 /**
  * Verify that Sanitize::xss() removes script and event-handler vectors
  * and escapes whatever remains, both with and without tag stripping.
  */
 public function testXss()
 {
     $keepTags = array('strip' => false);
     $payload = 'Test string <script>alert("XSS!");</script> with attack <div onclick="javascript:alert(\'XSS!\')">vectors</div>';

     // default options: every tag is stripped, the leftover text is escaped
     $this->assertEquals(
         'Test string alert(&quot;XSS!&quot;); with attack vectors',
         Sanitize::xss($payload)
     );

     // strip=false: inline on* handlers are dropped, harmless tags are escaped
     $this->assertEquals(
         'Test string alert(&quot;XSS!&quot;); with attack &lt;div&gt;vectors&lt;/div&gt;',
         Sanitize::xss($payload, $keepTags)
     );

     // strip=false: the xmlns attribute is removed before escaping
     $this->assertEquals(
         '&lt;html&gt;',
         Sanitize::xss('<html xmlns="http://www.w3.org/1999/xhtml">', $keepTags)
     );

     // strip=false: namespaced tags disappear, with or without attributes
     $this->assertEquals('Content', Sanitize::xss('<ns:tag>Content</ns:tag>', $keepTags));
     $this->assertEquals('Content', Sanitize::xss('<ns:tag attr="foo">Content</ns:tag>', $keepTags));

     // strip=false: blacklisted tags are removed even though stripping is off
     $unwanted = '<audio>A</audio> <script type="text/javascript">string</script> <iframe>full</iframe> <applet>of</applet> <object>unwanted</object> <style>tags</style>.';
     $this->assertEquals('A string full of unwanted tags.', Sanitize::xss($unwanted, $keepTags));
 }
 /**
  * Procedural shortcut for Sanitize::xss().
  *
  * @param mixed $value   Input to clean; forwarded unchanged
  * @param array $options Options forwarded unchanged to Sanitize::xss()
  * @return mixed Whatever Sanitize::xss() returns
  */
 function xss($value, array $options = array())
 {
     $cleaned = Sanitize::xss($value, $options);

     return $cleaned;
 }
 /**
  * Apply the configured sanitizers to each field of $data before it is saved.
  *
  * Fields with no (or an empty) filter definition are left untouched. For the
  * others, the sanitizers run in a fixed order (html, newlines, whitespace,
  * xss), each only when its key is present in the field's definition, and the
  * cleaned value is written back into $data in place.
  *
  * @param \Titon\Event\Event $event
  * @param \Titon\Db\Query $query
  * @param int|int[] $id
  * @param array $data Modified in place
  * @return bool Always true, so the save proceeds
  */
 public function preSave(Event $event, Query $query, $id, array &$data)
 {
     // Each name is both the filter key and the Sanitize method to call.
     // Order matters: every step consumes the previous step's output.
     $sanitizers = array('html', 'newlines', 'whitespace', 'xss');
     $filters = $this->getFilters();

     foreach ($data as $field => $raw) {
         if (empty($filters[$field])) {
             continue;
         }

         $definition = $filters[$field];
         $clean = $raw;

         foreach ($sanitizers as $name) {
             if (!isset($definition[$name])) {
                 continue;
             }

             // the definition entry is passed through as that sanitizer's options
             $clean = Sanitize::$name($clean, $definition[$name]);
         }

         $data[$field] = $clean;
     }

     return true;
 }