/**
 * Exercises csrfprotector::isURLallowed() against the 'verifyGetFor' patterns.
 *
 * Two patterns are configured: 'http://test/delete*' and 'https://test/*'.
 * Each case sets $_SERVER['PHP_SELF'] (and, for the last two cases,
 * $_SERVER['REQUEST_SCHEME']) and then asserts the result: true for a URL
 * outside both patterns, false for a URL covered by one of them.
 *
 * NOTE(review): presumably a false result means a GET request to that URL
 * must carry a valid CSRF token, so a pattern that fails to match would
 * leave that GET unvalidated - confirm against isURLallowed() itself.
 *
 * NOTE(review): this method overwrites csrfprotector::$config['verifyGetFor']
 * and entries of $_SERVER and does not restore them; REQUEST_SCHEME is left
 * at 'https'. Confirm that setUp()/tearDown() reset this state so later
 * tests do not inherit the 'https://test/*' catch-all.
 */
public function testisURLallowed() {
    csrfprotector::$config['verifyGetFor'] = array('http://test/delete*', 'https://test/*');

    // No URL argument is passed here, so the result depends on request state
    // only. REQUEST_SCHEME is not set by this method before the first four
    // cases - TODO confirm it is established (as non-https) by the fixture.
    $_SERVER['PHP_SELF'] = '/nodelete.php';
    $this->assertTrue(csrfprotector::isURLallowed());

    // http URL that does not start with 'http://test/delete': expected true.
    $_SERVER['PHP_SELF'] = '/index.php';
    $this->assertTrue(csrfprotector::isURLallowed('http://test/index.php'));

    // http URL covered by 'http://test/delete*': expected false.
    $_SERVER['PHP_SELF'] = '/delete.php';
    $this->assertFalse(csrfprotector::isURLallowed('http://test/delete.php'));

    // Wildcard suffix case. NOTE(review): PHP_SELF is '/delete_user.php' but
    // the argument is '.../delete_users.php'; both fall under 'delete*', so
    // this case cannot tell which of the two the method actually reads.
    $_SERVER['PHP_SELF'] = '/delete_user.php';
    $this->assertFalse(csrfprotector::isURLallowed('http://test/delete_users.php'));

    // Switch to https: 'https://test/*' covers every path, so even
    // index.php is expected to return false from here on.
    $_SERVER['REQUEST_SCHEME'] = 'https';

    $_SERVER['PHP_SELF'] = '/index.php';
    $this->assertFalse(csrfprotector::isURLallowed('https://test/index.php'));

    // Same PHP_SELF/argument mismatch as in the http wildcard case above.
    $_SERVER['PHP_SELF'] = '/delete_user.php';
    $this->assertFalse(csrfprotector::isURLallowed('https://test/delete_users.php'));
}
/**
 * Checks where csrfprotector::modifyURL() places the CSRF token in a URL.
 *
 * Three inputs are covered: a URL that already carries the token (must come
 * back unchanged), a URL with no query string (token expected after '?'),
 * and a URL with an existing query string (token expected after '&').
 *
 * NOTE(review): a token carried in the query string can surface in Referer
 * headers, server logs and browser history; confirm modifyURL() is applied
 * only where that exposure is acceptable.
 */
public function testModifyURL() {
    $token = 'abcxxcd';

    // Token already present: the URL must be returned byte-for-byte.
    // NOTE(review): this case spells the parameter name as a literal while
    // the other two use the CSRFP_TOKEN constant - presumably the same
    // value; confirm.
    $alreadyTokenised = 'http://test/test.php?csrfp_token=' . $token;
    $this->assertSame(
        $alreadyTokenised,
        csrfprotector::modifyURL($alreadyTokenised, $token)
    );

    // No query string yet: the token must be introduced with '?'.
    $rewritten = csrfprotector::modifyURL('http://test/test.php', $token);
    $firstParam = "?" . CSRFP_TOKEN . "=" . $token;
    // The loose '!= false' also rejects offset 0; the expected fragment can
    // never legitimately sit at offset 0 of a full URL, so that is a miss.
    $offset = strpos($rewritten, $firstParam);
    $this->assertTrue($offset != false);

    // Existing query string: the token must be appended with '&'.
    $rewritten = csrfprotector::modifyURL('http://test/test.php?a=1&b=2', $token);
    $extraParam = "&" . CSRFP_TOKEN . "=" . $token;
    $offset = strpos($rewritten, $extraParam);
    $this->assertTrue($offset != false);
}