/* * Copyright 2011 Google Inc. * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package com.google.template.soy.shared.restricted; import com.google.common.collect.ImmutableSet; import com.google.template.soy.data.Dir; import com.google.template.soy.data.SanitizedContent; import com.google.template.soy.data.SanitizedContent.ContentKind; import com.google.template.soy.data.SoyValue; import com.google.template.soy.data.UnsafeSanitizedContentOrdainer; import com.google.template.soy.data.restricted.BooleanData; import com.google.template.soy.data.restricted.FloatData; import com.google.template.soy.data.restricted.IntegerData; import com.google.template.soy.data.restricted.NullData; import com.google.template.soy.data.restricted.StringData; import com.google.template.soy.shared.restricted.TagWhitelist.OptionalSafeTag; import junit.framework.TestCase; import java.util.logging.Level; import java.util.logging.Logger; public class SanitizersTest extends TestCase { private static final String ASCII_CHARS; static { StringBuilder sb = new StringBuilder(0x80); for (int i = 0; i < 0x80; ++i) { sb.append((char) i); } ASCII_CHARS = sb.toString(); } private static final SoyValue ASCII_CHARS_SOYDATA = StringData.forValue(ASCII_CHARS); /** Substrings that might change the parsing mode of scripts they are embedded in. */ private static final String[] EMBEDDING_HAZARDS = new String[] { "", "" }; public final void testEscapeJsString() { // The minimal escapes. // Do not remove anything from this set without talking to your friendly local ise-team@. assertEquals( "\\x00 \\x22 \\x27 \\\\ \\r \\n \\u2028 \\u2029", Sanitizers.escapeJsString("\u0000 \" \' \\ \r \n \u2028 \u2029")); for (String hazard : EMBEDDING_HAZARDS) { assertFalse(hazard, Sanitizers.escapeJsString(hazard).contains(hazard)); } // Check correctness of other Latins. String escapedAscii = ( "\\x00\u0001\u0002\u0003\u0004\u0005\u0006\u0007\\x08\\t\\n\\x0b\\f\\r\u000e\u000f" + "\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017" + "\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f" + " !\\x22#$%\\x26\\x27()*+,-.\\/" + "0123456789:;\\x3c\\x3d\\x3e?" + "@ABCDEFGHIJKLMNO" + "PQRSTUVWXYZ[\\\\]^_" + "`abcdefghijklmno" + "pqrstuvwxyz{|}~\u007f"); assertEquals(escapedAscii, Sanitizers.escapeJsString(ASCII_CHARS)); assertEquals(escapedAscii, Sanitizers.escapeJsString(ASCII_CHARS_SOYDATA)); } public final void testEscapeJsRegExpString() { // The minimal escapes. // Do not remove anything from this set without talking to your friendly local ise-team@. assertEquals( "\\x00 \\x22 \\x27 \\\\ \\/ \\r \\n \\u2028 \\u2029" + // RegExp operators. " \\x24\\x5e\\x2a\\x28\\x29\\x2d\\x2b\\x7b\\x7d\\x5b\\x5d\\x7c\\x3f", Sanitizers.escapeJsRegex( "\u0000 \" \' \\ / \r \n \u2028 \u2029" + " $^*()-+{}[]|?")); for (String hazard : EMBEDDING_HAZARDS) { assertFalse(hazard, Sanitizers.escapeJsRegex(hazard).contains(hazard)); } String escapedAscii = ( "\\x00\u0001\u0002\u0003\u0004\u0005\u0006\u0007\\x08\\t\\n\\x0b\\f\\r\u000e\u000f" + "\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017" + "\u0018\u0019\u001a\u001b\u001c\u001d\u001e\u001f" + " !\\x22#\\x24%\\x26\\x27\\x28\\x29\\x2a\\x2b\\x2c\\x2d\\x2e\\/" + "0123456789\\x3a;\\x3c\\x3d\\x3e\\x3f" + "@ABCDEFGHIJKLMNO" + "PQRSTUVWXYZ\\x5b\\\\\\x5d\\x5e_" + "`abcdefghijklmno" + "pqrstuvwxyz\\x7b\\x7c\\x7d~\u007f"); assertEquals(escapedAscii, Sanitizers.escapeJsRegex(ASCII_CHARS)); assertEquals(escapedAscii, Sanitizers.escapeJsRegex(ASCII_CHARS_SOYDATA)); } public final void testEscapeJsValue() { assertEquals( // Adds quotes. "'Don\\x27t run with \\x22scissors\\x22.\\n'", Sanitizers.escapeJsValue("Don't run with \"scissors\".\n")); assertEquals( // SoyValue version does the same as String version. "'Don\\x27t run with \\x22scissors\\x22.\\n'", Sanitizers.escapeJsValue(StringData.forValue("Don't run with \"scissors\".\n"))); assertEquals( " 4.0 ", Sanitizers.escapeJsValue(IntegerData.forValue(4))); assertEquals( " 4.5 ", Sanitizers.escapeJsValue(FloatData.forValue(4.5))); assertEquals( " true ", Sanitizers.escapeJsValue(BooleanData.TRUE)); assertEquals( " null ", Sanitizers.escapeJsValue(NullData.INSTANCE)); assertEquals( "foo() + bar", Sanitizers.escapeJsValue(UnsafeSanitizedContentOrdainer.ordainAsSafe( "foo() + bar", SanitizedContent.ContentKind.JS))); // Wrong content kind should be wrapped in a string. assertEquals( "'foo() + bar'", Sanitizers.escapeJsValue(UnsafeSanitizedContentOrdainer.ordainAsSafe( "foo() + bar", SanitizedContent.ContentKind.HTML))); } public final void testEscapeCssString() { // The minimal escapes. // Do not remove anything from this set without talking to your friendly local ise-team@. assertEquals( "\\0 \\22 \\27 \\5c \\a \\c \\d ", Sanitizers.escapeCssString("\u0000 \" \' \\ \n \u000c \r")); for (String hazard : EMBEDDING_HAZARDS) { assertFalse(hazard, Sanitizers.escapeCssString(hazard).contains(hazard)); } String escapedAscii = ( "\\0 \u0001\u0002\u0003\u0004\u0005\u0006\u0007\\8 \\9 \\a \\b \\c \\d \u000e\u000f" + "\u0010\u0011\u0012\u0013\u0014\u0015\u0016\u0017" + "\u0018\u0019\u001A\u001B\u001C\u001D\u001E\u001F" + " !\\22 #$%\\26 \\27 \\28 \\29 \\2a +,-.\\2f " + "0123456789\\3a \\3b \\3c \\3d \\3e ?" + "\\40 ABCDEFGHIJKLMNO" + "PQRSTUVWXYZ[\\5c ]^_" + "`abcdefghijklmno" + "pqrstuvwxyz\\7b |\\7d ~\u007f"); assertEquals(escapedAscii, Sanitizers.escapeCssString(ASCII_CHARS)); assertEquals(escapedAscii, Sanitizers.escapeCssString(ASCII_CHARS_SOYDATA)); } public final void testFilterCssValue() { assertEquals("33px", Sanitizers.filterCssValue("33px")); assertEquals("33px", Sanitizers.filterCssValue(StringData.forValue("33px"))); assertEquals("-.5em", Sanitizers.filterCssValue("-.5em")); assertEquals("inherit", Sanitizers.filterCssValue("inherit")); assertEquals("display", Sanitizers.filterCssValue("display")); assertEquals("none", Sanitizers.filterCssValue("none")); assertEquals("#id", Sanitizers.filterCssValue("#id")); assertEquals(".class", Sanitizers.filterCssValue(".class")); assertEquals("red", Sanitizers.filterCssValue("red")); assertEquals("#aabbcc", Sanitizers.filterCssValue("#aabbcc")); assertEquals("zSoyz", Sanitizers.filterCssValue("expression")); assertEquals("zSoyz", Sanitizers.filterCssValue(StringData.forValue("expression"))); assertEquals("zSoyz", Sanitizers.filterCssValue("Expression")); assertEquals("zSoyz", Sanitizers.filterCssValue("\\65xpression")); assertEquals("zSoyz", Sanitizers.filterCssValue("\\65 xpression")); assertEquals("zSoyz", Sanitizers.filterCssValue("-moz-binding")); assertEquals("zSoyz", Sanitizers.filterCssValue("/*")); assertEquals("zSoyz", Sanitizers.filterCssValue("color:expression('whatever')")); assertEquals("color:expression('whatever')", Sanitizers.filterCssValue( UnsafeSanitizedContentOrdainer.ordainAsSafe( "color:expression('whatever')", SanitizedContent.ContentKind.CSS))); for (String hazard : EMBEDDING_HAZARDS) { assertFalse(hazard, Sanitizers.filterCssValue(hazard).contains(hazard)); } } public final void testFilterHtmlAttributes() { assertEquals("dir", Sanitizers.filterHtmlAttributes("dir")); assertEquals("data-foo", Sanitizers.filterHtmlAttributes("data-foo")); assertEquals("hamburger", Sanitizers.filterHtmlAttributes("hamburger")); assertEquals("action-packed", Sanitizers.filterHtmlAttributes("action-packed")); assertEquals("dir", Sanitizers.filterHtmlAttributes(StringData.forValue("dir"))); assertEquals("zSoyz", Sanitizers.filterHtmlAttributes(">", ContentKind.HTML), Sanitizers.cleanHtml(UnsafeSanitizedContentOrdainer.ordainAsSafe( "", ContentKind.HTML))); } public final void testCleanHtml_optionalSafeTags() { // No OptionalSafeTags. assertEquals(UnsafeSanitizedContentOrdainer.ordainAsSafe("ff", ContentKind.HTML), Sanitizers.cleanHtml("
  1. f
")); // One OptionalSafeTag. assertEquals(UnsafeSanitizedContentOrdainer.ordainAsSafe( "ff", ContentKind.HTML), Sanitizers.cleanHtml( StringData.forValue("
  1. f
"), ImmutableSet.of(OptionalSafeTag.SPAN))); // All OptionalSafeTags. assertEquals(UnsafeSanitizedContentOrdainer.ordainAsSafe( "
  1. f
", ContentKind.HTML), Sanitizers.cleanHtml( StringData.forValue("
  1. f
"), ImmutableSet.copyOf(OptionalSafeTag.values()))); // Does not preserve
  • which are not nested in a parent
      or
    "), ImmutableSet.of(OptionalSafeTag.LI, OptionalSafeTag.OL, OptionalSafeTag.UL))); assertEquals( UnsafeSanitizedContentOrdainer.ordainAsSafe( "
    1. 0
      1. 1
    2. 2
    3", ContentKind.HTML), Sanitizers.cleanHtml( StringData.forValue("
    1. 0
      1. 1
    2. 2
    "), ImmutableSet.of(OptionalSafeTag.LI, OptionalSafeTag.OL))); assertEquals( UnsafeSanitizedContentOrdainer.ordainAsSafe("", ContentKind.HTML), Sanitizers.cleanHtml( StringData.forValue("