<?php
/* Copyright (C) 2010 Laurent Destailleur  <eldy@users.sourceforge.net>
 * Copyright (C) 2023 Alexandre Janniaux   <alexandre.janniaux@gmail.com>
 *
 * This program is free software; you can redistribute it and/or modify
 * it under the terms of the GNU General Public License as published by
 * the Free Software Foundation; either version 3 of the License, or
 * (at your option) any later version.
 *
 * This program is distributed in the hope that it will be useful,
 * but WITHOUT ANY WARRANTY; without even the implied warranty of
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
 * GNU General Public License for more details.
 *
 * You should have received a copy of the GNU General Public License
 * along with this program. If not, see <https://www.gnu.org/licenses/>.
 * or see https://www.gnu.org/
 */

/**
 *      \file       test/phpunit/SecurityTest.php
 *      \ingroup    test
 *      \brief      PHPUnit test
 *      \remarks    To run this script as CLI:  phpunit filename.php
 */

global $conf, $user, $langs, $db;
//define('TEST_DB_FORCE_TYPE','mysql');	// This is to force using mysql driver
//require_once 'PHPUnit/Autoload.php';

// Boot the framework in its bare, non-interactive mode. These flags switch off
// the CSRF token check, the login/session layer and the UI loaders, because the
// test is driven from the CLI and has no HTTP request to validate.
// They are test-only: code reachable through a web server must never set them.
$testOnlyFlags = array(
	'NOREQUIRESOC',
	'NOCSRFCHECK',		// no CSRF token to verify on a CLI run
	'NOTOKENRENEWAL',
	'NOREQUIREMENU',	// there is no menu to show
	'NOREQUIREHTML',	// no need to load html.form.class.php
	'NOREQUIREAJAX',
	'NOLOGIN',			// page is "public": callable outside a logged session
	'NOSESSION',
);
foreach ($testOnlyFlags as $flag) {
	if (!defined($flag)) {
		define($flag, '1');
	}
}
unset($testOnlyFlags, $flag);	// do not leak helper variables into the global scope

require_once dirname(__FILE__).'/../../htdocs/main.inc.php';
require_once dirname(__FILE__).'/../../htdocs/core/lib/security.lib.php';
require_once dirname(__FILE__).'/../../htdocs/core/lib/security2.lib.php';

// With NOLOGIN set, main.inc.php leaves $user empty: run the tests with the
// rights of user id 1 (expected to be the admin account created at install).
if (empty($user->id)) {
	print "Load permissions for admin user nb 1\n";
	$user->fetch(1);
	$user->getrights();
}
// Never let a test send a real email.
$conf->global->MAIN_DISABLE_ALL_MAILS = 1;
/**
 * Class for PHPUnit tests
 *
 * @backupGlobals disabled
 * @backupStaticAttributes enabled
 * @remarks	backupGlobals must be disabled to have db, conf, user and lang not erased.
 */
class SecurityTest extends PHPUnit\Framework\TestCase
{
protected $savconf ;
protected $savuser ;
protected $savlangs ;
protected $savdb ;
/**
 * Constructor
 * We save global variables into local variables
 *
 * @param 	string	$name		Name
 * @return SecurityTest
 */
public function __construct($name = '')
{
	parent::__construct($name);

	// Remember the framework globals ($conf, $user, $langs, $db) so that setUp()
	// can put them back before every test, whatever a previous test did to them.
	global $conf, $user, $langs, $db;
	$this->savconf = $conf;
	$this->savuser = $user;
	$this->savlangs = $langs;
	$this->savdb = $db;

	echo sprintf("%s db->type=%s user->id=%s\n", __METHOD__, $db->type, $user->id);
}
/**
 * setUpBeforeClass
 *
 * @return void
 */
public static function setUpBeforeClass(): void
{
	global $db;

	// Wrap the whole class in one transaction so that tearDownAfterClass() can
	// roll back every DB change, even when this class is run outside the suite.
	$db->begin();

	echo __METHOD__, "\n";
}
/**
 * tearDownAfterClass
 *
 * @return void
 */
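public static function tearDownAfterClass(): void
{
	global $db;

	// Undo every DB write made by the tests of this class (transaction opened in setUpBeforeClass()).
	$db->rollback();

	// Restore the request environment to a neutral state. The tests of this class
	// poison superglobals with attack payloads (PHP_SELF, HTTP_ACCEPT_LANGUAGE and
	// many $_GET/$_POST/$_COOKIE parameters) and @backupGlobals is disabled, so
	// nothing else cleans them up: left in place they would be silently fed to the
	// next test class of the same phpunit run. On a CLI run these arrays start
	// empty, so resetting them is the same as restoring the initial state.
	unset($_SERVER["PHP_SELF"]);
	unset($_SERVER['HTTP_ACCEPT_LANGUAGE']);
	$_GET = array();
	$_POST = array();
	$_COOKIE = array();

	print __METHOD__."\n";
}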
/**
 * Init phpunit tests
 *
 * @return void
 */
protected function setUp(): void
{
	// Re-seed the framework globals from the snapshot taken in the constructor so
	// that each test starts from the same $conf/$user/$langs/$db, even if an
	// earlier test replaced one of them.
	$snapshot = array(
		'conf'  => $this->savconf,
		'user'  => $this->savuser,
		'langs' => $this->savlangs,
		'db'    => $this->savdb,
	);
	foreach ($snapshot as $globalName => $savedValue) {
		$GLOBALS[$globalName] = $savedValue;
	}

	echo __METHOD__, "\n";
}
/**
 * End phpunit tests
 *
 * @return void
 */
protected function tearDown(): void
{
	// Nothing to restore per test: the globals are re-seeded in setUp() and the
	// DB transaction is rolled back once for the class in tearDownAfterClass().
	echo __METHOD__, "\n";
}
/**
 * testSetLang
 *
 * @return void
 */
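public function testSetLang()
{
	global $conf;
	$conf = $this->savconf;

	// setDefaultLang('auto') reads HTTP_ACCEPT_LANGUAGE: keep whatever the
	// environment had so the poisoned header does not leak into later tests.
	$savedAcceptLanguage = isset($_SERVER['HTTP_ACCEPT_LANGUAGE']) ? $_SERVER['HTTP_ACCEPT_LANGUAGE'] : null;

	$tmplangs = new Translate('', $conf);

	// A quote and spaces coming from the client header must be stripped from the
	// language code, so that the header can not inject into paths or queries built
	// from the lang (e.g. langs/<code>/ lookups).
	$_SERVER['HTTP_ACCEPT_LANGUAGE'] = "' malicious text with quote";
	try {
		$tmplangs->setDefaultLang('auto');
		print __METHOD__.' $tmplangs->defaultlang='.$tmplangs->defaultlang."\n";
		// assertEquals(expected, actual): only the sanitized code must survive
		$this->assertEquals('malicioustextwithquote_MALICIOUSTEXTWITHQUOTE', $tmplangs->defaultlang);
	} finally {
		if ($savedAcceptLanguage === null) {
			unset($_SERVER['HTTP_ACCEPT_LANGUAGE']);
		} else {
			$_SERVER['HTTP_ACCEPT_LANGUAGE'] = $savedAcceptLanguage;
		}
	}
}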
/**
 * testSqlAndScriptInjectWithPHPUnit
 *
 * @return void
 */
public function testSqlAndScriptInjectWithPHPUnit ()
{
// Drives testSqlAndScriptInject($val, $type) from security.lib.php with payloads
// taken from the OWASP filter-evasion cheat sheet plus a few SQL fragments.
// Judging by the assertion messages below: $type 0 = the value of a POST
// parameter, 1 = the value of a GET parameter, 2 = the PHP_SELF path.
// A result of 0 means "clean"; a result >= 1 means an injection pattern was
// detected (the attack cases accept any positive count).
// Run tests
// More on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
// Should be OK
$expectedresult = 0 ;
/*
$test = '' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( 0 , $result , 'Error on testSqlAndScriptInject kkk' );
*/
// A benign PHP_SELF, even with spaces in a directory name, must not be flagged.
$_SERVER [ " PHP_SELF " ] = '/DIR WITH SPACE/htdocs/admin/index.php' ;
$result = testSqlAndScriptInject ( $_SERVER [ " PHP_SELF " ], 2 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for PHP_SELF that should be ok' );
// Lone < and > and a harmless tag inside free text must not be flagged either.
$test = 'This is a < inside string with < and > also and tag like <a> before the >' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject expected 0b' );
// SQL keywords used as plain English words ("union", "selection") are not an attack.
$test = 'This is the union of all for the selection of the best' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject expected 0c' );
// A legitimate Dolibarr URL with several parameters must pass when checked as a GET value.
$test = '/user/perms.php?id=1&action=addrights&entity=1&rights=123&confirm=yes&token=123456789&updatedmodulename=lmscoursetracking' ;
$result = testSqlAndScriptInject ( $test , 1 );
print " test= " . $test . " result= " . $result . " \n " ;
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject with a valid url' );
// Should detect attack
$expectedresult = 1 ;
// Same benign path as above with a tag injected after the script name.
$_SERVER [ " PHP_SELF " ] = '/DIR WITH SPACE/htdocs/admin/index.php/<svg>' ;
$result = testSqlAndScriptInject ( $_SERVER [ " PHP_SELF " ], 2 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject for PHP_SELF that should detect XSS' );
// SQL injection: the same payload must be caught as a POST value (0) and as a GET value (1).
$test = 'select @@version' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for SQL1a. Should find an attack on POST param and did not.' );
$test = 'select @@version' ;
$result = testSqlAndScriptInject ( $test , 1 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for SQL1b. Should find an attack on GET param and did not.' );
// "update ... set ... =" and "delete from" (here split by a newline) are statements, not data.
$test = '... update ... set ... =' ;
$result = testSqlAndScriptInject ( $test , 1 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for SQL2a. Should find an attack on GET param and did not.' );
$test = " delete \n from " ;
$result = testSqlAndScriptInject ( $test , 1 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for SQL2b. Should find an attack on GET param and did not.' );
// But a real "action=update" query string must not be mistaken for an UPDATE
// statement (the label SQL2b below is reused from the previous case).
$test = 'action=update& ... set ... =' ;
$result = testSqlAndScriptInject ( $test , 1 );
$this -> assertEquals ( 0 , $result , 'Error on testSqlAndScriptInject for SQL2b. Should not find an attack on GET param and did.' );
$test = '... union ... selection ' ;
$result = testSqlAndScriptInject ( $test , 1 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for SQL2c. Should find an attack on GET param and did not.' );
// The bare javascript: scheme is enough to be flagged.
// NOTE(review): "javascript1" and "javascript2" use the same literal here; the
// second one was presumably an entity-encoded variant that got decoded when this
// page was rendered. Verify against the repository before trusting this listing.
$test = 'javascript:' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for javascript1. Should find an attack and did not.' );
$test = 'javascript:' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for javascript2. Should find an attack and did not.' );
// Colon hidden behind its HTML entity name.
$test = 'javascript&colon;alert(1)' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertEquals ( $expectedresult , $result , 'Error on testSqlAndScriptInject for javascript2' );
// Classic OWASP vectors: event handler attributes and javascript: in SRC,
// checked as POST value, PHP_SELF (aaa2) or GET value (ddd).
$test = " <img src='1.jpg' onerror =javascript:alert('XSS')> " ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject aaa1' );
$test = " <img src='1.jpg' onerror =javascript:alert('XSS')> " ;
$result = testSqlAndScriptInject ( $test , 2 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject aaa2' );
$test = '<IMG SRC=# onmouseover="alert(1)">' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject aaa3' );
$test = '<IMG SRC onmouseover="alert(1)">' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject aaa4' );
$test = '<IMG onmouseover="alert(1)">' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject aaa5' );
$test = '<IMG SRC=/ onerror="alert(1)">' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject aaa6' );
$test = '<IMG SRC="  javascript:alert(1);">' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject aaa7' );
$test = '<IMG SRC=javascript:alert('XSS')>' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject bbb' );
$test = '<SCRIPT SRC=http://xss.rocks/xss.js></SCRIPT>' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject ccc' );
$test = '<IMG SRC="javascript:alert(\'XSS\');">' ;
$result = testSqlAndScriptInject ( $test , 1 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject ddd' );
$test = '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject eee' );
// A full inline <script> block (a real-world tracking snippet) must be flagged too.
$test = ' <!-- Google analytics -->
< script >
( function ( i , s , o , g , r , a , m ){ i [ \ ' GoogleAnalyticsObject\ ' ] = r ; i [ r ] = i [ r ] || function (){
( i [ r ] . q = i [ r ] . q || []) . push ( arguments )}, i [ r ] . l = 1 * new Date (); a = s . createElement ( o ),
m = s . getElementsByTagName ( o )[ 0 ]; a . async = 1 ; a . src = g ; m . parentNode . insertBefore ( a , m )
})( window , document , \ ' script\ ' , \ ' https :// www . google - analytics . com / analytics . js\ ' , \ ' ga\ ' );
ga ( \ ' create\ ' , \ ' UA - 99999999 - 9 \ ' , \ ' auto\ ' );
ga ( \ ' send\ ' , \ ' pageview\ ' );
</ script > ' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject eee' );
// NOTE(review): the next two payloads (tab / newline inside "javascript:") are
// assigned but never passed to testSqlAndScriptInject(): $test is overwritten by
// the fff1 case below, so nothing asserts that a whitespace-split scheme is
// still detected. Either add the two missing calls + assertions or drop them.
$test = " <IMG SRC= \" jav \t ascript:alert('XSS'); \" > " ; // Is locked by some browser like chrome because the default directive no-referrer-when-downgrade is sent when requesting the SRC and then refused because of browser protection on img src load without referrer.
$test = " <IMG SRC= \" jav
ascript:alert('XSS'); \" > " ; // Same
// Tag name followed by a slash instead of a space.
$test = '<SCRIPT/XSS SRC="http://xss.rocks/xss.js"></SCRIPT>' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject fff1' );
$test = '<SCRIPT/SRC="http://xss.rocks/xss.js"></SCRIPT>' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject fff2' );
// This case seems to be filtered by browsers now.
$test = '<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert(1)>' ;
//$result=testSqlAndScriptInject($test, 0);
//$this->assertGreaterThanOrEqual($expectedresult, $result, 'Error on testSqlAndScriptInject ggg');
// Unclosed <iframe> tag.
$test = '<iframe src=http://xss.rocks/scriptlet.html <' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject hhh' );
// JS call through tagged template literals: no parentheses after the function name.
$test = 'Set.constructor`alert\x281\x29```' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject iii' );
// Handler name "onerror" split by an HTML comment, then by a tag.
$test = " on<!-- ab \n c -->error=alert(1) " ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject jjj' );
$test = " <img src=x one<a>rror=alert(document.location) " ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject kkk' );
// Pointer events are handlers too.
$test = " <a onpointerdown=alert(document.domain)>XSS</a> " ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject lll' );
$test = '<a onscrollend=alert(1) style="display:block;overflow:auto;border:1px+dashed;width:500px;height:100px;"><br><br><br><br><br><span+id=x>test</span></a>' ; // onscrollend is a recent event handler attribute and must be caught like the classic on* handlers
$result = testSqlAndScriptInject ( $test , 0 );
//print "test=".$test." result=".$result."\n";
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject mmm' );
// Benign text carrying entity-encoded quotes (the CKEditor case) must stay clean.
$test = " Text with ' encoded with the numeric html entity converted into text entity ' (like when submited by CKEditor) " ;
$result = testSqlAndScriptInject ( $test , 0 ); // result must be 0
$this -> assertEquals ( 0 , $result , 'Error on testSqlAndScriptInject mmm, result should be 0 and is not' );
// javascript: scheme and "alert" broken up with tabs and a newline inside an href.
$test = '<a href="j	a	v	asc
ri	pt:(a	l	e	r	t	(document.cookie))">XSS</a>' ;
$result = testSqlAndScriptInject ( $test , 0 );
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject nnn, result should be >= 1 and is not' );
// A byte that is not valid UTF-8 (0xF6) inside PHP_SELF must be rejected.
$test = " /dolibarr/htdocs/index.php/ " . chr ( '246' ) . " abc " ; // Add the char %F6 into the variable
$result = testSqlAndScriptInject ( $test , 2 );
//print "test=".$test." result=".$result."\n";
$this -> assertGreaterThanOrEqual ( $expectedresult , $result , 'Error on testSqlAndScriptInject with a non valid UTF8 char' );
}
/**
 * testGETPOST
 *
 * @return void
 */
public function testGETPOST ()
{
global $conf , $user , $langs , $db ;
$conf = $this -> savconf ;
$user = $this -> savuser ;
$langs = $this -> savlangs ;
$db = $this -> savdb ;
// Force default mode
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0 ;
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0 ;
$conf -> global -> MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0 ;
$conf -> global -> MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 0 ;
$_COOKIE [ " id " ] = 111 ;
$_POST [ " param0 " ] = 'A real string with <a href="rrr" title="aa"bb">aaa</a> and " and \' and & inside content' ;
$_GET [ " param1 " ] = " 222 " ;
$_POST [ " param1 " ] = " 333 " ;
$_GET [ " param2 " ] = 'a/b#e(pr)qq-rr\cc' ;
$_GET [ " param3 " ] = '"na/b#e(pr)qq-rr\cc' ; // Same than param2 + " and n
$_GET [ " param4a " ] = '../../dir' ;
$_GET [ " param4b " ] = '..\..\dirwindows' ;
$_GET [ " param5 " ] = " a_1-b " ;
$_POST [ " param6 " ] = " "><svg onload='console.log("123")'> " ;
$_POST [ " param6b " ] = '<<<../>../>../svg><<<../>../>../animate =alert(1)>abc' ;
$_GET [ " param7 " ] = '"c:\this is a path~1\aaan &#x110;" abc<bad>def</bad>' ;
$_POST [ " param8a " ] = " Hacker<svg onload='console.log("123")' " ; // html tag is not closed so it is not detected as html tag but is still harmfull
$_POST [ 'param8b' ] = '<img src=x onerror=alert(document.location) t=' ; // this is html obfuscated by non closing tag
$_POST [ 'param8c' ] = '< with space after is ok' ;
$_POST [ 'param8d' ] = '<abc123 is html to clean' ;
$_POST [ 'param8e' ] = '<123abc is not html to clean' ; // other similar case: '<2021-12-12'
$_POST [ 'param8f' ] = 'abc<<svg <><<animate onbegin=alert(document.domain) a' ;
$_POST [ " param9 " ] = 'is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'objnotdefined\'' ;
$_POST [ " param10 " ] = 'is_object($object) ? ($object->id < 10 ? round($object->id / 2, 2) : (2 * $user->id) * (int) substr($mysoc->zip, 1, 2)) : \'<abc>objnotdefined\'' ;
$_POST [ " param11 " ] = ' Name <email@email.com> ' ;
$_POST [ " param12 " ] = '<!DOCTYPE html><html>aaa</html>' ;
$_POST [ " param13 " ] = 'n n > < " <a href=\"javascript:alert(document.domain)\">XSS</a>' ;
$_POST [ " param13b " ] = 'n n > < " <a href=\"javascript:alert(document.domain)\">XSS</a>' ;
$_POST [ " param14 " ] = " Text with ' encoded with the numeric html entity converted into text entity ' (like when submited by CKEditor) " ;
$_POST [ " param15 " ] = " <img onerror<=alert(document.domain)> src=>0xbeefed " ;
//$_POST["param15b"]="<html><head><title>Example HTML</title></head><body><div><p>This is a paragraph.</div><ul><li>Item 1</li><li>Item 2</li></ol></body><html>";
$_POST [ " param16 " ] = '<a style="z-index: 1000">abc</a>' ;
$_POST [ " param17 " ] = '<span style="background-image: url(logout.php)">abc</span>' ;
$_POST [ " param18 " ] = '<span style="background-image: url(...?...action=aaa)">abc</span>' ;
$_POST [ " param19 " ] = '<a href="j	a	v	asc
ri	pt:(alert(document.cookie))">XSS</a>' ;
//$_POST["param19"]='<a href="javascript:alert(document.cookie)">XSS</a>';
$result = GETPOST ( 'id' , 'int' ); // Must return nothing
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '' , $result );
$result = GETPOST ( " param1 " , 'int' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 222 , $result , 'Test on param1 with no 3rd param' );
$result = GETPOST ( " param1 " , 'int' , 2 );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 333 , $result , 'Test on param1 with 3rd param = 2' );
// Test with alpha
$result = GETPOST ( " param0 " , 'alpha' ); // a simple format, so " completely removed
$resultexpected = 'A real string with aaa and and \' and & inside content' ;
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $resultexpected , $result , 'Test on param0' );
$result = GETPOST ( " param2 " , 'alpha' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $result , $_GET [ " param2 " ], 'Test on param2' );
$result = GETPOST ( " param3 " , 'alpha' ); // Must return string sanitized from char "
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $result , 'na/b#e(pr)qq-rr\cc' , 'Test on param3' );
$result = GETPOST ( " param4a " , 'alpha' ); // Must return string sanitized from ../
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $result , 'dir' );
$result = GETPOST ( " param4b " , 'alpha' ); // Must return string sanitized from ../
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $result , 'dirwindows' );
// Test with aZ09
$result = GETPOST ( " param1 " , 'aZ09' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $result , $_GET [ " param1 " ]);
$result = GETPOST ( " param2 " , 'aZ09' ); // Must return '' as string contains car not in aZ09 definition
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $result , '' );
$result = GETPOST ( " param3 " , 'aZ09' ); // Must return '' as string contains car not in aZ09 definition
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $result , '' );
$result = GETPOST ( " param4a " , 'aZ09' ); // Must return '' as string contains car not in aZ09 definition
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '' , $result );
$result = GETPOST ( " param4b " , 'aZ09' ); // Must return '' as string contains car not in aZ09 definition
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '' , $result );
$result = GETPOST ( " param5 " , 'aZ09' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $_GET [ " param5 " ], $result );
// Test with nohtml
$result = GETPOST ( " param6 " , 'nohtml' );
print __METHOD__ . " result6= " . $result . " \n " ;
$this -> assertEquals ( '">' , $result );
// Test with alpha = alphanohtml. We must convert the html entities like n and disable all entities
$result = GETPOST ( " param6 " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '>' , $result );
$result = GETPOST ( " param6b " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'abc' , $result );
$result = GETPOST ( " param8a " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( " Hackersvg onload='console.log(123)' " , $result );
$result = GETPOST ( " param8b " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'img src=x onerror=alert(document.location) t=' , $result , 'Test a string with non closing html tag with alphanohtml' );
$result = GETPOST ( " param8c " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $_POST [ 'param8c' ], $result , 'Test a string with non closing html tag with alphanohtml' );
$result = GETPOST ( " param8d " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'abc123 is html to clean' , $result , 'Test a string with non closing html tag with alphanohtml' );
$result = GETPOST ( " param8e " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $_POST [ 'param8e' ], $result , 'Test a string with non closing html tag with alphanohtml' );
$result = GETPOST ( " param8f " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'abcsvg animate onbegin=alert(document.domain) a' , $result , 'Test a string with html tag open with several <' );
$result = GETPOST ( " param9 " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $_POST [ " param9 " ], $result );
$result = GETPOST ( " param10 " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $_POST [ " param9 " ], $result , 'We should get param9 after processing param10' );
$result = GETPOST ( " param11 " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( " Name " , $result , 'Test an email string with alphanohtml' );
$result = GETPOST ( " param13 " , 'alphanohtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'n n > < XSS' , $result , 'Test that html entities are decoded with alpha' );
// Test with alphawithlgt
$result = GETPOST ( " param11 " , 'alphawithlgt' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( trim ( $_POST [ " param11 " ]), $result , 'Test an email string with alphawithlgt' );
// Test with restricthtml: we must remove html open/close tag and content but not htmlentities (we can decode html entities for ascii chars like n)
$result = GETPOST ( " param0 " , 'restricthtml' );
$resultexpected = 'A real string with <a href="rrr" title="aa"bb">aaa</a> and " and \' and & inside content' ;
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $resultexpected , $result , 'Test on param0' );
$result = GETPOST ( " param6 " , 'restricthtml' );
print __METHOD__ . " result for param6= " . $result . " - before= " . $_POST [ " param6 " ] . " \n " ;
$this -> assertEquals ( '">' , $result );
$result = GETPOST ( " param7 " , 'restricthtml' );
print __METHOD__ . " result param7 = " . $result . " \n " ;
$this -> assertEquals ( '"c:\this is a path~1\aaan &#x;;;;" abcdef' , $result );
$result = GETPOST ( " param8e " , 'restricthtml' );
print __METHOD__ . " result param8e = " . $result . " \n " ;
$this -> assertEquals ( '' , $result );
$result = GETPOST ( " param12 " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( trim ( $_POST [ " param12 " ]), $result , 'Test a string with DOCTYPE and restricthtml' );
$result = GETPOST ( " param13 " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'n n > < " <a href=\"alert(document.domain)\">XSS</a>' , $result , 'Test 13 that HTML entities are decoded with restricthtml, but only for common alpha chars' );
$result = GETPOST ( " param13b " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'n n > < " <a href=\"alert(document.domain)\">XSS</a>' , $result , 'Test 13b that HTML entities are decoded with restricthtml, but only for common alpha chars' );
$result = GETPOST ( " param14 " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( " Text with ' encoded with the numeric html entity converted into text entity ' (like when submited by CKEditor) " , $result , 'Test 14' );
$result = GETPOST ( " param15 " , 'restricthtml' ); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( " <img onerror=alert(document.domain) src=>0xbeefed " , $result , 'Test 15' ); // The GETPOST return a harmull string
$result = GETPOST ( " param19 " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '<a href="(alert(document.cookie))">XSS</a>' , $result , 'Test 19' );
// Test with restricthtml + MAIN_RESTRICTHTML_ONLY_VALID_HTML only to test disabling of bad atrributes
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1 ;
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 0 ;
//$_POST["param0"] = 'A real string with <a href="rrr" title="aabb">aaa</a> and " inside content';
$result = GETPOST ( " param0 " , 'restricthtml' );
$resultexpected = 'A real string with <a href="rrr" title=\'aa"bb\'>aaa</a> and " and \' and & inside content' ;
print __METHOD__ . " result for param0= " . $result . " \n " ;
$this -> assertEquals ( $resultexpected , $result , 'Test on param0' );
$result = GETPOST ( " param15 " , 'restricthtml' ); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__ . " result for param15= " . $result . " \n " ;
//$this->assertEquals('InvalidHTMLStringCantBeCleaned', $result, 'Test 15b'); // With some PHP and libxml version, we got this result when parsing invalid HTML, but ...
//$this->assertEquals('<img onerror> src=>0xbeefed', $result, 'Test 15b'); // ... on other PHP and libxml versions, we got a HTML that has been cleaned
$result = GETPOST ( " param6 " , 'restricthtml' ); // param6 = ""><svg onload='console.log("123")'>"
print __METHOD__ . " result for param6= " . $result . " - before= " . $_POST [ " param6 " ] . " \n " ;
//$this->assertEquals('InvalidHTMLStringCantBeCleaned', $result, 'Test 15b'); // With some PHP and libxml version, we got this result when parsing invalid HTML, but ...
//$this->assertEquals('">', $result); // ... on other PHP and libxml versions, we got a HTML that has been cleaned
$result = GETPOST ( " param7 " , 'restricthtml' ); // param7 = "c:\this is a path~1\aaan &#x110;" abc<bad>def</bad>
print __METHOD__ . " result param7 = " . $result . " \n " ;
//$this->assertEquals('InvalidHTMLStringCantBeCleaned', $result, 'Test 15b'); // With some PHP and libxml version, we got this result when parsing invalid HTML, but ...
//$this->assertEquals('"c:\this is a path~1\aaan 110;" abcdef', $result); // ... on other PHP and libxml versions, we got a HTML that has been cleaned
// Test with restricthtml + MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY only to test disabling of bad atrributes
if ( extension_loaded ( 'tidy' ) && class_exists ( " tidy " )) {
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0 ;
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1 ;
$result = GETPOST ( " param0 " , 'restricthtml' );
$resultexpected = 'A real string with <a href="rrr" title="aa"bb">aaa</a> and " and \' and & inside content' ;
print __METHOD__ . " result for param0= " . $result . " \n " ;
$this -> assertEquals ( $resultexpected , $result , 'Test on param0' );
$result = GETPOST ( " param15 " , 'restricthtml' ); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__ . " result= " . $result . " \n " ;
$result = GETPOST ( " param6 " , 'restricthtml' );
print __METHOD__ . " result for param6= " . $result . " - before= " . $_POST [ " param6 " ] . " \n " ;
$this -> assertEquals ( '">' , $result );
$result = GETPOST ( " param7 " , 'restricthtml' );
print __METHOD__ . " result param7 = " . $result . " \n " ;
$this -> assertEquals ( '"c:\this is a path~1\aaan &#x110;" abcdef' , $result );
}
// Test with restricthtml + MAIN_RESTRICTHTML_ONLY_VALID_HTML + MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY to test disabling of bad atrributes
if ( extension_loaded ( 'tidy' ) && class_exists ( " tidy " )) {
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML = 1 ;
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1 ;
$result = GETPOST ( " param0 " , 'restricthtml' );
$resultexpected = 'A real string with <a href="rrr" title=\'aa"bb\'>aaa</a> and " and \' and & inside content' ;
print __METHOD__ . " result for param0= " . $result . " \n " ;
$this -> assertEquals ( $resultexpected , $result , 'Test on param0' );
$result = GETPOST ( " param15 " , 'restricthtml' ); // param15 = <img onerror<=alert(document.domain)> src=>0xbeefed that is a dangerous string
print __METHOD__ . " result= " . $result . " \n " ;
$result = GETPOST ( " param6 " , 'restricthtml' );
print __METHOD__ . " result for param6= " . $result . " - before= " . $_POST [ " param6 " ] . " \n " ;
$this -> assertEquals ( '">' , $result );
$result = GETPOST ( " param7 " , 'restricthtml' );
print __METHOD__ . " result param7 = " . $result . " \n " ;
$this -> assertEquals ( '"c:\this is a path~1\aaan 110;" abcdef' , $result );
}
// Test with restricthtml + MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES to test disabling of bad atrributes
unset ( $conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML );
unset ( $conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY );
$conf -> global -> MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 1 ;
$result = GETPOST ( " param15 " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '<img src="">0xbeefed' , $result , 'Test 15c' );
$result = GETPOST ( 'param16' , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '<a style=" 1000">abc</a>' , $result , 'Test tag a with forbidden attribute z-index' );
$result = GETPOST ( 'param17' , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '<span style="background-image: url()">abc</span>' , $result , 'Test anytag with a forbidden value for attribute' );
$result = GETPOST ( 'param18' , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '<span style="background-image: url(...?...aaa)">abc</span>' , $result , 'Test anytag with a forbidden value for attribute' );
unset ( $conf -> global -> MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES );
// Special test for GETPOST of backtopage, backtolist or backtourl parameter
$_POST [ " backtopage " ] = '//www.google.com' ;
$result = GETPOST ( " backtopage " );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'www.google.com' , $result , 'Test for backtopage param' );
$_POST [ " backtopage " ] = 'https:https://www.google.com' ;
$result = GETPOST ( " backtopage " );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'www.google.com' , $result , 'Test for backtopage param' );
$_POST [ " backtolist " ] = '::HTTPS://www.google.com' ;
$result = GETPOST ( " backtolist " );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'www.google.com' , $result , 'Test for backtopage param' );
$_POST [ " backtopage " ] = 'http:www.google.com' ;
$result = GETPOST ( " backtopage " );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'httpwww.google.com' , $result , 'Test for backtopage param' );
$_POST [ " backtopage " ] = '/mydir/mypage.php?aa=a%10a' ;
$result = GETPOST ( " backtopage " );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '/mydir/mypage.php?aa=a%10a' , $result , 'Test for backtopage param' );
$_POST [ " backtopage " ] = 'javascripT&javascript#javascriptxjavascript3a alert(1)' ;
$result = GETPOST ( " backtopage " );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'x3aalert(1)' , $result , 'Test for backtopage param' );
$conf -> global -> MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT = 3 ;
$_POST [ " pagecontentwithlinks " ] = '<img src="aaa"><img src="bbb"><img src="/ccc"><span style="background: url(/ddd)"></span>' ;
$result = GETPOST ( " pagecontentwithlinks " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'ErrorTooManyLinksIntoHTMLString' , $result , 'Test on limit on GETPOST fails' );
// Test that img src="data:..." is excluded from the count of external links
$conf -> global -> MAIN_SECURITY_MAX_IMG_IN_HTML_CONTENT = 3 ;
$_POST [ " pagecontentwithlinks " ] = '<img src="data:abc"><img src="bbb"><img src="/ccc"><span style="background: url(/ddd)"></span>' ;
$result = GETPOST ( " pagecontentwithlinks " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '<img src="data:abc"><img src="bbb"><img src="/ccc"><span style="background: url(/ddd)"></span>' , $result , 'Test on limit on GETPOST fails' );
$conf -> global -> MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 2 ;
// Test that no links is allowed
$_POST [ " pagecontentwithlinks " ] = '<img src="data:abc"><img src="bbb"><img src="/ccc"><span style="background: url(/ddd)"></span>' ;
$result = GETPOST ( " pagecontentwithlinks " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'ErrorHTMLLinksNotAllowed' , $result , 'Test on limit on MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 2 (no links allowed)' );
$conf -> global -> MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 1 ;
// Test that links on wrapper or local url are allowed
$_POST [ " pagecontentwithnowrapperlinks " ] = '<img src="data:abc"><img src="bbb"><img src="/ccc"><span style="background: url(/ddd)"></span>' ;
$result = GETPOST ( " pagecontentwithnowrapperlinks " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( '<img src="data:abc"><img src="bbb"><img src="/ccc"><span style="background: url(/ddd)"></span>' , $result , 'Test on MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 1 (links on data or relative links ar allowed)' );
// Test that links not on wrapper and not data are disallowed
$_POST [ " pagecontentwithnowrapperlinks " ] = '<img src="https://aaa">' ;
$result = GETPOST ( " pagecontentwithnowrapperlinks " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'ErrorHTMLExternalLinksNotAllowed' , $result , 'Test on MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 1 (no links to http allowed)' );
// Test that links not on wrapper and not data are disallowed
$_POST [ " pagecontentwithnowrapperlinks " ] = '<span style="background: url(http://ddd)"></span>' ;
$result = GETPOST ( " pagecontentwithnowrapperlinks " , 'restricthtml' );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( 'ErrorHTMLExternalLinksNotAllowed' , $result , 'Test on MAIN_DISALLOW_URL_INTO_DESCRIPTIONS = 1 (no links to http allowed)' );
return $result ;
}
/**
 * testEncodeDecode
 *
 * Round-trips a sample string through dol_encode()/dol_decode(), first without a key and
 * then with an explicit key passed to both sides, and checks the plaintext comes back unchanged.
 * Because dol_decode() recovers the input, this is a reversible transform: the test covers the
 * round trip only and makes no claim about the confidentiality of the encoded form.
 *
 * @return int
 */
public function testEncodeDecode()
{
	$sentence = 'This is a string to test encode/decode.';
	// Three copies of the sentence separated by single spaces, no trailing space
	$plaintext = implode(' ', array_fill(0, 3, $sentence));
	$key = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ';

	// 1. Default call, no key parameter on either side
	$encoded = dol_encode($plaintext);
	$roundtrip = dol_decode($encoded);
	print __METHOD__." encodedstring=".$encoded." ".base64_encode($plaintext)."\n";
	$this->assertEquals($plaintext, $roundtrip, 'Use dol_encode/decode with no parameter');

	// 2. Same round trip with the explicit key given to both encode and decode
	$encoded = dol_encode($plaintext, $key);
	$roundtrip = dol_decode($encoded, $key);
	print __METHOD__." encodedstring=".$encoded." ".base64_encode($plaintext)."\n";
	$this->assertEquals($plaintext, $roundtrip, 'Use dol_encode/decode with a key parameter');

	return 0;
}
/**
 * testDolHTMLEntityDecode
 *
 * Checks dol_html_entity_decode() once with ENT_QUOTES alone and once with ENT_QUOTES | ENT_HTML5:
 * the second call decodes one more quote form than the first (compare the two expected strings).
 * NOTE(review): the literals below appear already entity-decoded in this rendering (bare quotes
 * and an accented character inside single-quoted strings); the on-disk source presumably holds
 * the HTML entities — verify against the repository before touching the expected values.
 *
 * @return int
 */
public function testDolHTMLEntityDecode ()
{
// ENT_QUOTES only: the expected output still contains one undecoded quote form
$stringtotest = 'a : b " c ' d ' e é' ;
$decodedstring = dol_html_entity_decode ( $stringtotest , ENT_QUOTES );
$this -> assertEquals ( 'a : b " c \' d ' e é' , $decodedstring , 'Function did not sanitize correclty' );
// ENT_QUOTES | ENT_HTML5: every quote form in the input is decoded
$stringtotest = 'a : b " c ' d ' e é' ;
$decodedstring = dol_html_entity_decode ( $stringtotest , ENT_QUOTES | ENT_HTML5 );
$this -> assertEquals ( 'a : b " c \' d \' e é' , $decodedstring , 'Function did not sanitize correclty' );
return 0 ;
}
/**
 * testDolStringOnlyTheseHtmlTags
 *
 * Checks that dol_string_onlythesehtmltags() strips a javascript: scheme from an href, also when
 * the scheme is broken up by a NUL byte (chr(0)) or spelled with an entity-encoded variant, and
 * that the 7th parameter decides whether a <link> tag is kept or removed.
 * NOTE(review): the 2nd-4th arguments (1, 1, 1) and the 5th/6th (0, array()) are passed as in the
 * original; their meaning is not visible from here — see the function's signature.
 * NOTE(review): the trailing character of the href test strings looks entity-decoded in this
 * rendering; verify the on-disk literal before changing it.
 *
 * @return int
 */
public function testDolStringOnlyTheseHtmlTags ()
{
// Test 1: plain javascript: scheme is removed, the rest of the href is kept
$stringtotest = '<a href="javascript:aaa">bbbڴ' ;
$decodedstring = dol_string_onlythesehtmltags ( $stringtotest , 1 , 1 , 1 );
$this -> assertEquals ( '<a href="aaa">bbbڴ' , $decodedstring , 'Function did not sanitize correclty with test 1' );
// Test 2: a NUL byte inside "javascript" must not let the scheme slip through the filter
$stringtotest = '<a href="java' . chr ( 0 ) . 'script:aaa">bbbڴ' ;
$decodedstring = dol_string_onlythesehtmltags ( $stringtotest , 1 , 1 , 1 );
$this -> assertEquals ( '<a href="aaa">bbbڴ' , $decodedstring , 'Function did not sanitize correclty with test 2' );
// Test 3: same expectation for the third spelling of the scheme
$stringtotest = '<a href="javascript:aaa">bbbڴ' ;
$decodedstring = dol_string_onlythesehtmltags ( $stringtotest , 1 , 1 , 1 );
$this -> assertEquals ( '<a href="aaa">bbbڴ' , $decodedstring , 'Function did not sanitize correclty with test 3' );
// Test 4a/4b: only the last argument differs (0 vs 1); with 0 the <link> tag is dropped, with 1 it is kept
$stringtotest = 'text <link href="aaa"> text' ;
$decodedstring = dol_string_onlythesehtmltags ( $stringtotest , 1 , 1 , 1 , 0 , array (), 0 );
$this -> assertEquals ( 'text text' , $decodedstring , 'Function did not sanitize correclty with test 4a' );
$stringtotest = 'text <link href="aaa"> text' ;
$decodedstring = dol_string_onlythesehtmltags ( $stringtotest , 1 , 1 , 1 , 0 , array (), 1 );
$this -> assertEquals ( 'text <link href="aaa"> text' , $decodedstring , 'Function did not sanitize correclty with test 4b' );
return 0 ;
}
/**
 * testDolStringOnlyTheseHtmlAttributes
 *
 * Checks dol_string_onlythesehtmlattributes(): plain text is returned unchanged, and in a tag tree
 * the event-handler attribute (onload) is removed while href and class survive.
 * NOTE(review): the literal of test 1 looks entity-decoded in this rendering; verify the on-disk
 * value before editing it.
 *
 * @return int
 */
public function testDolStringOnlyTheseHtmlAttributes ()
{
// Test 1: text without any tag must pass through unchanged
$stringtotest = 'eée' ;
$decodedstring = dol_string_onlythesehtmlattributes ( $stringtotest );
$this -> assertEquals ( 'eée' , $decodedstring , 'Function did not sanitize correclty with test 1' );
// Test 2: onload is dropped, href and class are kept
$stringtotest = '<div onload="ee"><a href="123"><span class="abc">abc</span></a></div>' ;
$decodedstring = dol_string_onlythesehtmlattributes ( $stringtotest );
// The function may append a trailing newline; strip it so the comparison is on the markup only
$decodedstring = preg_replace ( " / \n $ / " , " " , $decodedstring );
$this -> assertEquals ( '<div><a href="123"><span class="abc">abc</span></a></div>' , $decodedstring , 'Function did not sanitize correclty with test 2' );
return 0 ;
}
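/**
 * testGetRandomPassword
 *
 * Exercises getRandomPassword() in the three modes visible here:
 *  - first argument true: the result is 32 characters long (the original comment says it is a
 *    dol_hash() output, md5 when no option is set — not verifiable from this file);
 *  - USER_PASSWORD_GENERATED = 'None': an empty string is returned;
 *  - USER_PASSWORD_GENERATED = 'Standard': a 12-character password is returned.
 * Only the length is asserted; character-class composition and non-repetition between calls
 * are not covered by this test. The method leaves USER_PASSWORD_GENERATED set to 'Standard'.
 *
 * @return int
 */
public function testGetRandomPassword()
{
	global $conf;

	// Expected value goes first so a failure reads "expected 32, got N" instead of the reverse.
	$genpass1 = getRandomPassword(true); // Should be a string return by dol_hash (if no option set, will be md5)
	print __METHOD__." genpass1=".$genpass1."\n";
	$this->assertSame(32, strlen($genpass1), 'getRandomPassword(true) must return 32 chars');

	// Second argument presumably lists characters to leave out — TODO confirm against the
	// signature; whatever it does, the length must stay 32.
	$genpass1 = getRandomPassword(true, array('I'));
	print __METHOD__." genpass1=".$genpass1."\n";
	$this->assertSame(32, strlen($genpass1), 'getRandomPassword(true, array(\'I\')) must return 32 chars');

	$conf->global->USER_PASSWORD_GENERATED = 'None';
	$genpass2 = getRandomPassword(false); // Should return an empty string
	print __METHOD__." genpass2=".$genpass2."\n";
	$this->assertEquals('', $genpass2, 'No generator configured must yield an empty password');

	$conf->global->USER_PASSWORD_GENERATED = 'Standard';
	$genpass3 = getRandomPassword(false); // Should return a password of 12 chars
	print __METHOD__." genpass3=".$genpass3."\n";
	$this->assertSame(12, strlen($genpass3), 'Standard generator must yield 12 chars');

	return 0;
}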
/**
 * testRestrictedArea
 *
 * Checks that restrictedArea() returns 1 (access granted) for the saved test user on the
 * 'societe' area. The globals are reset from the copies kept on the test case first, the same
 * way the sibling tests do, so the call runs against the fixture user and configuration.
 *
 * @return void
 */
public function testRestrictedArea()
{
	global $conf, $user, $langs, $db;

	$conf = $this->savconf;
	$user = $this->savuser;
	$langs = $this->savlangs;
	$db = $this->savdb;

	$granted = restrictedArea($user, 'societe');
	$this->assertEquals(1, $granted);
}
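/**
 * testGetURLContent
 *
 * Checks the outbound-request guard in getURLContent():
 *  - an ftp:// URL is refused with a curl error mentioning 'not supported';
 *  - a 301 page is reported as 301 when redirects are not followed, and as 200 when they are;
 *  - with the "external URLs only" option, loopback, link-local and blacklisted addresses
 *    are refused with http_code 400 instead of being fetched (server-side request forgery guard).
 * The redirect cases need network access to https://www.dolibarr.fr.
 *
 * @return int
 */
public function testGetURLContent()
{
	global $conf;
	include_once DOL_DOCUMENT_ROOT.'/core/lib/geturl.lib.php';

	// Unsupported scheme: the error text must mention 'not supported'. assertStringContainsString
	// replaces the previous strpos() > 0 check, which would also have failed when the text sits at offset 0.
	$url = 'ftp://mydomain.com';
	$tmp = getURLContent($url);
	print __METHOD__." url=".$url."\n";
	$this->assertStringContainsString('not supported', (string) ($tmp['curl_error_msg'] ?? ''), 'Scheme ftp must be refused');

	// Redirect handling: 4th parameter 0 = do not follow, default call = follow.
	$url = 'https://www.dolibarr.fr'; // This is a redirect 301 page
	$tmp = getURLContent($url, 'GET', '', 0); // We do NOT follow
	print __METHOD__." url=".$url."\n";
	$this->assertEquals(301, $tmp['http_code'], 'Should GET url 301 response and stop here');

	$tmp = getURLContent($url); // We DO follow a page with return 300 so result should be 200
	print __METHOD__." url=".$url."\n";
	$this->assertEquals(200, $tmp['http_code'], 'Should GET url 301 with a follow -> 200 but we get '.$tmp['http_code']);

	// Non-external targets, all expected to be refused with 400 when only external URLs are
	// allowed (last parameter 0). The failure message is kept per case as in the original assertions.
	// A DNS-based variant (localtest.me) was left commented out in the original, presumably because
	// it depends on external name resolution — TODO confirm before re-enabling it.
	$refusedurls = array(
		'http://localhost' => 'Should GET url to http://localhost that resolves to a local URL',
		'http://127.0.0.1' => 'Should GET url to http://127.0.0.1 that is a local URL',
		'http://127.0.2.1' => 'Should GET url to http://127.0.2.1 that is a local URL',
		'https://169.254.0.1' => 'Should GET url to https://169.254.0.1 that is a local URL',
		'http://[::1]' => 'Should GET url to http://[::1] that is a local URL',
		'http://192.0.0.192' => 'Access should be refused and was not', // external-looking IP that is on the blacklist
	);
	foreach ($refusedurls as $url => $failmsg) {
		$tmp = getURLContent($url, 'GET', '', 0, array(), array('http', 'https'), 0); // Only external URL
		print __METHOD__." url=".$url." tmp['http_code'] = ".$tmp['http_code']."\n";
		$this->assertEquals(400, $tmp['http_code'], $failmsg);
	}

	return 0;
}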
/**
 * testDolSanitizeUrl
 *
 * Checks dol_sanitizeUrl() against three obfuscated javascript: prefixes. Case B nests one
 * "javascript" inside another and hides a colon behind an entity-like spelling, so a single-pass
 * removal would leave a "javascript" behind; the expected output shows it is stripped entirely.
 * Case C shows that a scheme split by a slash inside a path is removed as well.
 *
 * @return void
 */
public function testDolSanitizeUrl()
{
	global $conf, $user, $langs, $db;
	$conf = $this->savconf;
	$user = $this->savuser;
	$langs = $this->savlangs;
	$db = $this->savdb;

	// label => array(input, expected output)
	$cases = array(
		'A' => array('javascripT&javascript#x3a alert(1)', 'x3a alert(1)'),
		'B' => array('javajavascriptscript&cjavascriptolon;alert(1)', 'alert(1)'),
		'C' => array('/javas:cript/google.com', 'google.com'),
	);
	foreach ($cases as $label => $case) {
		list($input, $expected) = $case;
		$this->assertEquals($expected, dol_sanitizeUrl($input), 'Test on dol_sanitizeUrl '.$label);
	}
}
/**
 * testDolSanitizeEmail
 *
 * Checks dol_sanitizeEmail() on a recipient list:
 *  A. a clean list is returned unchanged;
 *  B. a real newline between recipients is removed;
 *  C. a literal backslash-n is reduced to "n" (the backslash is dropped);
 *  D. double quotes and the colon of a "bcc:" prefix are dropped.
 * Cases B-D cover the characters a caller could otherwise use to inject extra header lines or
 * a hidden recipient into a mail header built from this value.
 *
 * @return void
 */
public function testDolSanitizeEmail()
{
	global $conf, $user, $langs, $db;
	$conf = $this->savconf;
	$user = $this->savuser;
	$langs = $this->savlangs;
	$db = $this->savdb;

	// label => array(input, expected output)
	$cases = array(
		'A' => array(
			'aaa@mycompany.com <My name>, bbb@mycompany.com <Another name>',
			'aaa@mycompany.com <My name>, bbb@mycompany.com <Another name>',
		),
		'B' => array(
			"aaa@mycompany.com <My name>,\nbbb@mycompany.com <Another name>",
			'aaa@mycompany.com <My name>,bbb@mycompany.com <Another name>',
		),
		'C' => array(
			'aaa@mycompany.com <My name>,\nbbb@mycompany.com <Another name>',
			'aaa@mycompany.com <My name>,nbbb@mycompany.com <Another name>',
		),
		'D' => array(
			'aaa@mycompany.com <My name>, "bcc:bbb"@mycompany.com <Another name>',
			'aaa@mycompany.com <My name>, bccbbb@mycompany.com <Another name>',
		),
	);
	foreach ($cases as $label => $case) {
		list($input, $expected) = $case;
		$this->assertEquals($expected, dol_sanitizeEmail($input), 'Test on dol_sanitizeEmail '.$label);
	}
}
/**
 * testDolSanitizeFileName
 *
 * Checks dol_sanitizeFileName(): a pipe is replaced by an underscore, and a run of one or more
 * leading dashes on a word collapses to a single underscore. Both are characters a file name
 * handed to a command line could otherwise be read as (a pipe or an option prefix).
 *
 * @return void
 */
public function testDolSanitizeFileName()
{
	global $conf, $user, $langs, $db;
	$conf = $this->savconf;
	$user = $this->savuser;
	$langs = $this->savlangs;
	$db = $this->savdb;

	// Pipe character becomes an underscore
	$cleaned = dol_sanitizeFileName('bad file | evilaction');
	$this->assertEquals('bad file _ evilaction', $cleaned);

	// One to four leading dashes all collapse to a single underscore
	$cleaned = dol_sanitizeFileName('bad file -evilparam --evilparam ---evilparam ----evilparam');
	$this->assertEquals('bad file _evilparam _evilparam _evilparam _evilparam', $cleaned);
}
/**
 * testDolEval
 *
 * Checks the restricted expression evaluator dol_eval():
 *  - plain comparisons and arithmetic evaluate normally;
 *  - expressions building objects and reading globals ($conf, $leftmenu) evaluate normally;
 *  - constructs that would turn an evaluated string into arbitrary code (closures, exec with or
 *    without a space, variable-variables, backticks, a string concatenation or sprintf() used as a
 *    callable, a variable used as a function name, string concatenation on a local) are refused
 *    and the result contains 'Bad string syntax to evaluate'.
 * NOTE(review): the 2nd, 3rd and 4th arguments of dol_eval() are passed as in the original
 * (values 1/0, 0/1 and '0'/'1'/'2'/1); their meaning is not visible from this file — see the
 * function's signature before changing any of them.
 * NOTE(review): several literals below show extra spaces in this rendering (e.g. " ( \$ a.'s') ");
 * verify the on-disk source before editing them.
 *
 * @return void
 */
public function testDolEval ()
{
global $conf , $user , $langs , $db ;
$conf = $this -> savconf ;
$user = $this -> savuser ;
$langs = $this -> savlangs ;
$db = $this -> savdb ;
// 1-2: simple comparisons evaluate to a boolean
$result = dol_eval ( '1==1' , 1 , 0 );
print " result1 = " . $result . " \n " ;
$this -> assertTrue ( $result );
$result = dol_eval ( '1==2' , 1 , 0 );
print " result2 = " . $result . " \n " ;
$this -> assertFalse ( $result );
include_once DOL_DOCUMENT_ROOT . '/projet/class/project.class.php' ;
include_once DOL_DOCUMENT_ROOT . '/projet/class/task.class.php' ;
// 3-4: object construction and method calls are allowed; $object is not set here, so the
// fetch fails and the ternary falls back to its literal (double-quoted, then single-quoted)
$s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : "Parent project not found"' ;
$result = dol_eval ( $s , 1 , 1 , '2' );
print " result3 = " . $result . " \n " ;
$this -> assertEquals ( 'Parent project not found' , $result );
$s = '(($reloadedobj = new Task($db)) && ($reloadedobj->fetchNoCompute($object->id) > 0) && ($secondloadedobj = new Project($db)) && ($secondloadedobj->fetchNoCompute($reloadedobj->fk_project) > 0)) ? $secondloadedobj->ref : \'Parent project not found\'' ;
$result = ( string ) dol_eval ( $s , 1 , 1 , '2' );
print " result4 = " . $result . " \n " ;
$this -> assertEquals ( 'Parent project not found' , $result );
// 5-6: a closure definition is refused whatever the 4th argument ('0' or '1')
$result = ( string ) dol_eval ( '$a=function() { }; $a;' , 1 , 1 , '0' );
print " result5 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
$result = ( string ) dol_eval ( '$a=function() { }; $a;' , 1 , 1 , '1' );
print " result6 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
// 7-8: exec() is refused, also when a space separates the name from the parenthesis
$result = ( string ) dol_eval ( '$a=exec("ls");' , 1 , 1 );
print " result7 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
$result = ( string ) dol_eval ( '$a=exec ("ls")' , 1 , 1 );
print " result8 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
// 9: variable-variables ($$a) are refused
$result = ( string ) dol_eval ( '$a="test"; $$a;' , 1 , 0 );
print " result9 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
// 10: backtick shell execution is refused
$result = ( string ) dol_eval ( '`ls`' , 1 , 0 );
print " result10 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
// 11-12: a function name assembled at runtime (concatenation, sprintf) and then called is refused
$result = ( string ) dol_eval ( " ('ex'.'ec')('echo abc') " , 1 , 0 );
print " result11 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
$result = ( string ) dol_eval ( " sprintf( \" %s%s \" , \" ex \" , \" ec \" )('echo abc') " , 1 , 0 );
print " result12 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
// 13: arithmetic on numeric literals is evaluated (result compared as a string)
$result = dol_eval ( " 90402.38+267678+0 " , 1 , 1 , 1 );
print " result13 = " . $result . " \n " ;
$this -> assertEquals ( '358080.38' , $result );
// Global read from inside the evaluated strings: matching and non-matching values
global $leftmenu ; // Used into strings to eval
$leftmenu = 'AAA' ;
$result = dol_eval ( '$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)' , 1 , 1 , '1' );
print " result = " . $result . " \n " ;
$this -> assertTrue ( $result );
// Same with a value that does not match
$leftmenu = 'XXX' ;
$result = dol_eval ( '$conf->currency && preg_match(\'/^(AAA|BBB)/\',$leftmenu)' , 1 , 1 , '1' );
print " result14 = " . $result . " \n " ;
$this -> assertFalse ( $result );
// 15-16: same pair through the isStringVarMatching() helper
$leftmenu = 'AAA' ;
$result = dol_eval ( '$conf->currency && isStringVarMatching(\'leftmenu\', \'(AAA|BBB)\')' , 1 , 1 , '1' );
print " result15 = " . $result . " \n " ;
$this -> assertTrue ( $result );
$leftmenu = 'XXX' ;
$result = dol_eval ( '$conf->currency && isStringVarMatching(\'leftmenu\', \'(AAA|BBB)\')' , 1 , 1 , '1' );
print " result16 = " . $result . " \n " ;
$this -> assertFalse ( $result );
// 17: a menu-style condition mixing module checks, a global int and a regex on $leftmenu ('XXX' still set)
$string = '(isModEnabled("agenda") || isModEnabled("resource")) && getDolGlobalInt("MAIN_FEATURES_LEVEL") >= 0 && preg_match(\'/^(admintools|all|XXX)/\', $leftmenu)' ;
$result = dol_eval ( $string , 1 , 1 , '1' );
print " result17 = " . $result . " \n " ;
$this -> assertTrue ( $result );
// 18: an unknown global name must yield false, not an evaluation error
$result = dol_eval ( '1 && getDolGlobalInt("doesnotexist1") && $conf->global->MAIN_FEATURES_LEVEL' , 1 , 0 ); // Should return false and not a 'Bad string syntax to evaluate ...'
print " result18 = " . $result . " \n " ;
$this -> assertFalse ( $result );
// 19: string concatenation on a variable is refused
$a = 'ab' ;
$result = ( string ) dol_eval ( " ( \$ a.'s') " , 1 , 0 );
print " result19 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
// 20: a variable holding a function name ('abs') used as a callable is refused
$leftmenu = 'abs' ;
$result = ( string ) dol_eval ( '$leftmenu(-5)' , 1 , 0 );
print " result20 = " . $result . " \n " ;
$this -> assertStringContainsString ( 'Bad string syntax to evaluate' , $result );
}
/**
* testDolPrintHTML .
* This method include calls to dol_htmlwithnojs ()
*
* @ return int
*/
public function testDolPrintHTML ()
{
global $conf ;
// Set options for cleaning data
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML = 0 ; // disabled, does not work on HTML5 and some libxml versions
// Enabled option MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY if possible
if ( extension_loaded ( 'tidy' ) && class_exists ( " tidy " )) {
$conf -> global -> MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY = 1 ;
}
$conf -> global -> MAIN_RESTRICTHTML_REMOVE_ALSO_BAD_ATTRIBUTES = 0 ; // disabled, does not work on HTML5 and some libxml versions
// For a string that is already HTML (contains HTML tags) with special tags but badly formated
$stringtotest = " "> " ;
$stringfixed = " "> " ;
//$result = dol_htmlentitiesbr($stringtotest);
//$result = dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0);
//$result = dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0));
//$result = dol_escape_htmltag(dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0)), 1, 1, 'common', 0, 1);
$result = dolPrintHTML ( $stringtotest );
print __METHOD__ . " result= " . $result . " \n " ;
$this -> assertEquals ( $stringfixed , $result , 'Error' ); // Expected '' because should failed because login 'auto' does not exists
// For a string that is already HTML (contains HTML tags) with special tags but badly formated
$stringtotest = " testA \n <h1>hhhh</h1><z>ddd</z><header>aaa</header><footer>bbb</footer> " ;
if ( getDolGlobalString ( " MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY " )) {
2023-11-30 00:06:05 +01:00
$stringfixed = " testA \n <h1>hhhh</h1> \n ddd \n <header>aaa</header> \n <footer>bbb</footer> \n " ;
2023-11-29 20:19:21 +01:00
} else {
$stringfixed = " testA \n <h1>hhhh</h1>ddd<header>aaa</header><footer>bbb</footer> " ;
}
//$result = dol_htmlentitiesbr($stringtotest);
//$result = dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0);
//$result = dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0));
//$result = dol_escape_htmltag(dol_htmlwithnojs(dol_string_onlythesehtmltags(dol_htmlentitiesbr($stringtotest), 1, 1, 1, 0)), 1, 1, 'common', 0, 1);
$result = dolPrintHTML ( $stringtotest );
print __METHOD__ . " result= " . $result . " \n " ;
2023-11-30 00:06:05 +01:00
$this -> assertEquals ( $stringfixed , $result , 'Error' );
2023-11-29 20:19:21 +01:00
// For a string that is already HTML (contains HTML tags) but badly formated
$stringtotest = " testB \n <h1>hhh</h1> \n <td>td alone</td><h1>iii</h1> " ;
if ( getDolGlobalString ( " MAIN_RESTRICTHTML_ONLY_VALID_HTML_TIDY " )) {
2023-11-30 00:06:05 +01:00
$stringfixed = " testB \n <h1>hhh</h1> \n <h1>iii</h1> \n <table> \n <tr> \n <td>td alone</td> \n </tr> \n </table> \n " ;
2023-11-29 20:19:21 +01:00
} else {
$stringfixed = " testB \n <h1>hhh</h1> \n <td>td alone</td><h1>iii</h1> " ;
}
$result = dolPrintHTML ( $stringtotest );
print __METHOD__ . " result= " . $result . " \n " ;
2023-11-30 00:06:05 +01:00
$this -> assertEquals ( $stringfixed , $result , 'Error' );
2023-11-29 20:19:21 +01:00
// For a string with no HTML tags
$stringtotest = " testC \n test " ;
$stringfixed = " testC<br> \n test " ;
$result = dolPrintHTML ( $stringtotest );
print __METHOD__ . " result= " . $result . " \n " ;
2023-11-30 00:06:05 +01:00
$this -> assertEquals ( $stringfixed , $result , 'Error' );
2023-11-29 20:19:21 +01:00
return 0 ;
}
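/**
 * testCheckLoginPassEntity
 *
 * Exercises checkLoginPassEntity() with an unknown login, a wrong password, the
 * default admin/admin credentials, a list of two authentication modes and the
 * 'forceuser' mode. PHPUnit's assertEquals() takes (expected, actual); every
 * assertion below uses that order so that a failure diff reads the right way round.
 *
 * @return void
 */
public function testCheckLoginPassEntity()
{
	// Unknown login: authentication must fail and return an empty login
	$login = checkLoginPassEntity('loginbidon', 'passwordbidon', 1, array('dolibarr'));
	print __METHOD__." login=".$login."\n";
	$this->assertEquals('', $login, 'Unknown login must not authenticate');

	// Known login with a wrong password: authentication must fail
	$login = checkLoginPassEntity('admin', 'passwordbidon', 1, array('dolibarr'));
	print __METHOD__." login=".$login."\n";
	$this->assertEquals('', $login, 'Wrong password must not authenticate');

	// Should work because admin/admin exists
	$login = checkLoginPassEntity('admin', 'admin', 1, array('dolibarr'));
	print __METHOD__." login=".$login."\n";
	$this->assertEquals('admin', $login, 'The test to check if pass of user "admin" is "admin" has failed');

	// Should work because of the second authentication method in the list
	$login = checkLoginPassEntity('admin', 'admin', 1, array('http', 'dolibarr'));
	print __METHOD__." login=".$login."\n";
	$this->assertEquals('admin', $login, 'Second authentication method should have accepted admin/admin');

	// Expected '' because it should fail: login 'auto' does not exist
	$login = checkLoginPassEntity('admin', 'admin', 1, array('forceuser'));
	print __METHOD__." login=".$login."\n";
	$this->assertEquals('', $login, 'Error');
}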
}