root/trunk/trax/test/InputFilterTest.php

<?php
/**
 *  File for the InputFilterTest class
 *
 * (PHP 5)
 *
 * @package PHPonTraxTest
 * @license http://opensource.org/licenses/gpl-license.php GNU Public License
 * @copyright (c) Walter O. Haas 2006
 * @version $Id$
 * @author Walt Haas <haas@xmission.com>
 */

echo "testing InputFilter\n";
require_once 'testenv.php';

// Call InputFilterTest::main() if this source file is executed directly.
if (!defined("PHPUnit2_MAIN_METHOD")) {
    define("PHPUnit2_MAIN_METHOD", "InputFilterTest::main");
}

require_once "PHPUnit2/Framework/TestCase.php";
require_once "PHPUnit2/Framework/TestSuite.php";

// You may remove the following line when all tests have been implemented.
require_once "PHPUnit2/Framework/IncompleteTestError.php";

require_once "input_filter.php";

/**
 * Test class for InputFilter.
 * Generated by PHPUnit2_Util_Skeleton on 2006-02-28 at 11:52:31.
 */
class InputFilterTest extends PHPUnit2_Framework_TestCase {

    /**
     * Runs the test methods of this class.
     *
     * @access public
     * @static
     */
    public static function main() {
        require_once "PHPUnit2/TextUI/TestRunner.php";

        $suite  = new PHPUnit2_Framework_TestSuite("InputFilterTest");
        $result = PHPUnit2_TextUI_TestRunner::run($suite);
    }

    /**
     * Sets up the fixture, for example, open a network connection.
     * This method is called before a test is executed.
     *
     * @access protected
     */
    protected function setUp() {
    }

    /**
     * Tears down the fixture, for example, close a network connection.
     * This method is called after a test is executed.
     *
     * @access protected
     */
    protected function tearDown() {
    }

    /**
     * Test the process() method
     */
    public function testProcess() {
        //  Trivial case, nothing to clean
        @new InputFilter();
        $this->assertEquals(InputFilter::process('foo'),'foo');
        $this->assertEquals(InputFilter::process(array('foo','bar')),
                            array('foo','bar'));
        //  Default constructor removes all tags
        $this->assertEquals(InputFilter::process('<ok>foobar</ok>'),
                            'foobar');        
        //  Allow all but blacklisted tags and attributes
        @new InputFilter(array(),array(),1,1,1);
        //  Irregular tag names are always filtered out
        $this->assertEquals(InputFilter::process('foo<#$>bar</#$>mumble'),
                            'foobarmumble');        
        //  $xssAuto=1 filters blacklisted tags and attributes
        $this->assertEquals(InputFilter::process('<body>foobar</body>'),
                            'foobar');        
        $this->assertEquals(InputFilter::process('<ok action="yes">foobar</ok>'),
                            '<ok>foobar</ok>');        
        //  With $xssAuto off, blacklisted tags and attributes are allowed
        @new InputFilter(array(),array(),1,1,0);
        $this->assertEquals(InputFilter::process('<body>foobar</body>'),
                            '<body>foobar</body>');        
        $this->assertEquals(InputFilter::process('<ok action="yes">foobar</ok>'),
                            '<ok action="yes">foobar</ok>');        
        //  tagMethod=1 permits all but listed tags
        @new InputFilter(array('foo'),array(),1,1,0);
        $this->assertEquals(
                InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'),
                'mumble<bar>grumble</bar>');        
        //  tagMethod=0 permits only listed tags
        @new InputFilter(array('foo'),array(),0,1,0);
        $this->assertEquals(
                InputFilter::process('<foo>mumble</foo><bar>grumble</bar>'),
                '<foo>mumble</foo>grumble');        
        //  attrMethod=1 permits all but listed attributes
        @new InputFilter(array(),array('dangerous'),1,1,0);
        $this->assertEquals(
              InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'),
              '<foo safe="1">mumble</foo>');        
        //  attrMethod=0 permits only listed tags
        @new InputFilter(array(),array('dangerous'),1,0,0);
        $this->assertEquals(
              InputFilter::process('<foo safe="1" dangerous="1">mumble</foo>'),
              '<foo dangerous="1">mumble</foo>');        
        //  accept only know safe tags
        @new InputFilter(array('div','span','strong','em'),
                  array('id','class'),0,0,0);
        $this->assertEquals(
                            InputFilter::process(
         '<body class="full">mumble<span class="error" color="red">'
        .'grumble</span>burfl</body>'),
         'mumble<span class="error">grumble</span>burfl');
    }

    /**
     * Test process_all() method
     */
    public function testProcess_all() {
        $_GET = array('<tag1>foo</tag1>');
        $_POST = array('<tag2>bar</tag2>');
        $_REQUEST = array('<tag3>mumble</tag3>');

        //  Default is to remove all tags
        InputFilter::process_all();
        $this->assertEquals($_GET,array('foo'));
        $this->assertEquals($_POST,array('bar'));
        $this->assertEquals($_REQUEST,array('mumble'));
    }

    /**
     *  Test saveSQL()
     *  @todo Figure out problem w/ mysql_real_escape_string()
     *  @todo Figure out how to test with magic quotes either on or off
     */
    public function testSafeSQL() {
        $rs = mysql_connect();
        if ($rs == false) {
            PHPUnit2_Framework_Assert::fail("InputFilterTest:"
                                     ." unable to open a connction to MySQL");
        }
        //  Trivial case, nothing to clean
        $this->assertEquals(InputFilter::safeSQL('foo',$rs),'foo');
        $this->assertEquals(InputFilter::safeSQL(array('foo','bar'),$rs),
                            array('foo','bar'));
        if (get_magic_quotes_gpc()) {
            // verify stripping of magic quotes
            //  FIXME: figure out how to test this case
            $this->assertEquals(
            InputFilter::safeSQL('a\\\'b\\"c\\\\d\\\x00e\\\nf\\\rg\\\x1a',$rs),
                                 'a\\\'b\\"c\\\\d\\\x00e\\\nf\\\rg\\\x1a');
        }
        else {
            // verify magic quotes aren't there
            $pattern = "a'b\"c\\d\x00e\nf\rg\x1ah";
            $non_zero_pattern = "a'b\"c\\de\nf\rg\x1ah";
            $quoted_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\\x1ah";
            $quoted_non_zero_pattern = "a\\'b\\\"c\\\\de\\\nf\\\rg\\\x1ah";
//            echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
//            $this->assertEquals(mysql_real_escape_string($non_zero_pattern),
//                                $quoted_non_zero_pattern);
//            echo "\nIf this fails it means mysql_real_escape_string() is broken: ";
//            $this->assertEquals(mysql_real_escape_string($pattern),
//                                $quoted_pattern);
//            $this->assertEquals(
//                   InputFilter::safeSQL($pattern,$rs),$quoted_pattern);
        }
        // Remove the following line when you complete this test.
        throw new PHPUnit2_Framework_IncompleteTestError;
    }
}

// Call InputFilterTest::main() if this source file is executed directly.
if (PHPUnit2_MAIN_METHOD == "InputFilterTest::main") {
    InputFilterTest::main();
}

// -- set Emacs parameters --
// Local variables:
// tab-width: 4
// c-basic-offset: 4
// c-hanging-comment-ender-p: nil
// indent-tabs-mode: nil
// End:
?>