3 declare(strict_types
=1);
5 namespace PhpMyAdmin\Tests
;
7 use PhpMyAdmin\Sanitize
;
9 class SanitizeTest
extends AbstractTestCase
12 * Sets up the fixture, for example, opens a network connection.
13 * This method is called before a test is executed.
15 protected function setUp(): void
18 parent
::setLanguage();
/**
 * Tests for proper escaping of XSS.
 *
 * A `javascript:` URL inside [a@...@target] markup is not turned into an
 * anchor: the opening markup is expected to survive as literal text while
 * the closing [/a] is still rendered as </a>.
 */
public function testXssInHref(): void
{
    $markup = '[a@javascript:alert(\'XSS\');@target]link[/a]';
    $expected = '[a@javascript:alert(\'XSS\');@target]link</a>';

    self::assertEquals($expected, Sanitize::sanitizeMessage($markup));
}
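/**
 * Tests correct generating of link redirector.
 *
 * An external https URL in [a@url@target] markup is expected to be routed
 * through the ./url.php redirector (URL-encoded) with the given target
 * attribute, independent of the `server` and `lang` globals.
 */
public function testLink(): void
{
    $lang = $GLOBALS['lang'];
    // `server` may not be set by the fixture; remember it only if it is.
    $server = $GLOBALS['server'] ?? null;

    unset($GLOBALS['server']);
    unset($GLOBALS['lang']);

    try {
        $this->assertEquals(
            '<a href="./url.php?url=https%3A%2F%2Fwww.phpmyadmin.net%2F" target="target">link</a>',
            Sanitize::sanitizeMessage('[a@https://www.phpmyadmin.net/@target]link[/a]')
        );
    } finally {
        // Restore in `finally` so a failing assertion cannot leak the unset
        // globals into later tests; `server` was previously never restored.
        $GLOBALS['lang'] = $lang;
        if ($server !== null) {
            $GLOBALS['server'] = $server;
        }
    }
}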
/**
 * Tests links to documentation.
 *
 * [doc@...] markup is expected to produce an anchor through the ./url.php
 * redirector pointing at docs.phpmyadmin.net, with target="documentation".
 *
 * @param string $link     link
 * @param string $expected expected result
 *
 * @dataProvider docLinks
 */
public function testDoc(string $link, string $expected): void
{
    $prefix = '<a href="./url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2Fen%2Flatest%2F';
    $suffix = '" target="documentation">doclink</a>';

    self::assertEquals(
        $prefix . $expected . $suffix,
        Sanitize::sanitizeMessage('[doc@' . $link . ']doclink[/doc]')
    );
}
67 * Data provider for sanitize [doc@foo] markup
71 public function docLinks(): array
80 'config.html%23cfg_TitleTable',
/**
 * Tests link target validation.
 *
 * A target that is not on the allowed list (here "INVALID9") stops the
 * markup from becoming an anchor; only the closing [/a] is rendered.
 */
public function testInvalidTarget(): void
{
    $rendered = Sanitize::sanitizeMessage('[a@./Documentation.html@INVALID9]doc[/a]');

    self::assertEquals('[a@./Documentation.html@INVALID9]doc</a>', $rendered);
}
/**
 * Tests XSS escaping after valid link.
 *
 * Attribute injection appended to an otherwise valid relative path (a
 * closing quote followed by onmouseover=...) does not produce an anchor;
 * the opening markup is expected to be left as literal text.
 */
public function testLinkDocXss(): void
{
    $markup = '[a@./Documentation.html" onmouseover="alert(foo)"]doc[/a]';

    self::assertEquals(
        '[a@./Documentation.html" onmouseover="alert(foo)"]doc</a>',
        Sanitize::sanitizeMessage($markup)
    );
}
/**
 * Tests proper handling of multi link code.
 *
 * Two links in one message: the https docs link is expected to become a
 * redirector anchor, while the following javascript: link stays literal
 * text (only its [/a] is rendered). The rejected link must not disturb
 * the valid one in front of it.
 */
public function testLinkAndXssInHref(): void
{
    $validDoc = '<a href="./url.php?url=https%3A%2F%2Fdocs.phpmyadmin.net%2F">doc</a>';
    $rejected = '[a@javascript:alert(\'XSS\');@target]link</a>';

    self::assertEquals(
        $validDoc . $rejected,
        Sanitize::sanitizeMessage(
            '[a@https://docs.phpmyadmin.net/]doc[/a][a@javascript:alert(\'XSS\');@target]link[/a]'
        )
    );
}
/**
 * Test escaping of HTML tags
 *
 * Raw markup passed through sanitizeMessage() is expected to come back in
 * a form the browser cannot interpret as a tag (here a div carrying an
 * onclick handler).
 *
 * NOTE(review): this listing shows the expected value unescaped, which
 * contradicts the test's purpose; the `<`/`>` were probably turned back
 * from `&lt;`/`&gt;` by the page rendering — confirm against the
 * repository before relying on this literal.
 */
public function testHtmlTags(): void
{
    $input = '<div onclick="">';

    self::assertEquals('<div onclick="">', Sanitize::sanitizeMessage($input));
}
/**
 * Tests basic BB code.
 *
 * [strong]...[/strong] is rendered as a <strong> element.
 */
public function testBBCode(): void
{
    $rendered = Sanitize::sanitizeMessage('[strong]strong[/strong]');

    self::assertEquals('<strong>strong</strong>', $rendered);
}
/**
 * Tests output escaping.
 *
 * With the second argument set to true the rendered result itself is
 * escaped, so the generated <strong> tags are expected to come back as
 * text rather than markup.
 *
 * NOTE(review): the listing shows the expected value identical to the
 * unescaped BB code result, which contradicts the purpose of the escape
 * flag; the entities were probably decoded by the page rendering —
 * confirm against the repository before relying on this literal.
 */
public function testEscape(): void
{
    $escaped = Sanitize::sanitizeMessage('[strong]strong[/strong]', true);

    self::assertEquals('<strong>strong</strong>', $escaped);
}
163 * Test for Sanitize::sanitizeFilename
165 public function testSanitizeFilename(): void
169 Sanitize
::sanitizeFilename('File_name 123')
174 * Test for Sanitize::getJsValue
176 * @param string $key Key
177 * @param string|bool|int $value Value
178 * @param string $expected Expected output
180 * @dataProvider variables
182 public function testGetJsValue(string $key, $value, string $expected): void
184 $this->assertEquals($expected, Sanitize
::getJsValue($key, $value));
185 $this->assertEquals('foo = 100', Sanitize
::getJsValue('foo', '100', false));
192 "foo = [\"1\",\"2\",\"3\",];\n",
193 Sanitize
::getJsValue('foo', $array)
196 "foo = \"bar\\\"baz\";\n",
197 Sanitize
::getJsValue('foo', 'bar"baz')
/**
 * Test for Sanitize::jsFormat
 *
 * A plain identifier is wrapped in backticks.
 */
public function testJsFormat(): void
{
    $formatted = Sanitize::jsFormat('foo');

    self::assertEquals('`foo`', $formatted);
}
210 * Provider for testFormat
214 public function variables(): array
245 "foo = \"quote\\\"\";\n",
250 "foo = \"apostroph\\'\";\n",
/**
 * Sanitize::escapeJsString tests
 *
 * Each provider row pairs a raw string with the form that is safe to embed
 * in a JavaScript string literal.
 *
 * @param string $target expected output
 * @param string $source string to be escaped
 *
 * @dataProvider escapeDataProvider
 */
public function testEscapeJsString(string $target, string $source): void
{
    $escaped = Sanitize::escapeJsString($source);

    self::assertEquals($target, $escaped);
}
269 * Data provider for testEscape
271 * @return array data for testEscape test case
273 public function escapeDataProvider(): array
281 '\r\n\\\'<scrIpt></\' + \'script>',
282 "\r\n'<scrIpt></sCRIPT>",
289 '</\' + \'script></head><body>[HTML]',
290 '</SCRIPT></head><body>[HTML]',
297 "\\\\\'\'\'\'\'\'\'\'\'\'\'\'\\\\",
304 * Test for removeRequestVars
306 public function testRemoveRequestVars(): void
308 $GLOBALS['_POST'] = [];
309 $_REQUEST['foo'] = 'bar';
310 $_REQUEST['allow'] = 'all';
311 $_REQUEST['second'] = 1;
316 Sanitize
::removeRequestVars($allow_list);
317 $this->assertArrayNotHasKey('foo', $_REQUEST);
318 $this->assertArrayNotHasKey('second', $_REQUEST);
319 $this->assertArrayHasKey('allow', $_REQUEST);