/** * OWASP Enterprise Security API (ESAPI) * * This file is part of the Open Web Application Security Project (OWASP) * Enterprise Security API (ESAPI) project. For details, please see * http://www.owasp.org/index.php/ESAPI. * * Copyright (c) 2007 - The OWASP Foundation * * The ESAPI is published by OWASP under the BSD license. You should read and accept the * LICENSE before you use, modify, and/or redistribute this software. * * @author Jeff Williams Aspect Security * @created 2007 */ package org.owasp.esapi.codecs; import junit.framework.Test; import junit.framework.TestCase; import junit.framework.TestSuite; /** * @author Jeff Williams (jeff.williams .at. aspectsecurity.com) Aspect Security * @since June 1, 2007 */ public class CodecTest extends TestCase { private static final char[] EMPTY_CHAR_ARRAY = new char[0]; private static final Character LESS_THAN = Character.valueOf('<'); private static final Character SINGLE_QUOTE = Character.valueOf('\''); private HTMLEntityCodec htmlCodec = new HTMLEntityCodec(); private PercentCodec percentCodec = new PercentCodec(); private JavaScriptCodec javaScriptCodec = new JavaScriptCodec(); private VBScriptCodec vbScriptCodec = new VBScriptCodec(); private CSSCodec cssCodec = new CSSCodec(); private MySQLCodec mySQLCodecANSI = new MySQLCodec( MySQLCodec.ANSI_MODE ); private MySQLCodec mySQLCodecStandard = new MySQLCodec( MySQLCodec.MYSQL_MODE ); private OracleCodec oracleCodec = new OracleCodec(); private UnixCodec unixCodec = new UnixCodec(); private WindowsCodec windowsCodec = new WindowsCodec(); /** * Instantiates a new access reference map test. * * @param testName * the test name */ public CodecTest(String testName) { super(testName); } /** * {@inheritDoc} * @throws Exception */ protected void setUp() throws Exception { // none } /** * {@inheritDoc} * @throws Exception */ protected void tearDown() throws Exception { // none } /** * Suite. * * @return the test */ public static Test suite() { TestSuite suite = new TestSuite(CodecTest.class); return suite; } public void testHtmlEncode() { assertEquals( "test", htmlCodec.encode( EMPTY_CHAR_ARRAY, "test") ); } public void testPercentEncode() { assertEquals( "%3C", percentCodec.encode(EMPTY_CHAR_ARRAY, "<") ); } public void testJavaScriptEncode() { assertEquals( "\\x3C", javaScriptCodec.encode(EMPTY_CHAR_ARRAY, "<") ); } public void testVBScriptEncode() { assertEquals( "chrw(60)", vbScriptCodec.encode(EMPTY_CHAR_ARRAY, "<") ); } public void testCSSEncode() { assertEquals( "\\3c ", cssCodec.encode(EMPTY_CHAR_ARRAY, "<") ); } public void testCSSInvalidCodepointDecode() { assertEquals("\uFFFDg", cssCodec.decode("\\abcdefg") ); } public void testMySQLANSCIEncode() { assertEquals( "\'\'", mySQLCodecANSI.encode(EMPTY_CHAR_ARRAY, "\'") ); } public void testMySQLStandardEncode() { assertEquals( "\\<", mySQLCodecStandard.encode(EMPTY_CHAR_ARRAY, "<") ); } public void testOracleEncode() { assertEquals( "\'\'", oracleCodec.encode(EMPTY_CHAR_ARRAY, "\'") ); } public void testUnixEncode() { assertEquals( "\\<", unixCodec.encode(EMPTY_CHAR_ARRAY, "<") ); } public void testWindowsEncode() { assertEquals( "^<", windowsCodec.encode(EMPTY_CHAR_ARRAY, "<") ); } public void testHtmlEncodeChar() { assertEquals( "<", htmlCodec.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testHtmlEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "Ā"; String result; result = htmlCodec.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); // UTF-8 encoded and then percent escaped assertEquals(expected, result); } public void testHtmlEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "Ā"; String result; result = htmlCodec.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); // UTF-8 encoded and then percent escaped assertEquals(expected, result); } public void testPercentEncodeChar() { assertEquals( "%3C", percentCodec.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testPercentEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "%C4%80"; String result; result = percentCodec.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); // UTF-8 encoded and then percent escaped assertEquals(expected, result); } public void testPercentEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "%C4%80"; String result; result = percentCodec.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); // UTF-8 encoded and then percent escaped assertEquals(expected, result); } public void testJavaScriptEncodeChar() { assertEquals( "\\x3C", javaScriptCodec.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testJavaScriptEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\u0100"; String result; result = javaScriptCodec.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testJavaScriptEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\u0100"; String result; result = javaScriptCodec.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testVBScriptEncodeChar() { assertEquals( "chrw(60)", vbScriptCodec.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testVBScriptEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); // FIXME I don't know vb... // String expected = "\\u0100"; String result; result = vbScriptCodec.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); //assertEquals(expected,result); } public void testVBScriptEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); // FIXME I don't know vb... // String expected = "chrw(0x100)"; String result; result = vbScriptCodec.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); // assertEquals(expected,result); } public void testCSSEncodeChar() { assertEquals( "\\3c ", cssCodec.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testCSSEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\100 "; String result; result = cssCodec.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testCSSEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\100 "; String result; result = cssCodec.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testMySQLANSIEncodeChar() { assertEquals( "\'\'", mySQLCodecANSI.encodeCharacter(EMPTY_CHAR_ARRAY, SINGLE_QUOTE)); } public void testMySQLStandardEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\" + in; String result; result = mySQLCodecStandard.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testMySQLStandardEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\" + in; String result; result = mySQLCodecStandard.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testMySQLStandardEncodeChar() { assertEquals( "\\<", mySQLCodecStandard.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testOracleEncodeChar() { assertEquals( "\'\'", oracleCodec.encodeCharacter(EMPTY_CHAR_ARRAY, SINGLE_QUOTE) ); } public void testUnixEncodeChar() { assertEquals( "\\<", unixCodec.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testUnixEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\" + in; String result; result = unixCodec.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testUnixEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "\\" + in; String result; result = unixCodec.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testWindowsEncodeChar() { assertEquals( "^<", windowsCodec.encodeCharacter(EMPTY_CHAR_ARRAY, LESS_THAN) ); } public void testWindowsEncodeChar0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "^" + in; String result; result = windowsCodec.encodeCharacter(EMPTY_CHAR_ARRAY, in); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testWindowsEncodeStr0x100() { char in = 0x100; String inStr = Character.toString(in); String expected = "^" + in; String result; result = windowsCodec.encode(EMPTY_CHAR_ARRAY, inStr); // this should be escaped assertFalse(inStr.equals(result)); assertEquals(expected,result); } public void testHtmlDecodeDecimalEntities() { assertEquals( "test!", htmlCodec.decode("test!") ); } public void testHtmlDecodeHexEntitites() { assertEquals( "test!", htmlCodec.decode("test!") ); } public void testHtmlDecodeInvalidAttribute() { assertEquals( "&jeff;", htmlCodec.decode("&jeff;") ); } public void testHtmlDecodeAmp() { assertEquals("&", htmlCodec.decode("&")); assertEquals("&X", htmlCodec.decode("&X")); assertEquals("&", htmlCodec.decode("&")); assertEquals("&X", htmlCodec.decode("&X")); } public void testHtmlDecodeLt() { assertEquals("<", htmlCodec.decode("<")); assertEquals("