| /******************************************************************************* |
| * Licensed to the Apache Software Foundation (ASF) under one or |
| * more contributor license agreements. See the NOTICE file |
| * distributed with this work for additional information regarding |
| * copyright ownership. The ASF licenses this file to you under the |
| * Apache License, Version 2.0 (the "License"); you may not use |
| * this file except in compliance with the License. You may obtain |
| * a copy of the License at |
| * |
| * http://www.apache.org/licenses/LICENSE-2.0 Unless required by |
| * applicable law or agreed to in writing, software distributed |
| * under the License is distributed on an "AS IS" BASIS, WITHOUT |
| * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| * See the License for the specific language governing permissions |
| * and limitations under the License. |
| ******************************************************************************/ |
| package org.apache.sling.xss.impl; |
| |
| import static org.junit.Assert.fail; |
| |
| import org.junit.Before; |
| import org.junit.Test; |
| |
| import org.apache.sling.xss.ProtectionContext; |
| |
| /** Test the XSSProtectionServiceImpl with various strings. |
| * |
| * Notes on testing with Japanese text: |
| * |
| * 1) To encode Japanese and other text, you can write that |
| * text to an UTF-8 encoded xml file (with an editor |
| * that supports full Unicode, Eclipse works for example) |
| * and use native2ascii -encoding UTF-8 < thatFile |
| * |
| * 2) Make sure your terminal's and JVM encoding is |
| * set correctly, otherwise strings displayed in error |
| * messages will be wrong. Eclipse's Java debugger |
| * displays everything right, I assume others do as well. |
| */ |
| public class XSSProtectionServiceImplTest { |
| |
| private XSSFilterImpl xssFilter; |
| |
| @Before |
| public void setup() { |
| xssFilter = new XSSFilterImpl(); |
| } |
| |
| private void assertNoChange(String input) throws Exception { |
| assertXssProtection(input, input); |
| } |
| |
| private void assertXssProtection(String input, String expected) throws Exception { |
| final String output = xssFilter.filter(ProtectionContext.PLAIN_HTML_CONTENT, input); |
| if(!expected.equals(output)) { |
| fail("For input [" + input + "], expected [" + expected + "] but got [" + output + "]"); |
| } |
| } |
| |
| @Test |
| public void simpleStringsTest() throws Exception { |
| assertNoChange(""); |
| assertNoChange("FOO"); |
| assertNoChange("The Quick Brown Fox"); |
| } |
| |
| @Test |
| public void testStringsThatNeedChanges() throws Exception { |
| assertXssProtection("Some <tag> in the text", "Some <tag> in the text"); |
| assertXssProtection("And a <script src='foo'/> here", "And a <script src='foo'/> here"); |
| assertXssProtection("And Bonnie & Clyde", "And Bonnie & Clyde"); |
| } |
| |
| @Test |
| public void testWithAccents() throws Exception { |
| assertNoChange("Accents here \u00e9 \u00e0 \u00e8 \u00f6 \u00e4 \u00fc \u00e2 \u00ea \u00ee \u00f4 \u00fb and done"); |
| } |
| |
| @Test |
| public void test21umlaut() throws Exception { |
| assertNoChange("The 21 here is followed by u umlaut: 21\u00fcfile"); |
| } |
| |
| @Test |
| public void testJapaneseStringOne() throws Exception { |
| assertNoChange("Japanese mark: \u3001\u3002\uff1f\uff01\uffe5\u30fb\uff20\uff03\uff04\uff05\uff3e\uff06\uff0a\uff08\uff09\u300c\u300d etc."); |
| } |
| |
| @Test |
| public void testJapaneseStringTwo() throws Exception { |
| assertNoChange( |
| "\u30e9\u30c9\u30af\u30ea\u30d5\u3001\u30de\u30e9\u30bd\u30f3\u4e94\u8f2a\u4ee3\u8868\u306b1\u4e07m\u51fa\u5834\u306b\u3082\u542b\u307f" |
| ); |
| } |
| } |