[SECURITY] XSS in exception handler
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2012 Oliver Klee <typo3-coding@oliverklee.de>
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 *
17 * This script is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * This copyright notice MUST APPEAR in all copies of the script!
23 ***************************************************************/
24
25 /**
26 * testcase for the t3lib_error_DebugExceptionHandler class.
27 *
28 * @author Oliver Klee <typo3-coding@oliverklee.de>
29 * @package TYPO3
30 * @subpackage t3lib_error
31 */
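class t3lib_error_DebugExceptionHandlerTest extends Tx_Phpunit_TestCase {
	/**
	 * Handler under test, with its side-effecting methods stubbed out.
	 *
	 * @var t3lib_error_DebugExceptionHandler|PHPUnit_Framework_MockObject_MockObject
	 */
	private $fixture = NULL;

	/**
	 * Sets up this test case.
	 *
	 * sendStatusHeaders() and writeLogEntries() are stubbed so the test neither
	 * emits HTTP headers nor writes log entries.
	 *
	 * discloseExceptionInformation() is stubbed as well: a method can only be
	 * configured through expects()/method() when it is part of the method list
	 * handed to getMock(). Without it in the list the configuration below is a
	 * no-op (or an error on newer PHPUnit versions) and the real implementation
	 * runs, making the outcome depend on the run-time environment rather than
	 * always rendering the exception message.
	 */
	protected function setUp() {
		$this->fixture = $this->getMock(
			't3lib_error_DebugExceptionHandler',
			array('sendStatusHeaders', 'writeLogEntries', 'discloseExceptionInformation'),
			array(), '', FALSE
		);
		$this->fixture->expects($this->any())
			->method('discloseExceptionInformation')
			->will($this->returnValue(TRUE));
	}

	/**
	 * Tears down this test case.
	 */
	protected function tearDown() {
		unset($this->fixture);
	}

	/**
	 * Runs $exception through echoExceptionWeb() and returns everything it echoed.
	 *
	 * The output buffer is closed on every path, including when the handler
	 * throws, so a failure inside the handler cannot leave PHPUnit's own
	 * output swallowed by a dangling buffer.
	 *
	 * @param Exception $exception the exception to render
	 * @return string the HTML produced by the handler
	 */
	private function renderException(Exception $exception) {
		ob_start();
		try {
			$this->fixture->echoExceptionWeb($exception);
		} catch (Exception $e) {
			ob_end_clean();
			throw $e;
		}
		return ob_get_clean();
	}

	/**
	 * Regression test for the XSS in the exception handler: an exception message
	 * must be HTML-escaped before it is echoed, so that markup contained in the
	 * message cannot be injected into the rendered error page.
	 *
	 * @test
	 */
	public function echoExceptionWebEscapesExceptionMessage() {
		$message = '<b>b</b><script>alert(1);</script>';
		$exception = new Exception($message);

		$output = $this->renderException($exception);

		// The escaped form of the whole message must be present ...
		$this->assertContains(
			htmlspecialchars($message),
			$output
		);
		// ... and the raw markup must not appear anywhere in the output.
		$this->assertNotContains(
			$message,
			$output
		);
	}
}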
79 ?>