15", 'restricthtml'); // <img onerror<=alert(document.domain)> src=>0xbeefed
print __METHOD__." result=".$result."\n";
$this->assertEquals("<img onerror=alert(document.domain) src=>0xbeefed", $result, 'Test 15a'); // The GETPOST return a harmull string
$this->assertEquals("<img onerror=alert(document.domain) src=>0xbeefed", $result, 'Test 15'); // The GETPOST return a harmull string
// Test with restricthtml + MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES to test disabling of bad atrributes
$conf->global->MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1;
@@ -672,10 +676,14 @@ class SecurityTest extends PHPUnit\Framework\TestCase
*/
public function testDolStringOnlyTheseHtmlAttributes()
{
$stringtotest = 'eée';
$decodedstring = dol_string_onlythesehtmlattributes($stringtotest);
$this->assertEquals('e&eacute;e', $decodedstring, 'Function did not sanitize correclty with test 1');
$stringtotest = '<div onload="ee"><a href="123"><span class="abc">abc</span></a></div>';
$decodedstring = dol_string_onlythesehtmlattributes($stringtotest);
$decodedstring = preg_replace("/\n$/", "", $decodedstring);
$this->assertEquals('<div><a href="123"><span class="abc">abc</span></a></div>', $decodedstring, 'Function did not sanitize correclty with test 1');
$this->assertEquals('<div><a href="123"><span class="abc">abc</span></a></div>', $decodedstring, 'Function did not sanitize correclty with test 2');
return 0;
}
@@ -787,6 +795,11 @@ class SecurityTest extends PHPUnit\Framework\TestCase
$this->assertEquals(400, $tmp['http_code'], 'Should GET url to '.$url.' that resolves to a local URL'); // Test we receive an error because localtest.me is not an external URL
*/
$url = 'http://192.0.0.192';
$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL but on an IP in blacklist
print __METHOD__." url=".$url." tmp['http_code'] = ".$tmp['http_code']."\n";
$this->assertEquals(400, $tmp['http_code'], 'Access should be refused and was not'); // Test we receive an error because ip is in blacklist
return 0;
}