def __init__(self, codecs=None):
    """
    Build a DefaultEncoder: one codec per output context plus the codec
    set consulted by canonicalize().

    @param codecs: optional list of Codec instances to use for
        canonicalization. When omitted, the HTML entity, percent and
        JavaScript codecs are used (see the comment below for why CSS and
        VBScript are left out). An explicit list is taken as given, so an
        empty list means canonicalize() has no decoders to apply.
    @raise TypeError: if an element of codecs is not a Codec instance.
    """
    Encoder.__init__(self)

    # Output-context codecs; these back the encode_for_* methods.
    self.html_codec = HTMLEntityCodec()
    self.percent_codec = PercentCodec()
    self.javascript_codec = JavascriptCodec()
    self.vbscript_codec = VBScriptCodec()
    self.css_codec = CSSCodec()
    self.ldap_codec = LDAPCodec()
    self.ldap_dn_codec = LDAPDNCodec()
    self.logger = ESAPI.logger("Encoder")

    # Codecs used for canonicalization (input decoding), kept separate
    # from the output codecs above so callers can tune them.
    self.codecs = []
    if codecs is None:
        # CSS is left out because its decoder eats '/' characters and
        # VBScript because its decoder eats '"' characters; either would
        # corrupt legitimate input while canonicalizing.
        self.codecs.extend([self.html_codec,
                            self.percent_codec,
                            self.javascript_codec])
        return

    # Only real Codec subclasses may take part in canonicalization; an
    # arbitrary object with a decode() method is rejected up front.
    for candidate in codecs:
        if not isinstance(candidate, Codec):
            raise TypeError(
                _("Codecs in list must be instances of children of Codec"))
        self.codecs.append(candidate)
def test_codec_for_javascript(self):
    """
    Check encode_for_javascript() on the configured encoder, then the raw
    JavascriptCodec decoder on malformed escapes.

    The high-level vectors pin that characters outside the immune set are
    emitted as \\xHH escapes (so "<script>" cannot break out of a JS
    string), that ',', '.' and '_' pass through while '-' and space do
    not, that None is returned as None, and that a non-ASCII code point
    is returned unchanged. The low-level vectors pin that a malformed
    \\x / \\u escape is left intact rather than partially consumed.
    """
    instance = ESAPI.encoder()

    ### High level
    high_level = [
        (None, None),
        ("\\x3Cscript\\x3E", "<script>"),
        (",.\\x2D_\\x20", ",.-_ "),
        ("\\x21\\x40\\x24\\x25\\x28\\x29\\x3D\\x2B\\x7B\\x7D\\x5B\\x5D",
         "!@$%()=+{}[]"),
    ]
    for expected, raw in high_level:
        self.assertEquals(expected, instance.encode_for_javascript(raw))

    # Unicode: a non-ASCII code point is passed through unencoded
    wide = unichr(12345)
    self.assertEquals(wide, instance.encode_for_javascript(wide))

    ### Low level
    codec = JavascriptCodec()
    # Bad hex format: a malformed escape is returned untouched
    for malformed in ("\\xAQ", "\\uAAQ"):
        self.assertEquals(malformed, codec.decode(malformed))
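def __init__(self, logger, extra=None):
    """
    Store the wrapped logger, its extra context and an encoder.

    @param logger: the underlying logger this object delegates to.
    @param extra: optional dict of extra context, stored as given. When
        omitted a fresh empty dict is created for this instance.
    """
    self.logger = logger
    # A fresh dict per instance. The previous `extra={}` default was a
    # single dict shared by every instance built without an argument, so
    # context added through one instance leaked into all the others.
    self.extra = {} if extra is None else extra
    # Enable codecs for html, JS, url and CSS. Presumably used to encode
    # message text before it reaches the log (log-injection defence);
    # confirm against the methods of this class that call self.encoder.
    codec_list = [HTMLEntityCodec(), JavascriptCodec(),
                  PercentCodec(), CSSCodec()]
    self.encoder = SecurityEncoder(codec_list)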
def test_canonicalize(self):
    """
    Exercise canonicalize() on the configured encoder class: first with
    the HTML-entity + percent codecs, then with the JavaScript codec
    alone, then with the CSS codec alone.

    NOTE(review): this listing has been mangled by HTML-entity decoding
    during extraction. The surviving inputs `&lT`, `&Lt`, `&lT;` and the
    U+226A character (what an HTML5 decoder makes of `&Lt;`) show that
    the long runs of canonicalize("<") below were originally entity
    spellings of '<' and are now tautologies, and the second
    "%3Cscript>alert..." argument has lost the entity that closed its
    string literal (it is a syntax error as shown). Restore the vectors
    from upstream before relying on this test.
    """
    codecs = [HTMLEntityCodec(), PercentCodec()]
    encoder_class = ESAPI.security_configuration().get_class_for_interface('encoder')
    instance = encoder_class(codecs)

    # Test None paths: None is returned as None whatever the second
    # (strict) flag is.
    self.assertEquals( None, instance.canonicalize(None))
    self.assertEquals( None, instance.canonicalize(None, True))
    self.assertEquals( None, instance.canonicalize(None, False))

    # test exception paths
    self.assertEquals( "%", instance.canonicalize("%25", True))
    self.assertEquals( "%", instance.canonicalize("%25", False))
    self.assertEquals( "%", instance.canonicalize("%25"))
    # "%25F" decodes to "%F" and the result is not decoded again
    self.assertEquals( "%F", instance.canonicalize("%25F"))
    self.assertEquals( "<", instance.canonicalize("%3c"))
    self.assertEquals( "<", instance.canonicalize("%3C"))
    # malformed percent escapes are left untouched
    self.assertEquals( "%X1", instance.canonicalize("%X1"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "%", instance.canonicalize("%"))
    self.assertEquals( "%", instance.canonicalize("%"))
    # a lone hex digit after '%' is not a complete escape
    self.assertEquals( "%b", instance.canonicalize("%b"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))

    # percent encoding (either hex case)
    self.assertEquals( "<", instance.canonicalize("%3c"))
    self.assertEquals( "<", instance.canonicalize("%3C"))

    # html entity encoding (vectors garbled by extraction, see docstring)
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    # mixed-case named entities: these survived extraction, so they show
    # that the entity decoder is case-insensitive and accepts a missing ';'
    self.assertEquals( "<", instance.canonicalize("&lT"))
    self.assertEquals( "<", instance.canonicalize("&Lt"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("<"))
    self.assertEquals( "<", instance.canonicalize("&lT;"))
    self.assertEquals( "<", instance.canonicalize("≪"))
    self.assertEquals( "<", instance.canonicalize("<"))

    # a fully percent-encoded payload decodes in one pass
    self.assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") )
    # mixed percent/entity encoding with strict=False still decodes
    # (NOTE(review): argument literal broken by extraction, see docstring)
    self.assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript>alert%28%22hello"%29%3B%3C%2Fscript%3E", False) )

    # javascript escape syntax
    js = [JavascriptCodec()]
    instance = encoder_class( js )
    # single-character escapes
    self.assertEquals( "\0", instance.canonicalize("\\0"))
    self.assertEquals( "\b", instance.canonicalize("\\b"))
    self.assertEquals( "\t", instance.canonicalize("\\t"))
    self.assertEquals( "\n", instance.canonicalize("\\n"))
    self.assertEquals( unichr(0x0b), instance.canonicalize("\\v"))
    self.assertEquals( "\f", instance.canonicalize("\\f"))
    self.assertEquals( "\r", instance.canonicalize("\\r"))
    self.assertEquals( "\'", instance.canonicalize("\\'"))
    self.assertEquals( "\"", instance.canonicalize("\\\""))
    self.assertEquals( "\\", instance.canonicalize("\\\\"))
    # a backslash before a non-special character just drops the backslash
    self.assertEquals( "<", instance.canonicalize("\\<"))
    # \u and \x escapes, both cases of the escape letter and of the hex
    # digits. NOTE(review): accepting upper-case \U and \X is more
    # permissive than the JS language itself; presumably deliberate for
    # attack detection — confirm with the codec's author.
    self.assertEquals( "<", instance.canonicalize("\\u003c"))
    self.assertEquals( "<", instance.canonicalize("\\U003c"))
    self.assertEquals( "<", instance.canonicalize("\\u003C"))
    self.assertEquals( "<", instance.canonicalize("\\U003C"))
    self.assertEquals( "<", instance.canonicalize("\\x3c"))
    self.assertEquals( "<", instance.canonicalize("\\X3c"))
    self.assertEquals( "<", instance.canonicalize("\\x3C"))
    self.assertEquals( "<", instance.canonicalize("\\X3C"))

    # css escape syntax
    # be careful because some codecs see \0 as null byte
    css = [CSSCodec()]
    instance = encoder_class( css )
    self.assertEquals( "<", instance.canonicalize("\\3c"));
    # add strings to prevent null byte
    # (CSS hex escapes may carry up to six digits, so leading zeros
    # must decode to the same character)
    self.assertEquals( "<", instance.canonicalize("\\03c"))
    self.assertEquals( "<", instance.canonicalize("\\003c"))
    self.assertEquals( "<", instance.canonicalize("\\0003c"))
    self.assertEquals( "<", instance.canonicalize("\\00003c"))
    self.assertEquals( "<", instance.canonicalize("\\3C"))
    self.assertEquals( "<", instance.canonicalize("\\03C"))
    self.assertEquals( "<", instance.canonicalize("\\003C"))
    self.assertEquals( "<", instance.canonicalize("\\0003C"))
    self.assertEquals( "<", instance.canonicalize("\\00003C"))