1<?php 2 3/** 4 * webtrees: online genealogy 5 * Copyright (C) 2023 webtrees development team 6 * This program is free software: you can redistribute it and/or modify 7 * it under the terms of the GNU General Public License as published by 8 * the Free Software Foundation, either version 3 of the License, or 9 * (at your option) any later version. 10 * This program is distributed in the hope that it will be useful, 11 * but WITHOUT ANY WARRANTY; without even the implied warranty of 12 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the 13 * GNU General Public License for more details. 14 * You should have received a copy of the GNU General Public License 15 * along with this program. If not, see <https://www.gnu.org/licenses/>. 16 */ 17 18declare(strict_types=1); 19 20namespace Fisharebest\Webtrees\Elements; 21 22use Fisharebest\Webtrees\Contracts\ElementInterface; 23use Fisharebest\Webtrees\TestCase; 24use Fisharebest\Webtrees\Tree; 25 26abstract class AbstractElementTestCase extends TestCase 27{ 28 private const string EVIL_VALUE = '<script>evil()</script>'; 29 private const string TEST_VALUE = '01 JAN 1970'; 30 31 protected static ElementInterface $element; 32 33 public function testCanonical(): void 34 { 35 self::assertSame('Foo bAr baZ', self::$element->canonical('Foo bAr baZ')); 36 self::assertSame('Foo bAr baZ', self::$element->canonical("\t Foo\t bAr \tbaZ\t ")); 37 self::assertSame('Foo bAr baZ', self::$element->canonical("\nFoo \n\r bAr \r\n baZ\r")); 38 } 39 40 public function testEscapeAtSigns(): void 41 { 42 if (static::$element instanceof AbstractXrefElement) { 43 self::assertSame('@X123@', static::$element->escape('@X123@')); 44 } else { 45 self::assertSame('@@X123@@', static::$element->escape('@X123@')); 46 } 47 } 48 49 public function testXssInValue(): void 50 { 51 $tree = $this->createMock(Tree::class); 52 $html = static::$element->value(self::EVIL_VALUE, $tree); 53 $message = 'XSS vulnerability in value()'; 54 55 self::assertStringNotContainsStringIgnoringCase(self::EVIL_VALUE, $html, $message); 56 } 57 58 public function testXssInLabelValue(): void 59 { 60 $tree = $this->createMock(Tree::class); 61 $html = static::$element->labelValue(self::EVIL_VALUE, $tree); 62 $message = 'XSS vulnerability in labelValue()'; 63 64 self::assertStringNotContainsStringIgnoringCase(self::EVIL_VALUE, $html, $message); 65 } 66 67 public function testXssInEdit(): void 68 { 69 $tree = $this->createMock(Tree::class); 70 $html = static::$element->edit('id', 'name', self::EVIL_VALUE, $tree); 71 $message = 'XSS vulnerability in edit()'; 72 73 self::assertStringNotContainsStringIgnoringCase(self::EVIL_VALUE, $html, $message); 74 } 75 76 public function testValidHtmlInValue(): void 77 { 78 $tree = $this->createMock(Tree::class); 79 $html = static::$element->value(self::TEST_VALUE, $tree); 80 81 $this->validateHtml($html); 82 } 83 84 public function testValidHtmlInEdit(): void 85 { 86 $tree = $this->createMock(Tree::class); 87 $html = static::$element->edit('id', 'name', self::TEST_VALUE, $tree); 88 89 $this->validateHtml($html); 90 } 91} 92