2 /*********************************************************************************
3 * SugarCRM Community Edition is a customer relationship management program developed by
4 * SugarCRM, Inc. Copyright (C) 2004-2012 SugarCRM Inc.
6 * This program is free software; you can redistribute it and/or modify it under
7 * the terms of the GNU Affero General Public License version 3 as published by the
8 * Free Software Foundation with the addition of the following permission added
9 * to Section 15 as permitted in Section 7(a): FOR ANY PART OF THE COVERED WORK
10 * IN WHICH THE COPYRIGHT IS OWNED BY SUGARCRM, SUGARCRM DISCLAIMS THE WARRANTY
11 * OF NON INFRINGEMENT OF THIRD PARTY RIGHTS.
13 * This program is distributed in the hope that it will be useful, but WITHOUT
14 * ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS
15 * FOR A PARTICULAR PURPOSE. See the GNU Affero General Public License for more
18 * You should have received a copy of the GNU Affero General Public License along with
19 * this program; if not, see http://www.gnu.org/licenses or write to the Free
20 * Software Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA
23 * You can contact SugarCRM, Inc. headquarters at 10050 North Wolfe Road,
24 * SW2-130, Cupertino, CA 95014, USA. or at email address contact@sugarcrm.com.
26 * The interactive user interfaces in modified source and object code versions
27 * of this program must display Appropriate Legal Notices, as required under
28 * Section 5 of the GNU Affero General Public License version 3.
30 * In accordance with Section 7(b) of the GNU Affero General Public License version 3,
31 * these Appropriate Legal Notices must retain the display of the "Powered by
32 * SugarCRM" logo. If the display of the logo is not reasonably feasible for
33 * technical reasons, the Appropriate Legal Notices must display the words
34 * "Powered by SugarCRM".
35 ********************************************************************************/
42 * This is a simple test to assert that we can correctly remove the XSS attack strings set in the help field
47 class Bug49939Test extends Sugar_PHPUnit_Framework_TestCase {
51 * This is the provider function for testPopulateFromPostWithXSSHelpField
54 public function xssFields() {
56 array(htmlentities('<script>alert(50);</script>'), 'alert(50);'),
57 array(htmlentities('This is some help text'), 'This is some help text'),
58 array(htmlentities('???'), '???'),
59 array(htmlentities('Foo Foo<script type="text/javascript">alert(50);</script>Poo Poo'), 'Foo Fooalert(50);Poo Poo'),
60 array(htmlentities('I am trying to <b>Bold</b> this!'), 'I am trying to <b>Bold</b> this!'),
61 array(htmlentities(''), ''),
67 * testPopulateFromPostWithXSSHelpField
68 * @dataProvider xssFields
69 * @param string $badXSS The bad XSS script
70 * @param string $expectedValue The expected output
72 public function testPopulateFromPostWithXSSHelpField($badXSS, $expectedValue)
74 $tf = new Bug49939TemplateFieldMock();
75 $_REQUEST['help'] = $badXSS;
76 $tf->vardef_map = array('help'=>'help');
77 $tf->populateFromPost();
78 $this->assertEquals($expectedValue, $tf->help, 'Unable to remove XSS from help field');
85 require_once('modules/DynamicFields/templates/Fields/TemplateField.php');
86 class Bug49939TemplateFieldMock extends TemplateField {
88 public function applyVardefRules()
90 //no-opt function called at the end of populateFromPost method in TemplateField