// CSS-string escaper, transition check: for every character in
// CSS_STRING_SENSITIVE_CHARS (the set that can terminate or alter a CSS string
// literal), the output of Escape.CssString must not contain that character in
// its raw form. A raw occurrence would let tainted data close the quote and
// change the CSS context it is embedded in.
public void TestCSSStringEscaper_Transtions()
{
    foreach (var raw in CSS_STRING_SENSITIVE_CHARS)
    {
        var escaped = Escape.CssString(raw);

        Assert.IsFalse(escaped.Contains(raw),
            "CssString left a sensitive character unescaped: " + raw);
    }
}
// Nested-context check: tainted data inside a URL, inside a CSS string, inside
// an HTML attribute, i.e.
//   <span style="background-image:url('TAINTED_DATA_HERE')">...
// The escapers are applied innermost context first (URI, then CSS string, then
// HTML) so each layer's output is a safe literal for the layer outside it.
public void TestNestedURLInCSSInHTMLEscaper_String()
{
    // The payload tries, in order: a script scheme, a break via '%', closing
    // url('...') with "')", closing the attribute with a double quote, and
    // closing the element with </span>.
    string tainted =
        "javascript:alert(1) break child context % close parent context ') escape"
        + " parent context \" escape parent context </span>";

    string escaped = Escape.Html(Escape.CssString(Escape.Uri(tainted)));

    // None of these may survive the triple escape.
    // NOTE(review): the entries "javascriptA;" and "  " (two spaces) look
    // mangled in transcription (the former was commented as a form that should
    // not occur but would still fire a javascript: URI, the latter possibly a
    // tab); confirm against the upstream test before relying on them.
    string[] forbidden =
    {
        "javascript:",
        "javascriptA;",
        " % ",
        "  ",
        "')",
        "\n",
        "\"",
        "</span>",
    };

    foreach (var sequence in forbidden)
    {
        Assert.IsFalse(escaped.Contains(sequence),
            "nested escaping left a dangerous sequence: " + sequence);
    }
}
// Line-terminator check across escapers: each value in WEB_NEW_LINES (the
// project's list of web-relevant line breaks; contents not visible here) must
// be neutralised by the HTML, CSS-string and JS-string escapers, since a raw
// line break can terminate a JS or CSS string literal or split an HTML line.
public void TestAllStringEscaper_Transtions()
{
    foreach (var newline in WEB_NEW_LINES)
    {
        var html = Escape.Html(newline);
        var css = Escape.CssString(newline);
        var js = Escape.JsString(newline);

        Assert.IsFalse(html.Contains(newline), "Html left a line terminator unescaped");
        Assert.IsFalse(css.Contains(newline), "CssString left a line terminator unescaped");
        Assert.IsFalse(js.Contains(newline), "JsString left a line terminator unescaped");
    }
}
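// Every escaper must tolerate a null input without throwing: an unset
// template/EL variable reaches the escapers as null (a common case), and a
// throw there would turn a merely-missing value into a server error.
// NOTE(review): only the absence of an exception is checked; what the escapers
// return for null (null or an empty string) is not pinned by this test.
public void TestForNullInput()
{
    try
    {
        Escape.Html(null);
        Escape.HtmlText(null);
        Escape.JsString(null);
        Escape.JsRegex(null);
        Escape.CssString(null);
        Escape.Uri(null);
        Escape.UriParam(null);
        // SqlLikeClause presumably escapes LIKE wildcards only; it is not a
        // substitute for parameterised queries. Both overloads are exercised.
        Escape.SqlLikeClause(null, '\\');
        Escape.SqlLikeClause(null);
    }
    catch (Exception ex)
    {
        // Report the offending exception instead of a bare Assert.IsTrue(false),
        // which discarded it and left the failure undiagnosable.
        Assert.Fail("An escaper threw on null input: " + ex);
    }
}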
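// CSS-string escaper, realistic payload. Assumes the value sits inside a CSS
// string in a <style> element:
//   <style> li [id *= 'TAINTED_DATA_HERE'] { ... } </style>
// Beyond the CSS quote/backslash/line-break escapes, "</style>" must not
// survive either: the HTML parser ends the style element on that tag
// regardless of CSS quoting, so it is an HTML-context break as well.
public void TestCSSStringEscaper_String()
{
    string tainted =
        "close context' \" continue context \\ break context \n"
        + " escape HTML context </style>"
        + " control chars: \b \t \n \f \r";

    string escaped = Escape.CssString(tainted);

    // Sequences that must be absent from the escaped output (the duplicate
    // "\r" entry of the original list is dropped; the set checked is the same).
    // NOTE(review): "\b" is in the input but not asserted against; add it if
    // the escaper is expected to encode all C0 control characters.
    string[] forbidden =
    {
        "'",
        "\\ ",
        "\n",
        "\r",
        "\t",
        "\f",
        "\"",
        "</style>",
    };

    foreach (var sequence in forbidden)
    {
        Assert.IsFalse(escaped.Contains(sequence),
            "CssString left a dangerous sequence: " + sequence);
    }
}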