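email_xss = $sugar_config['email_xss'];
            $sugar_config['email_xss'] = '';
        }
        if (isset($GLOBALS['sugar_config']['html_allow_objects'])) {
            $this->allow_objects = $GLOBALS['sugar_config']['html_allow_objects'];
        }
        $GLOBALS['sugar_config']['html_allow_objects'] = true;
        SugarCleaner::$instance = null;
    }

    /**
     * Undo every change setUp() made to the global config and to the
     * SugarCleaner singleton, so the XSS-filter settings forced for this
     * test case do not leak into whichever test runs next.
     */
    public function tearDown()
    {
        global $sugar_config;
        // setUp() blanked email_xss after saving it; put the saved value back.
        if (!empty($this->email_xss)) {
            $sugar_config['email_xss'] = $this->email_xss;
        }
        // setUp() forced html_allow_objects to true and saved the previous
        // value only when the key existed. Restore it, or drop the forced key
        // when there was nothing to save.
        // NOTE(review): assumes $this->allow_objects has no non-null default
        // in the (unseen) property declaration — confirm.
        if (isset($this->allow_objects)) {
            $GLOBALS['sugar_config']['html_allow_objects'] = $this->allow_objects;
        } else {
            unset($GLOBALS['sugar_config']['html_allow_objects']);
        }
        // setUp() discarded the cached cleaner instance so it would read the
        // forced config; discard it again so the restored config is honoured.
        SugarCleaner::$instance = null;
    }

    /**
     * Data provider for the XSS filter tests.
     *
     * Each row is array(input, expected output after cleaning). Rows whose
     * two values are identical assert that benign content survives the
     * cleaner unchanged; rows that differ assert what the cleaner strips.
     *
     * @return array<int, array{0: string, 1: string}>
     */
    public function xssData()
    {
        return array(
            // before, after
            array("some data", "some data"),
            // a href
            array("test link", "test link"),
            // xss
            array("some data", "some data"),
            // script with src
            array("some data and more", "some data and more"),
            // applet & script
            array("some data and more data", "some data and more data"),
            // onload
            array('some data before<script>some data after', 'some data before<script>some data after'),
            // JS
            array('some data beforesome data after', 'some data beforepeace-sign-2.jpgsome data after'),
            array('some data beforesome data after', 'some data beforepeace-sign-2.jpgsome data after'),
            array('
Roger Smith
', '
Roger Smith
'),
            array('some data beforesome data after', 'some data beforeSymbol.jpgsome data after'),
            // xmp
            array('some data', '
some data
'),
            // youtube video
            array('', ''),
            // another youtube video
            array('', ''),
            // stuff inside iframe
            array('', ''),
            // body/html/head
            array("My PageMy Content", "My Content"),
            // link
            array('', ''),
            // international: non-Latin text must pass through untouched
            array('в чащах юга жил-был фикус - דג סקרן שט בים מאוכזב ולפתע מצא חברה', 'в чащах юга жил-был фикус - דג סקרן שט בים מאוכזב ולפתע מצא חברה'),
        );
    }

    /**
     * Run a string through the HTML cleaner under test.
     *
     * The second argument is passed as false on purpose so that every row in
     * xssData() is cleaned the same way; its exact meaning lives in
     * SugarCleaner::cleanHtml() and is not visible here.
     *
     * @param string $str raw (possibly hostile) HTML
     * @return string cleaned HTML
     */
    protected function clean($str)
    {
        return SugarCleaner::cleanHtml($str, false);
    }

    /**
     * The cleaner, called directly, turns $before into exactly $after.
     *
     * @dataProvider xssData
     * @param string $before
     * @param string $after
     */
    public function testXssFilter($before, $after)
    {
        $this->assertEquals($after, $this->clean($before));
    }

    /**
     * The same expectation holds when cleaning goes through a bean: an
     * EmailTemplate whose body_html holds the encoded input must, after
     * cleanBean(), hold the encoded expected output.
     *
     * @dataProvider xssData
     * @param string $before
     * @param string $after
     */
    public function testXssFilterBean($before, $after)
    {
        $bean = new EmailTemplate();
        // Bean fields store HTML-encoded text, so both sides go through to_html().
        $bean->body_html = to_html($before);
        $bean->cleanBean();
        $this->assertEquals(to_html($after), $bean->body_html);
    }
}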