1 |
|
2 |
|
3 |
|
4 |
|
5 |
|
6 |
|
7 |
|
8 | (function() {
|
9 |
|
10 | var expect = require('expect.js');
|
11 |
|
/**
 * Shared checks for a `yd` (HTML data / text-node context) filter.
 *
 * Two probes: a non-string input must come back as its string form ('123'),
 * and the probe `foo&<>'"` — which carries `&`, `<`, `>`, `'` and `"` — must
 * encode exactly to the caller-supplied expectation. The helper does not
 * assume any particular encoding; the caller pins it via `expectedResults`.
 *
 * @param {function(*):string} filter - the filter under test
 * @param {string[]} expectedResults - exactly one element: the expected
 *   output for the probe `foo&<>'"`
 * @throws {Error} when `expectedResults` is missing or not of length 1
 */
exports.test_yd = function (filter, expectedResults) {
    if (!expectedResults || expectedResults.length !== 1) {
        throw new Error('must take 1 expected results');
    }

    // Non-string input: the filter is expected to stringify, not throw.
    expect(filter(123)).to.eql('123');

    // The characters that matter in a data context, with a plain prefix so the
    // untouched part of the output is visible in a failure message.
    var probe = 'foo&<>\'"';
    expect(filter(probe)).to.eql(expectedResults[0]);
};
|
25 |
|
/**
 * Shared checks for a `yc` (HTML comment context) filter.
 *
 * The probes are built from the byte sequences that open or close an HTML
 * comment (`<!--`, `-->`, `--!>`) and the IE conditional-comment form
 * (`[if IE]`). For the partial probes the remainder of a closing sequence is
 * appended to BOTH the filter output and the expectation before comparing,
 * so the assertion reads as "filtered text followed by `>` must not become
 * `-->`"; the appended tail never changes whether the comparison passes.
 *
 * @param {function(*):string} filter - the filter under test
 * @param {string[]} expectedResults - exactly six elements, in probe order:
 *   [full payload, 'foo--', 'foo--!', '[if IE]', 'foo-' (+'->'), 'foo-' (+'-!>')]
 * @throws {Error} when `expectedResults` is missing or not of length 6
 */
exports.test_yc = function (filter, expectedResults) {
    if (!expectedResults || expectedResults.length !== 6) {
        throw new Error('must take 6 expected results');
    }

    // Non-string input: the filter is expected to stringify, not throw.
    expect(filter(123)).to.eql('123');

    // One payload mixing every comment-delimiter variant plus a script tag.
    var payload = '--> --!> <!--[if IE]><script>alert("yahoo\'s filters")</script>';
    expect(filter(payload)).to.eql(expectedResults[0]);

    // [input, tail appended to both sides, index into expectedResults]
    var partials = [
        ['foo--',   '>',   1],
        ['foo--!',  '>',   2],
        ['[if IE]', '>',   3],
        ['foo-',    '->',  4],
        ['foo-',    '-!>', 5]
    ];
    partials.forEach(function (probe) {
        var input = probe[0];
        var tail = probe[1];
        var idx = probe[2];
        expect(filter(input) + tail).to.eql(expectedResults[idx] + tail);
    });
};
|
60 |
|
/**
 * Shared checks for a `yav` (HTML attribute value context) filter.
 *
 * Probe order, which fixes the meaning of each `expectedResults` index:
 *   [0]  'foo&<>\'"` \t\n\f'  – the attribute-significant characters plus
 *                               space, tab, newline and form feed
 *   [1]  '\f'                 – a lone form feed
 *   [2]  ''                   – the empty string
 *   [3..7]   '' "" and `` ... – an empty single-quote pair preceded by nothing,
 *                               a space, a tab, a newline and a form feed
 *   [8..12]  same for an empty double-quote pair
 *   [13..17] same for an empty backtick pair
 *
 * @param {function(*):string} filter - the filter under test
 * @param {string[]} expectedResults - exactly 18 elements in the order above
 * @throws {Error} when `expectedResults` is missing or not of length 18
 */
exports.test_yav = function (filter, expectedResults) {
    if (!expectedResults || expectedResults.length !== 18) {
        throw new Error('must take 18 expected results');
    }

    // Non-string input: the filter is expected to stringify, not throw.
    expect(filter(123)).to.eql('123');

    expect(filter('foo&<>\'"` \t\n\f')).to.eql(expectedResults[0]);
    expect(filter('\f')).to.eql(expectedResults[1]);
    expect(filter('')).to.eql(expectedResults[2]);

    // Results 3..17: each empty quote pair with each leading character,
    // quote-major order (all five leaders for '' before any for "").
    var quotePairs = ["''", '""', '``'];
    var leaders = ['', ' ', '\t', '\n', '\f'];
    var idx = 3;
    quotePairs.forEach(function (pair) {
        leaders.forEach(function (lead) {
            expect(filter(lead + pair)).to.eql(expectedResults[idx]);
            idx += 1;
        });
    });
};
|
118 |
|
119 |
|
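/**
 * Shared checks for a `yubl` (URL blacklist) filter.
 *
 * Each probe in `testStrings` is run through `filter` and compared with the
 * entry of the same index in `expectedResults`; an entry that is absent
 * (array hole, undefined or null) falls back to `defaultResults`. The probes
 * cover the control characters U+0001..U+0020 placed before and inside a
 * `javascript:` scheme, case and whitespace variants of `javascript:` and
 * `vbscript:`, a set of schemes the defaults expect to pass through untouched
 * (`https:`, `http:`, `ftp:`, `data:`), and inputs where `javascript:` is
 * present but is not the leading scheme.
 *
 * All control characters in the fixtures are written as escape sequences so
 * the fixture bytes are visible and the literals are valid JavaScript (a raw
 * CR or LF inside a quoted string is a syntax error). NOTE(review): the
 * whitespace-laced probes were reconstructed from a listing in which the
 * control characters had been rendered literally; confirm the exact byte
 * sequence (`\t\n\r` / `\r`) against the upstream fixture.
 *
 * @param {function(*):string} filter - the filter under test
 * @param {string[]} [expectedResults] - optional per-probe overrides; may be
 *   shorter than `testStrings`, never longer
 * @throws {Error} when more expectations than probes are supplied
 */
exports.test_yubl = function (filter, expectedResults) {
    var CONTROL_CHARS = '\u0001\u0002\u0003\u0004\u0005\u0006\u0007\u0008\u0009' +
        '\u000A\u000B\u000C\u000D\u000E\u000F\u0010\u0011\u0012' +
        '\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001A\u001B' +
        '\u001C\u001D\u001E\u001F\u0020';
    var CONTROL_CHARS_PCT = '%01%02%03%04%05%06%07%08%09' +
        '%0A%0B%0C%0D%0E%0F%10%11%12' +
        '%13%14%15%16%17%18%19%1A%1B' +
        '%1C%1D%1E%1F%20';

    var testStrings = [
        // every control char up to space, then javascript: split by LF/CR/TAB
        CONTROL_CHARS + 'j\nava\rscript\t:',
        '\t\n\rja\rva\t\tscript:alert(0)',
        'JavascripT:alert(0)',
        'javascript:alert(0)',
        'javascript:javascript:alert(0)',

        'vbscript:',
        '\t\n\rvbscripT:',

        'https://www.yahoo.com',
        'http://www.yahoo.com',
        'ftp://ftp.yahoo.com',
        'data:image/png',
        'data:application/javascript',
        'data:text/css',
        'data:text/html',

        'javajavascript:script:alert(0)',
        'javaXscript:alert(0)',
        'ABCjavascript:alert(0)'
    ];

    // Defaults used when the caller supplies no expectation for a probe:
    // probe 0 has its control characters percent-encoded and nothing else
    // changed; the javascript:/vbscript: probes gain an 'x-' prefix; the
    // remaining probes are expected back unchanged.
    var defaultResults = [
        CONTROL_CHARS_PCT + 'j%0Aava%0Dscript%09:',
        'x-\t\n\rja\rva\t\tscript:alert(0)',
        'x-JavascripT:alert(0)',
        'x-javascript:alert(0)',
        'x-javascript:javascript:alert(0)',

        'x-vbscript:',
        'x-\t\n\rvbscripT:',

        'https://www.yahoo.com',
        'http://www.yahoo.com',
        'ftp://ftp.yahoo.com',
        'data:image/png',
        'data:application/javascript',
        'data:text/css',
        'data:text/html',

        'javajavascript:script:alert(0)',
        'javaXscript:alert(0)',
        'ABCjavascript:alert(0)'
    ];

    if (expectedResults && expectedResults.length > testStrings.length) {
        throw new Error('must take ' + testStrings.length + ' expected results');
    }

    testStrings.forEach(function (str, i) {
        // Only a missing entry (hole, undefined, null) selects the default.
        // A truthiness test here would also replace an explicit '' expectation
        // with the default, silently skipping any probe whose filter is
        // expected to return the empty string.
        var expected = (expectedResults && expectedResults[i] != null)
            ? expectedResults[i]
            : defaultResults[i];
        expect(filter(str)).to.eql(expected);
    });
};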
|
180 |
|
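/**
 * Shared checks for a `yu` (whole-URI encoding) filter.
 *
 * Every probe's expectation is computed by `encodeURI` at test time, so this
 * helper pins the filter to the platform's whole-URI encoder rather than to
 * literal strings. That includes the bracketed-IPv6 probes: `encodeURI` does
 * not exempt `[` and `]`, so here they are expected to be percent-encoded in
 * the host as well as in the query (contrast `test_yufull`).
 *
 * The final probe is a lone high surrogate, which cannot be UTF-8 encoded:
 * `encodeURI` throws a URIError whose message is 'URI malformed', and the
 * filter is required to throw the same. The previous version of this check
 * only inspected the error inside `catch`, so a filter that returned normally
 * for the malformed input passed without any assertion being made.
 *
 * @param {function(*):string} filter - the filter under test
 * @throws via expect.js when a probe does not match `encodeURI` or the lone
 *   surrogate does not raise 'URI malformed'
 */
exports.test_yu = function (filter) {
    var probes = [
        'http://6.6.6.6/?q=[somewhere]',
        'http://6.6.6.6/somewhere',
        '//6.6.6.6/somewhere',
        'http://[6.6.6.6]/somewhere',
        'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere',
        'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]',
        'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80',
        '[]?&=#/:;'
    ];
    probes.forEach(function (str) {
        expect(filter(str)).to.eql(encodeURI(str));
    });

    // Lone high surrogate: must throw, and with encodeURI's message.
    var malformed = 'foo\uD800';
    var threw = false;
    try {
        filter(malformed);
    } catch (err) {
        threw = true;
        expect(err.message).to.eql('URI malformed');
    }
    expect(threw).to.be(true);
};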
|
223 |
|
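/**
 * Shared checks for a `yufull` (whole-URI encoding, IPv6-aware) filter.
 *
 * Unlike `test_yu`, the expectations here distinguish brackets that delimit
 * an IPv6 host from brackets anywhere else:
 *   - `[` / `]` in the query (probe 1) or standing alone (probe 8) are
 *     expected percent-encoded (`%5B` / `%5D`, i.e. what `encodeURI` does);
 *   - `[6.6.6.6]` (probe 4) is not an IPv6 literal and is expected to be
 *     handled exactly like `encodeURI` would;
 *   - a bracketed IPv6 host followed by a path (probe 5) or a port (probe 7)
 *     is expected back byte-for-byte unchanged;
 *   - a bare bracketed IPv6 host with nothing after it (probe 6) is the one
 *     case the caller must pin via `expectedResults[0]`.
 *
 * The final probe is a lone high surrogate, which cannot be UTF-8 encoded:
 * the filter is required to throw with message 'URI malformed' (the message
 * `encodeURI` uses). The previous version only inspected the error inside
 * `catch`, so a filter that returned normally was never failed.
 *
 * @param {function(*):string} filter - the filter under test
 * @param {string[]} expectedResults - exactly one element: the expected
 *   output for 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]'
 * @throws {Error} when `expectedResults` is missing or not of length 1
 */
exports.test_yufull = function (filter, expectedResults) {
    if (!expectedResults || expectedResults.length !== 1) {
        throw new Error('must take 1 expected results');
    }

    var ipv6 = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]';

    // [input, expected output]
    var probes = [
        ['http://6.6.6.6/?q=[somewhere]', 'http://6.6.6.6/?q=%5Bsomewhere%5D'],
        ['http://6.6.6.6/somewhere',      encodeURI('http://6.6.6.6/somewhere')],
        ['//6.6.6.6/somewhere',           encodeURI('//6.6.6.6/somewhere')],
        ['http://[6.6.6.6]/somewhere',    encodeURI('http://[6.6.6.6]/somewhere')],
        [ipv6 + '/somewhere',             ipv6 + '/somewhere'],
        [ipv6,                            expectedResults[0]],
        [ipv6 + ':80',                    ipv6 + ':80'],
        ['[]?&=#/:;',                     encodeURI('[]?&=#/:;')]
    ];
    probes.forEach(function (probe) {
        expect(filter(probe[0])).to.eql(probe[1]);
    });

    // Lone high surrogate: must throw, and with encodeURI's message.
    var malformed = 'foo\uD800';
    var threw = false;
    try {
        filter(malformed);
    } catch (err) {
        threw = true;
        expect(err.message).to.eql('URI malformed');
    }
    expect(threw).to.be(true);
};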
|
269 |
|
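/**
 * Shared checks for a `yuc` (URI-component encoding) filter.
 *
 * Every probe's expectation is computed by `encodeURIComponent` at test time,
 * so this helper pins the filter to the platform's component encoder: the
 * probes are whole URLs and reserved-character runs, and all of `:`, `/`,
 * `?`, `&`, `=`, `#`, `;`, `[` and `]` are expected to come back
 * percent-encoded, exactly as `encodeURIComponent` renders them.
 *
 * The final probe is a lone high surrogate, which cannot be UTF-8 encoded:
 * `encodeURIComponent` throws a URIError whose message is 'URI malformed',
 * and the filter is required to throw the same. The previous version of this
 * check only inspected the error inside `catch`, so a filter that returned
 * normally for the malformed input passed without any assertion being made.
 *
 * @param {function(*):string} filter - the filter under test
 * @throws via expect.js when a probe does not match `encodeURIComponent` or
 *   the lone surrogate does not raise 'URI malformed'
 */
exports.test_yuc = function (filter) {
    var probes = [
        'http://6.6.6.6/?q=[somewhere]',
        'http://6.6.6.6/somewhere',
        '//6.6.6.6/somewhere',
        'http://[6.6.6.6]/somewhere',
        'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere',
        'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]',
        'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80',
        '[]?&=#/:;'
    ];
    probes.forEach(function (str) {
        expect(filter(str)).to.eql(encodeURIComponent(str));
    });

    // Lone high surrogate: must throw, and with encodeURIComponent's message.
    var malformed = 'foo\uD800';
    var threw = false;
    try {
        filter(malformed);
    } catch (err) {
        threw = true;
        expect(err.message).to.eql('URI malformed');
    }
    expect(threw).to.be(true);
};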
|
312 |
|
313 | })();
|