def __init__(self, codecs=None):
"""
Instantiates a new DefaultEncoder.
@param codecs: : a list of codec instances to use for canonicalization
"""
Encoder.__init__(self)
self.html_codec = HTMLEntityCodec()
self.percent_codec = PercentCodec()
self.javascript_codec = JavascriptCodec()
self.vbscript_codec = VBScriptCodec()
self.css_codec = CSSCodec()
self.ldap_codec = LDAPCodec()
self.ldap_dn_codec = LDAPDNCodec()
self.logger = ESAPI.logger("Encoder")
# Used for canonicalization
self.codecs = []
if codecs is None:
self.codecs.append(self.html_codec)
self.codecs.append(self.percent_codec)
self.codecs.append(self.javascript_codec)
# Leaving out css_codec because it eats / characters
# Leaving out vbscript_codec because it eats " characters
else:
for codec in codecs:
if not isinstance(codec, Codec):
raise TypeError(
_("Codecs in list must be instances of children of Codec"
))
self.codecs.append(codec)
def test_codec_for_javascript(self):
instance = ESAPI.encoder()
### High level
self.assertEquals(None, instance.encode_for_javascript(None))
self.assertEquals("\\x3Cscript\\x3E", instance.encode_for_javascript("<script>"))
self.assertEquals(",.\\x2D_\\x20", instance.encode_for_javascript(",.-_ "))
self.assertEquals("\\x21\\x40\\x24\\x25\\x28\\x29\\x3D\\x2B\\x7B\\x7D\\x5B\\x5D", instance.encode_for_javascript("!@$%()=+{}[]"))
# Unicode
self.assertEquals(unichr(12345), instance.encode_for_javascript(unichr(12345)))
### Low level
codec = JavascriptCodec()
# Bad hex format
self.assertEquals("\\xAQ", codec.decode("\\xAQ"))
self.assertEquals("\\uAAQ", codec.decode("\\uAAQ"))
def __init__(self, logger, extra={}):
self.logger = logger
self.extra = extra
# Enable code for html, JS, url and CSS
codeclist = [HTMLEntityCodec(), JavascriptCodec(), PercentCodec(), CSSCodec()]
self.encoder = SecurityEncoder(codeclist)
def test_canonicalize(self):
codecs = [HTMLEntityCodec(), PercentCodec()]
encoder_class = ESAPI.security_configuration().get_class_for_interface('encoder')
instance = encoder_class(codecs)
# Test None paths
self.assertEquals( None, instance.canonicalize(None))
self.assertEquals( None, instance.canonicalize(None, True))
self.assertEquals( None, instance.canonicalize(None, False))
# test exception paths
self.assertEquals( "%", instance.canonicalize("%25", True))
self.assertEquals( "%", instance.canonicalize("%25", False))
self.assertEquals( "%", instance.canonicalize("%25"))
self.assertEquals( "%F", instance.canonicalize("%25F"))
self.assertEquals( "<", instance.canonicalize("%3c"))
self.assertEquals( "<", instance.canonicalize("%3C"))
self.assertEquals( "%X1", instance.canonicalize("%X1"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "%", instance.canonicalize("%"))
self.assertEquals( "%", instance.canonicalize("%"))
self.assertEquals( "%b", instance.canonicalize("%b"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
# percent encoding
self.assertEquals( "<", instance.canonicalize("%3c"))
self.assertEquals( "<", instance.canonicalize("%3C"))
# html entity encoding
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("&lT"))
self.assertEquals( "<", instance.canonicalize("&Lt"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<", instance.canonicalize("&lT;"))
self.assertEquals( "<", instance.canonicalize("≪"))
self.assertEquals( "<", instance.canonicalize("<"))
self.assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript%3Ealert%28%22hello%22%29%3B%3C%2Fscript%3E") )
self.assertEquals( "<script>alert(\"hello\");</script>", instance.canonicalize("%3Cscript>alert%28%22hello"%29%3B%3C%2Fscript%3E", False) )
# javascript escape syntax
js = [JavascriptCodec()]
instance = encoder_class( js )
self.assertEquals( "\0", instance.canonicalize("\\0"))
self.assertEquals( "\b", instance.canonicalize("\\b"))
self.assertEquals( "\t", instance.canonicalize("\\t"))
self.assertEquals( "\n", instance.canonicalize("\\n"))
self.assertEquals( unichr(0x0b), instance.canonicalize("\\v"))
self.assertEquals( "\f", instance.canonicalize("\\f"))
self.assertEquals( "\r", instance.canonicalize("\\r"))
self.assertEquals( "\'", instance.canonicalize("\\'"))
self.assertEquals( "\"", instance.canonicalize("\\\""))
self.assertEquals( "\\", instance.canonicalize("\\\\"))
self.assertEquals( "<", instance.canonicalize("\\<"))
self.assertEquals( "<", instance.canonicalize("\\u003c"))
self.assertEquals( "<", instance.canonicalize("\\U003c"))
self.assertEquals( "<", instance.canonicalize("\\u003C"))
self.assertEquals( "<", instance.canonicalize("\\U003C"))
self.assertEquals( "<", instance.canonicalize("\\x3c"))
self.assertEquals( "<", instance.canonicalize("\\X3c"))
self.assertEquals( "<", instance.canonicalize("\\x3C"))
self.assertEquals( "<", instance.canonicalize("\\X3C"))
# css escape syntax
# be careful because some codecs see \0 as null byte
css = [CSSCodec()]
instance = encoder_class( css )
self.assertEquals( "<", instance.canonicalize("\\3c")); # add strings to prevent null byte
self.assertEquals( "<", instance.canonicalize("\\03c"))
self.assertEquals( "<", instance.canonicalize("\\003c"))
self.assertEquals( "<", instance.canonicalize("\\0003c"))
self.assertEquals( "<", instance.canonicalize("\\00003c"))
self.assertEquals( "<", instance.canonicalize("\\3C"))
self.assertEquals( "<", instance.canonicalize("\\03C"))
self.assertEquals( "<", instance.canonicalize("\\003C"))
self.assertEquals( "<", instance.canonicalize("\\0003C"))
self.assertEquals( "<", instance.canonicalize("\\00003C"))
