[SECURITY] XSS in exception handler
1 <?php
2 /***************************************************************
3 * Copyright notice
4 *
5 * (c) 2012 Oliver Klee <typo3-coding@oliverklee.de>
6 * All rights reserved
7 *
8 * This script is part of the TYPO3 project. The TYPO3 project is
9 * free software; you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation; either version 2 of the License, or
12 * (at your option) any later version.
13 *
14 * The GNU General Public License can be found at
15 * http://www.gnu.org/copyleft/gpl.html.
16 *
17 * This script is distributed in the hope that it will be useful,
18 * but WITHOUT ANY WARRANTY; without even the implied warranty of
19 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
20 * GNU General Public License for more details.
21 *
22 * This copyright notice MUST APPEAR in all copies of the script!
23 ***************************************************************/
24
25 /**
26 * testcase for the t3lib_error_ProductionExceptionHandler class.
27 *
28 * @author Oliver Klee <typo3-coding@oliverklee.de>
29 * @package TYPO3
30 * @subpackage t3lib_error
31 */
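class t3lib_error_ProductionExceptionHandlerTest extends Tx_Phpunit_TestCase {
	/**
	 * @var t3lib_error_ProductionExceptionHandler|PHPUnit_Framework_MockObject_MockObject
	 */
	private $fixture = NULL;

	/**
	 * Sets up this test case.
	 *
	 * The fixture is a partial mock: the methods that would touch the
	 * environment (status headers, log writing) are stubbed out, and
	 * discloseExceptionInformation() is forced to TRUE so that the exception
	 * details actually reach the output and can be checked for escaping.
	 */
	protected function setUp() {
		$this->fixture = $this->getMock(
			't3lib_error_ProductionExceptionHandler',
			array('discloseExceptionInformation', 'sendStatusHeaders', 'writeLogEntries'),
			array(), '', FALSE
		);
		$this->fixture->expects($this->any())->method('discloseExceptionInformation')->will($this->returnValue(TRUE));
	}

	/**
	 * Tears down this test case.
	 */
	protected function tearDown() {
		unset($this->fixture);
	}

	/**
	 * Renders $exception through the fixture's web output and returns
	 * everything it echoed, closing the capturing output buffer.
	 *
	 * @param Exception $exception the exception to render
	 * @return string the captured output
	 */
	private function renderExceptionWeb(Exception $exception) {
		ob_start();
		$this->fixture->echoExceptionWeb($exception);
		// ob_get_clean() is the single-call form of ob_get_contents() + ob_end_clean()
		return ob_get_clean();
	}

	/**
	 * The exception message must reach the page HTML-escaped only.
	 *
	 * @test
	 */
	public function echoExceptionWebEscapesExceptionMessage() {
		$message = '<b>b</b><script>alert(1);</script>';
		$exception = new Exception($message);

		$output = $this->renderExceptionWeb($exception);

		// Positive check: the escaped form is present ...
		$this->assertContains(
			htmlspecialchars($message),
			$output
		);
		// ... and negative check: the raw markup never appears verbatim.
		$this->assertNotContains(
			$message,
			$output
		);
	}

	/**
	 * The exception title (if the exception exposes getTitle()) must never
	 * reach the page as raw markup.
	 *
	 * @test
	 */
	public function echoExceptionWebEscapesExceptionTitle() {
		$title = '<b>b</b><script>alert(1);</script>';
		/** @var $exception Exception|PHPUnit_Framework_MockObject_MockObject */
		$exception = $this->getMock('Exception', array('getTitle'), array('some message'));
		$exception->expects($this->any())->method('getTitle')->will($this->returnValue($title));

		$output = $this->renderExceptionWeb($exception);

		// NOTE(review): this only asserts the raw title is absent, so it would
		// also pass if the handler dropped the title entirely. A positive
		// assertContains(htmlspecialchars($title), $output) would pin the
		// escaping itself — confirm the handler renders the title before adding it.
		$this->assertNotContains(
			$title,
			$output
		);
	}
}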
99 ?>