예제 #1
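 // Every character the fixture lists in CSS_STRING_SENSITIVE_CHARS must be
 // transformed by Escape.CssString so that it no longer appears verbatim in
 // the output (the fixture's name suggests these are the characters that can
 // move a parser out of a CSS string context - confirm against the constant).
 public void TestCSSStringEscaper_Transtions()
 {
     foreach (var sensitiveCharacter in CSS_STRING_SENSITIVE_CHARS)
     {
         var escaped = Escape.CssString(sensitiveCharacter);

         // Report which character survived instead of a bare "expected false".
         Assert.IsFalse(escaped.Contains(sensitiveCharacter),
             "CSS string escaper left sensitive character [" + sensitiveCharacter
             + "] in output: " + escaped);
     }
 }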
예제 #2
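        // Layered escaping for a URL nested in a CSS string nested in an HTML
        // attribute. The escapers are applied innermost context first (URI),
        // then CSS string, then HTML, mirroring the nesting of:
        //   <span style="background-image:url('TAINTED_DATA_HERE')">...
        // None of the sequences that would break out of any of those three
        // contexts may survive the full chain.
        public void TestNestedURLInCSSInHTMLEscaper_String()
        {
            string beforeEscape = "javascript:alert(1) break child context % close parent context ') escape"
                                  + " parent context \" escape parent context </span>";
            string afterEscape = Escape.Html(Escape.CssString(Escape.Uri(beforeEscape)));

            string[] badSequences =
            {
                "javascript:",
                // An entity-encoded colon is just as dangerous: the attribute value is
                // entity-decoded before it reaches the CSS parser, so it would still
                // yield a javascript: URI. Both the decimal and the hex reference are
                // checked; the previous "&#3A;" was neither and could never match.
                "javascript&#58;",
                "javascript&#x3A;",
                " % ",
                // Same reasoning for '%': decimal and hex references of 0x25.
                " &#37; ",
                " &#x25; ",
                "')",
                "\n",
                "\"",
                "</span>"
            };

            foreach (var badSequence in badSequences)
            {
                Assert.IsFalse(afterEscape.Contains(badSequence),
                    "Escaped output still contains [" + badSequence + "]: " + afterEscape);
            }
        }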
예제 #3
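 // Each line-break sequence in WEB_NEW_LINES must be neutralised by all three
 // string escapers (HTML, CSS string, JS string); a raw line break surviving
 // into any of those contexts is a context-transition hazard.
 public void TestAllStringEscaper_Transtions()
 {
     foreach (var sensitiveCharacter in WEB_NEW_LINES)
     {
         // One assertion per escaper, each naming itself on failure so a red
         // test says which escaper leaked the sequence.
         Assert.IsFalse(Escape.Html(sensitiveCharacter).Contains(sensitiveCharacter),
             "Escape.Html left [" + sensitiveCharacter + "] in its output");
         Assert.IsFalse(Escape.CssString(sensitiveCharacter).Contains(sensitiveCharacter),
             "Escape.CssString left [" + sensitiveCharacter + "] in its output");
         Assert.IsFalse(Escape.JsString(sensitiveCharacter).Contains(sensitiveCharacter),
             "Escape.JsString left [" + sensitiveCharacter + "] in its output");
     }
 }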
예제 #4
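 // Every escaper must tolerate a null input without throwing: a null EL
 // variable reaching an escaper is a common scenario, and an exception there
 // would turn a harmless missing value into a page error.
 public void TestForNullInput()
 {
     try
     {
         Escape.Html(null);
         Escape.HtmlText(null);
         Escape.JsString(null);
         Escape.JsRegex(null);
         Escape.CssString(null);
         Escape.Uri(null);
         Escape.UriParam(null);
         Escape.SqlLikeClause(null, '\\');
         Escape.SqlLikeClause(null);
     }
     catch (Exception ex)
     {
         // Fail with the actual exception so the report shows which escaper threw
         // and why, rather than an anonymous Assert.IsTrue(false).
         Assert.Fail("Escapers must accept null input, but one threw: " + ex);
     }
 }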
예제 #5
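        // A tainted value placed inside a quoted CSS string within a <style>
        // element, like so:
        //   <style> li [id *= 'TAINTED_DATA_HERE'] { ... } </style>
        // After Escape.CssString, nothing that could close the quote, continue
        // the string with a backslash, break the line, or end the <style>
        // element may remain.
        public void TestCSSStringEscaper_String()
        {
            string beforeEscape = "close context' \" continue context \\ break context \n"
                                  + " escape HTML context </style>"
                                  + " control chars: \b \t \n \f \r";
            string afterEscape = Escape.CssString(beforeEscape);

            string[] badSequences =
            {
                "'",
                "\"",
                "\\ ",      // a lone backslash followed by a space, as in the input
                "\n",
                "\r",
                "\t",
                "\f",
                "\b",       // present in the input's control-char list but was never asserted
                "</style>",
            };

            foreach (var badSequence in badSequences)
            {
                Assert.IsFalse(afterEscape.Contains(badSequence),
                    "CSS string escaper left [" + badSequence + "] in output: " + afterEscape);
            }
        }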