UNPKG

xss-filters/tests/utils.js

Version:

8.85 kBJavaScriptView Raw

1/*
2Copyright (c) 2015, Yahoo! Inc. All rights reserved.
3Copyrights licensed under the New BSD License.
4See the accompanying LICENSE file for terms.
5*/
6/* jshint multistr:true */
7
8(function() {
9
10var expect = require('expect.js');
11
12exports.test_yd = function (filter, expectedResults) {
  if (!expectedResults || expectedResults.length !== 1)
      throw new Error('must take 1 expected results');
15
  var str, o;
17
  o = filter(123);
  expect(o).to.eql('123');
20
  str = 'foo&<>\'"';
  o = filter(str);
  expect(o).to.eql(expectedResults[0]);
24};
25
26exports.test_yc = function (filter, expectedResults) {
  if (!expectedResults || expectedResults.length !== 6)
      throw new Error('must take 6 expected results');
29
  var str, o;
31
  o = filter(123);
  expect(o).to.eql('123');
34
  str = '--> --!> <!--[if IE]><script>alert("yahoo\'s filters")</script>';
  o = filter(str);
  expect(o).to.eql(expectedResults[0]);
38
  // to prevent componded effect to close comment state with chracters ahead 
  str = 'foo--';
  o = filter(str) + '>';
  expect(o).to.eql(expectedResults[1] + '>');
43
  str = 'foo--!';
  o = filter(str) + '>';
  expect(o).to.eql(expectedResults[2] +'>');
47
  str = '[if IE]';
  o = filter(str) + '>';
  expect(o).to.eql(expectedResults[3] + '>');
51
  str = 'foo-';
  o = filter(str) + '->';
  expect(o).to.eql(expectedResults[4] + '->');
55
  str = 'foo-';
  o = filter(str) + '-!>';
  expect(o).to.eql(expectedResults[5] + '-!>');
59};
60
61exports.test_yav = function (filter, expectedResults) {
  if (!expectedResults || expectedResults.length !== 18)
      throw new Error('must take 18 expected results');
64
  var str, o;
66
  o = filter(123);
  expect(o).to.eql('123');
69
  str = 'foo&<>\'"` \t\n\f';
  o = filter(str);
  expect(o).to.eql(expectedResults[0]);
73
  str = '\f';
  o = filter(str);
  expect(o).to.eql(expectedResults[1]);
77
  str = '';
  o = filter(str);
  expect(o).to.eql(expectedResults[2]);
81
  // test if prohibited state change
  o = filter("''");
  expect(o).to.eql(expectedResults[3]);
  o = filter(" ''");
  expect(o).to.eql(expectedResults[4]);
  o = filter("\t''");
  expect(o).to.eql(expectedResults[5]);
  o = filter("\n''");
  expect(o).to.eql(expectedResults[6]);
  o = filter("\f''");
  expect(o).to.eql(expectedResults[7]);
93
  // test if prohibited state change
  o = filter('""');
  expect(o).to.eql(expectedResults[8]);
  o = filter(' ""');
  expect(o).to.eql(expectedResults[9]);
  o = filter('\t""');
  expect(o).to.eql(expectedResults[10]);
  o = filter('\n""');
  expect(o).to.eql(expectedResults[11]);
  o = filter('\f""');
  expect(o).to.eql(expectedResults[12]);
105
  // test if prohibited state change
  o = filter('``');
  expect(o).to.eql(expectedResults[13]);
  o = filter(' ``');
  expect(o).to.eql(expectedResults[14]);
  o = filter('\t``');
  expect(o).to.eql(expectedResults[15]);
  o = filter('\n``');
  expect(o).to.eql(expectedResults[16]);
  o = filter('\f``');
  expect(o).to.eql(expectedResults[17]);
117};
118
119
120exports.test_yubl = function (filter, expectedResults) {
  var testStrings = [
      '\u0001\u0002\u0003\u0004\u0005\u0006\u0007\u0008\u0009\
123\u000A\u000B\u000C\u000D\u000E\u000F\u0010\u0011\u0012\
124\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001A\u001B\
125\u001C\u001D\u001E\u001F\u0020j\nav&#x61;\rscript\t:',
      '&Tab;&#X0a;&NewLine;j&#x61;&NewLine;&#x76;&#x61&Tab;&Tab;&#115&#99&#114&#105&#112&#116&#x3a;alert(0)',
      'JavascripT:alert(0)',
      'j&#x61;&#x76;&#x61&#115&#99&#114&#105&#112&#116&#x3a;alert(0)',
      'javascript:javascript:alert(0)',
130
      'vbscript&colon;',
      '&Tab;&#X0a;&NewLine;v&#98scripT:',
133
      'https://www.yahoo.com',
      'http://www.yahoo.com',
      'ftp://ftp.yahoo.com',
      'data:image/png',
      'data:application/javascript',
      'data:text/css',
      'data:text/html',
141
      'javajavascript:script:alert(0)',
      'javaXscript:alert(0)',
      'ABCjavascript:alert(0)'
  ];
146
  var defaultResults = [
      '%01%02%03%04%05%06%07%08%09\
149%0A%0B%0C%0D%0E%0F%10%11%12\
150%13%14%15%16%17%18%19%1A%1B\
151%1C%1D%1E%1F%20j%0Aav&#x61;%0Dscript%09:',
      'x-&Tab;&#X0a;&NewLine;j&#x61;&NewLine;&#x76;&#x61&Tab;&Tab;&#115&#99&#114&#105&#112&#116&#x3a;alert(0)',
      'x-JavascripT:alert(0)',
      'x-j&#x61;&#x76;&#x61&#115&#99&#114&#105&#112&#116&#x3a;alert(0)',
      'x-javascript:javascript:alert(0)',
156
      'x-vbscript&colon;',
      'x-&Tab;&#X0a;&NewLine;v&#98scripT:',
159
      'https://www.yahoo.com',
      'http://www.yahoo.com',
      'ftp://ftp.yahoo.com',
      'data:image/png',
      'data:application/javascript',
      'data:text/css',
      'data:text/html',
167
      'javajavascript:script:alert(0)',
      'javaXscript:alert(0)',
      'ABCjavascript:alert(0)'
  ];
172
  if (expectedResults && expectedResults.length > testStrings.length)
      throw new Error('must take ' + testStrings.length + ' expected results');
175
  testStrings.forEach(function (str, i) {
      expect(filter(str)).to.eql(expectedResults && expectedResults[i] ? expectedResults[i] : defaultResults[i]);
  });
179};
180
181exports.test_yu = function (filter) {
  var str, o;
  str = 'http://6.6.6.6/?q=[somewhere]';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
186
  str = 'http://6.6.6.6/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
190
  str = '//6.6.6.6/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
194
  str = 'http://[6.6.6.6]/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
198
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
202
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
206
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
210
  str = '[]?&=#/:;';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
214
  // an feature indicator of which encodeURI()/encodeURIComponent() is used
  str = 'foo\uD800';
  try {
      o = filter(str);
  } catch (err) {
      expect(err.message).to.eql('URI malformed');
  }
222};
223
224exports.test_yufull = function (filter, expectedResults) {
  if (!expectedResults || expectedResults.length !== 1)
      throw new Error('must take 1 expected results');
227
  var str, o;
  str = 'http://6.6.6.6/?q=[somewhere]';
  o = filter(str);
  expect(o).to.eql('http://6.6.6.6/?q=%5Bsomewhere%5D');
232
  str = 'http://6.6.6.6/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
236
  str = '//6.6.6.6/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
240
  str = 'http://[6.6.6.6]/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
244
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere';
  o = filter(str);
  expect(o).to.eql(str);
248
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]';
  o = filter(str);
  expect(o).to.eql(expectedResults[0]);
252
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80';
  o = filter(str);
  expect(o).to.eql(str);
256
  str = '[]?&=#/:;';
  o = filter(str);
  expect(o).to.eql(encodeURI(str));
260
  // an feature indicator of which encodeURI()/encodeURIComponent() is used
  str = 'foo\uD800';
  try {
      o = filter(str);
  } catch (err) {
      expect(err.message).to.eql('URI malformed');
  }
268};
269
270exports.test_yuc = function (filter) {
  var str, o;
  str = 'http://6.6.6.6/?q=[somewhere]';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
275
  str = 'http://6.6.6.6/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
279
  str = '//6.6.6.6/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
283
  str = 'http://[6.6.6.6]/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
287
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
291
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
295
  str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
299
  str = '[]?&=#/:;';
  o = filter(str);
  expect(o).to.eql(encodeURIComponent(str));
303
  // an feature indicator of which encodeURI()/encodeURIComponent() is used
  str = 'foo\uD800';
  try {
      o = filter(str);
  } catch (err) {
      expect(err.message).to.eql('URI malformed');
  }
311};
312
313})();

1	`/*`
2	`Copyright (c) 2015, Yahoo! Inc. All rights reserved.`
3	`Copyrights licensed under the New BSD License.`
4	`See the accompanying LICENSE file for terms.`
5	`*/`
6	`/* jshint multistr:true */`
7
8	`(function() {`
9
10	`var expect = require('expect.js');`
11
12	`exports.test_yd = function (filter, expectedResults) {`
13	`if (!expectedResults \|\| expectedResults.length !== 1)`
14	`throw new Error('must take 1 expected results');`
15
16	`var str, o;`
17
18	`o = filter(123);`
19	`expect(o).to.eql('123');`
20
21	`str = 'foo&<>\'"';`
22	`o = filter(str);`
23	`expect(o).to.eql(expectedResults[0]);`
24	`};`
25
26	`exports.test_yc = function (filter, expectedResults) {`
27	`if (!expectedResults \|\| expectedResults.length !== 6)`
28	`throw new Error('must take 6 expected results');`
29
30	`var str, o;`
31
32	`o = filter(123);`
33	`expect(o).to.eql('123');`
34
35	`str = '--> --!> <!--[if IE]><script>alert("yahoo\'s filters")</script>';`
36	`o = filter(str);`
37	`expect(o).to.eql(expectedResults[0]);`
38
39	`// to prevent componded effect to close comment state with chracters ahead`
40	`str = 'foo--';`
41	`o = filter(str) + '>';`
42	`expect(o).to.eql(expectedResults[1] + '>');`
43
44	`str = 'foo--!';`
45	`o = filter(str) + '>';`
46	`expect(o).to.eql(expectedResults[2] +'>');`
47
48	`str = '[if IE]';`
49	`o = filter(str) + '>';`
50	`expect(o).to.eql(expectedResults[3] + '>');`
51
52	`str = 'foo-';`
53	`o = filter(str) + '->';`
54	`expect(o).to.eql(expectedResults[4] + '->');`
55
56	`str = 'foo-';`
57	`o = filter(str) + '-!>';`
58	`expect(o).to.eql(expectedResults[5] + '-!>');`
59	`};`
60
61	`exports.test_yav = function (filter, expectedResults) {`
62	`if (!expectedResults \|\| expectedResults.length !== 18)`
63	`throw new Error('must take 18 expected results');`
64
65	`var str, o;`
66
67	`o = filter(123);`
68	`expect(o).to.eql('123');`
69
70	str = 'foo&<>\'"` \t\n\f';
71	`o = filter(str);`
72	`expect(o).to.eql(expectedResults[0]);`
73
74	`str = '\f';`
75	`o = filter(str);`
76	`expect(o).to.eql(expectedResults[1]);`
77
78	`str = '';`
79	`o = filter(str);`
80	`expect(o).to.eql(expectedResults[2]);`
81
82	`// test if prohibited state change`
83	`o = filter("''");`
84	`expect(o).to.eql(expectedResults[3]);`
85	`o = filter(" ''");`
86	`expect(o).to.eql(expectedResults[4]);`
87	`o = filter("\t''");`
88	`expect(o).to.eql(expectedResults[5]);`
89	`o = filter("\n''");`
90	`expect(o).to.eql(expectedResults[6]);`
91	`o = filter("\f''");`
92	`expect(o).to.eql(expectedResults[7]);`
93
94	`// test if prohibited state change`
95	`o = filter('""');`
96	`expect(o).to.eql(expectedResults[8]);`
97	`o = filter(' ""');`
98	`expect(o).to.eql(expectedResults[9]);`
99	`o = filter('\t""');`
100	`expect(o).to.eql(expectedResults[10]);`
101	`o = filter('\n""');`
102	`expect(o).to.eql(expectedResults[11]);`
103	`o = filter('\f""');`
104	`expect(o).to.eql(expectedResults[12]);`
105
106	`// test if prohibited state change`
107	o = filter('``');
108	`expect(o).to.eql(expectedResults[13]);`
109	o = filter(' ``');
110	`expect(o).to.eql(expectedResults[14]);`
111	o = filter('\t``');
112	`expect(o).to.eql(expectedResults[15]);`
113	o = filter('\n``');
114	`expect(o).to.eql(expectedResults[16]);`
115	o = filter('\f``');
116	`expect(o).to.eql(expectedResults[17]);`
117	`};`
118
119
120	`exports.test_yubl = function (filter, expectedResults) {`
121	`var testStrings = [`
122	`'\u0001\u0002\u0003\u0004\u0005\u0006\u0007\u0008\u0009\`
123	`\u000A\u000B\u000C\u000D\u000E\u000F\u0010\u0011\u0012\`
124	`\u0013\u0014\u0015\u0016\u0017\u0018\u0019\u001A\u001B\`
125	`\u001C\u001D\u001E\u001F\u0020j\nava\rscript\t:',`
126	`'&Tab;&#X0a;&NewLine;ja&NewLine;v&#x61&Tab;&Tab;&#115&#99&#114&#105&#112&#116:alert(0)',`
127	`'JavascripT:alert(0)',`
128	`'jav&#x61&#115&#99&#114&#105&#112&#116:alert(0)',`
129	`'javascript:javascript:alert(0)',`
130
131	`'vbscript&colon;',`
132	`'&Tab;&#X0a;&NewLine;v&#98scripT:',`
133
134	`'https://www.yahoo.com',`
135	`'http://www.yahoo.com',`
136	`'ftp://ftp.yahoo.com',`
137	`'data:image/png',`
138	`'data:application/javascript',`
139	`'data:text/css',`
140	`'data:text/html',`
141
142	`'javajavascript:script:alert(0)',`
143	`'javaXscript:alert(0)',`
144	`'ABCjavascript:alert(0)'`
145	`];`
146
147	`var defaultResults = [`
148	`'%01%02%03%04%05%06%07%08%09\`
149	`%0A%0B%0C%0D%0E%0F%10%11%12\`
150	`%13%14%15%16%17%18%19%1A%1B\`
151	`%1C%1D%1E%1F%20j%0Aava%0Dscript%09:',`
152	`'x-&Tab;&#X0a;&NewLine;ja&NewLine;v&#x61&Tab;&Tab;&#115&#99&#114&#105&#112&#116:alert(0)',`
153	`'x-JavascripT:alert(0)',`
154	`'x-jav&#x61&#115&#99&#114&#105&#112&#116:alert(0)',`
155	`'x-javascript:javascript:alert(0)',`
156
157	`'x-vbscript&colon;',`
158	`'x-&Tab;&#X0a;&NewLine;v&#98scripT:',`
159
160	`'https://www.yahoo.com',`
161	`'http://www.yahoo.com',`
162	`'ftp://ftp.yahoo.com',`
163	`'data:image/png',`
164	`'data:application/javascript',`
165	`'data:text/css',`
166	`'data:text/html',`
167
168	`'javajavascript:script:alert(0)',`
169	`'javaXscript:alert(0)',`
170	`'ABCjavascript:alert(0)'`
171	`];`
172
173	`if (expectedResults && expectedResults.length > testStrings.length)`
174	`throw new Error('must take ' + testStrings.length + ' expected results');`
175
176	`testStrings.forEach(function (str, i) {`
177	`expect(filter(str)).to.eql(expectedResults && expectedResults[i] ? expectedResults[i] : defaultResults[i]);`
178	`});`
179	`};`
180
181	`exports.test_yu = function (filter) {`
182	`var str, o;`
183	`str = 'http://6.6.6.6/?q=[somewhere]';`
184	`o = filter(str);`
185	`expect(o).to.eql(encodeURI(str));`
186
187	`str = 'http://6.6.6.6/somewhere';`
188	`o = filter(str);`
189	`expect(o).to.eql(encodeURI(str));`
190
191	`str = '//6.6.6.6/somewhere';`
192	`o = filter(str);`
193	`expect(o).to.eql(encodeURI(str));`
194
195	`str = 'http://[6.6.6.6]/somewhere';`
196	`o = filter(str);`
197	`expect(o).to.eql(encodeURI(str));`
198
199	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere';`
200	`o = filter(str);`
201	`expect(o).to.eql(encodeURI(str));`
202
203	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]';`
204	`o = filter(str);`
205	`expect(o).to.eql(encodeURI(str));`
206
207	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80';`
208	`o = filter(str);`
209	`expect(o).to.eql(encodeURI(str));`
210
211	`str = '[]?&=#/:;';`
212	`o = filter(str);`
213	`expect(o).to.eql(encodeURI(str));`
214
215	`// an feature indicator of which encodeURI()/encodeURIComponent() is used`
216	`str = 'foo\uD800';`
217	`try {`
218	`o = filter(str);`
219	`} catch (err) {`
220	`expect(err.message).to.eql('URI malformed');`
221	`}`
222	`};`
223
224	`exports.test_yufull = function (filter, expectedResults) {`
225	`if (!expectedResults \|\| expectedResults.length !== 1)`
226	`throw new Error('must take 1 expected results');`
227
228	`var str, o;`
229	`str = 'http://6.6.6.6/?q=[somewhere]';`
230	`o = filter(str);`
231	`expect(o).to.eql('http://6.6.6.6/?q=%5Bsomewhere%5D');`
232
233	`str = 'http://6.6.6.6/somewhere';`
234	`o = filter(str);`
235	`expect(o).to.eql(encodeURI(str));`
236
237	`str = '//6.6.6.6/somewhere';`
238	`o = filter(str);`
239	`expect(o).to.eql(encodeURI(str));`
240
241	`str = 'http://[6.6.6.6]/somewhere';`
242	`o = filter(str);`
243	`expect(o).to.eql(encodeURI(str));`
244
245	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere';`
246	`o = filter(str);`
247	`expect(o).to.eql(str);`
248
249	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]';`
250	`o = filter(str);`
251	`expect(o).to.eql(expectedResults[0]);`
252
253	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80';`
254	`o = filter(str);`
255	`expect(o).to.eql(str);`
256
257	`str = '[]?&=#/:;';`
258	`o = filter(str);`
259	`expect(o).to.eql(encodeURI(str));`
260
261	`// an feature indicator of which encodeURI()/encodeURIComponent() is used`
262	`str = 'foo\uD800';`
263	`try {`
264	`o = filter(str);`
265	`} catch (err) {`
266	`expect(err.message).to.eql('URI malformed');`
267	`}`
268	`};`
269
270	`exports.test_yuc = function (filter) {`
271	`var str, o;`
272	`str = 'http://6.6.6.6/?q=[somewhere]';`
273	`o = filter(str);`
274	`expect(o).to.eql(encodeURIComponent(str));`
275
276	`str = 'http://6.6.6.6/somewhere';`
277	`o = filter(str);`
278	`expect(o).to.eql(encodeURIComponent(str));`
279
280	`str = '//6.6.6.6/somewhere';`
281	`o = filter(str);`
282	`expect(o).to.eql(encodeURIComponent(str));`
283
284	`str = 'http://[6.6.6.6]/somewhere';`
285	`o = filter(str);`
286	`expect(o).to.eql(encodeURIComponent(str));`
287
288	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]/somewhere';`
289	`o = filter(str);`
290	`expect(o).to.eql(encodeURIComponent(str));`
291
292	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]';`
293	`o = filter(str);`
294	`expect(o).to.eql(encodeURIComponent(str));`
295
296	`str = 'http://[2001:0db8:85a3:0000:0000:8a2e:0370:7334]:80';`
297	`o = filter(str);`
298	`expect(o).to.eql(encodeURIComponent(str));`
299
300	`str = '[]?&=#/:;';`
301	`o = filter(str);`
302	`expect(o).to.eql(encodeURIComponent(str));`
303
304	`// an feature indicator of which encodeURI()/encodeURIComponent() is used`
305	`str = 'foo\uD800';`
306	`try {`
307	`o = filter(str);`
308	`} catch (err) {`
309	`expect(err.message).to.eql('URI malformed');`
310	`}`
311	`};`
312
313	`})();`