SafeHtmlTemplatesTest.java example

Explorer
gwt-master
/*
 * Copyright 2009 Google Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License"); you may not
 * use this file except in compliance with the License. You may obtain a copy of
 * the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
 * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the
 * License for the specific language governing permissions and limitations under
 * the License.
 */
package com.google.gwt.safehtml.client;

import com.google.gwt.core.client.GWT;
import com.google.gwt.junit.client.GWTTestCase;
import com.google.gwt.safecss.shared.SafeStyles;
import com.google.gwt.safecss.shared.SafeStylesUtils;
import com.google.gwt.safehtml.shared.SafeHtml;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;
import com.google.gwt.safehtml.shared.SafeUri;
import com.google.gwt.safehtml.shared.UriUtils;

import junit.framework.Assert;

/**
 * Tests the SafeHtmlTemplates compile-time binding mechanism.
 */
public class SafeHtmlTemplatesTest extends GWTTestCase {

  private static final String HTML_MARKUP = "woo <i>whee</i>";

  private static final String GOOD_URL_ESCAPED = "http://foo.com/foo<bar>&baz=dootz";
  private static final String GOOD_URL_ENCODED = "http://foo.com/foo%3Cbar%3E&baz=dootz";
  private static final String GOOD_URL = "http://foo.com/foo<bar>&baz=dootz";
  private static final String BAD_URL = "javascript:evil(1<2)";
  private static final String BAD_URL_ESCAPED = "javascript:evil(1<2)";

  private TestTemplates templates;

  @Override
  public String getModuleName() {
    return "com.google.gwt.safehtml.SafeHtml";
  }

  @Override
  protected void gwtSetUp() throws Exception {
    templates = GWT.create(TestTemplates.class);
  }

  /**
   * A SafeHtmlTemplates interface for testing.
   */
  public interface TestTemplates extends SafeHtmlTemplates {
    @Template("<span><b>{0}</b><span>{1}</span></span>")
    SafeHtml simpleTemplate(String foo, SafeHtml bar);

    @Template("<span><a href=\"{0}\"><b>{1}</b></a></span>")
    SafeHtml templateWithUriAttribute(String url, SafeHtml html);

    @Template("<span><a href=\"{0}\"><b>{1}</b></a></span>")
    SafeHtml templateWithUriAttribute(SafeUri url, SafeHtml html);

    @Template("<div id=\"{0}\">{1}</div>")
    SafeHtml templateWithRegularAttribute(String id, SafeHtml html);

    @Template("<div style=\"{0}\">{1}</div>")
    SafeHtml templateWithSafeStyleAttributeComplete(SafeStyles styles, SafeHtml html);

    @Template("<div style=\"{0}height:{1}px;\">{2}</div>")
    SafeHtml templateWithSafeStyleAttributeStart(SafeStyles styles,
        int height /* generates a compile time warning */, SafeHtml html);

    @Template("<span><img src=\"{0}/{1}\"/></span>")
    SafeHtml templateWithTwoPartUriAttribute(String baseUrl, String urlPart);

    @Template("<span style='{0}; color: green;'></span>")
    SafeHtml templateWithStyleAttribute(String style);
  }

  public void testSimpleTemplate() {
    Assert.assertEquals(
        "<span><b>foo<bar</b><span>woo <i>whee</i></span></span>",
        templates.simpleTemplate("foo<bar",
            SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
  }

  public void testTemplateWithUriAttribute() {
    // as String: sanitized by the template
    Assert.assertEquals(
        "<span><a href=\"" + GOOD_URL_ENCODED + "\"><b>" + HTML_MARKUP
            + "</b></a></span>",
        templates.templateWithUriAttribute(
            GOOD_URL, SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
    Assert.assertEquals(
        "<span><a href=\"#\"><b>" + HTML_MARKUP + "</b></a></span>",
        templates.templateWithUriAttribute(
            BAD_URL, SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
    // UriUtils.fromString: sanitized by fromString
    Assert.assertEquals(
        "<span><a href=\"" + GOOD_URL_ENCODED + "\"><b>" + HTML_MARKUP
            + "</b></a></span>",
        templates.templateWithUriAttribute(
            UriUtils.fromString(GOOD_URL), SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
    Assert.assertEquals(
        "<span><a href=\"#\"><b>" + HTML_MARKUP + "</b></a></span>",
        templates.templateWithUriAttribute(
            UriUtils.fromString(BAD_URL), SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
    // UriUtils.fromTrustedString: not sanitized
    Assert.assertEquals(
        "<span><a href=\"" + GOOD_URL_ESCAPED + "\"><b>" + HTML_MARKUP
            + "</b></a></span>",
        templates.templateWithUriAttribute(
            UriUtils.fromTrustedString(GOOD_URL),
            SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
    Assert.assertEquals(
        "<span><a href=\"" + BAD_URL_ESCAPED + "\"><b>" + HTML_MARKUP + "</b></a></span>",
        templates.templateWithUriAttribute(
            UriUtils.fromTrustedString(BAD_URL),
            SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
  }

  public void testTemplateWithRegularAttribute() {
    Assert.assertEquals(
        "<div id=\"" + GOOD_URL_ESCAPED + "\">" + HTML_MARKUP + "</div>",
        templates.templateWithRegularAttribute(
            GOOD_URL, SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());

    // Values inserted into non-URI-valued attributes should not be sanitized,
    // but still escaped.
    Assert.assertEquals(
        "<div id=\"" + BAD_URL_ESCAPED + "\">" + HTML_MARKUP + "</div>",
        templates.templateWithRegularAttribute(
            BAD_URL, SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
  }

  public void testTemplateWithSafeStyleAttributeComplete() {
    Assert.assertEquals("<div style=\"width:10px;\">" + HTML_MARKUP + "</div>",
        templates.templateWithSafeStyleAttributeComplete(
            SafeStylesUtils.fromTrustedString("width:10px;"),
            SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
  }

  public void testTemplateWithSafeStyleAttributeStart() {
    Assert.assertEquals("<div style=\"width:10px;height:15px;\">" + HTML_MARKUP + "</div>",
        templates.templateWithSafeStyleAttributeStart(
            SafeStylesUtils.fromTrustedString("width:10px;"), 15,
            SafeHtmlUtils.fromSafeConstant(HTML_MARKUP)).asString());
  }

  public void testTemplateWithTwoPartUriAttribute() {
    // sanitized by the template
    Assert.assertEquals(
        "<span><img src=\"" + GOOD_URL_ENCODED + "/x&y\"/></span>",
        templates.templateWithTwoPartUriAttribute(
            GOOD_URL, "x&y").asString());
    Assert.assertEquals(
        "<span><img src=\"#/x&y\"/></span>",
        templates.templateWithTwoPartUriAttribute(
            BAD_URL, "x&y").asString());
  }

  public void testTemplateWithStyleAttribute() {
    Assert.assertEquals(
        "<span style='background: purple; color: green;'></span>",
        templates.templateWithStyleAttribute("background: purple").asString());
  }
}