Sanitize.php: ALLBUT failed to detect '\'.

6d75b28b · Carsten Rose · b331c952 · 6d75b28b · 6d75b28b
Commit 6d75b28b authored 8 years ago by Carsten Rose
--- a/extension/qfq/qfq/helper/Sanitize.php
+++ b/extension/qfq/qfq/helper/Sanitize.php
@@ -143,7 +143,7 @@ class Sanitize {
            SANITIZE_ALLOW_MIN_MAX => '',
            SANITIZE_ALLOW_MIN_MAX_DATE => '',
            SANITIZE_ALLOW_PATTERN => '',
-            SANITIZE_ALLOW_ALLBUT => '^[^\[\]{}%&\\#]*$',
+            SANITIZE_ALLOW_ALLBUT => '^[^\[\]{}%&\\\\#]*$',
            SANITIZE_ALLOW_ALL => '.*'
        ];
    }

--- a/extension/qfq/tests/phpunit/SanitizeTest.php
+++ b/extension/qfq/tests/phpunit/SanitizeTest.php
@@ -30,6 +30,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals('', Sanitize::sanitize('', SANITIZE_ALLOW_EMAIL), "SANITIZE_EMAIL fails");
        $this->assertEquals('', Sanitize::sanitize('', SANITIZE_ALLOW_PATTERN, '.*'), "SANITIZE_PATTERN fails");
        $this->assertEquals('', Sanitize::sanitize('', SANITIZE_ALLOW_ALL), "SANITIZE_ALL fails");
+        $this->assertEquals('', Sanitize::sanitize('', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLBUT fails");

        # Check '1'
        $this->assertEquals('1', Sanitize::sanitize('1', SANITIZE_ALLOW_ALNUMX), "SANITIZE_ALNUMX fails");
@@ -38,6 +39,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals('', Sanitize::sanitize('1', SANITIZE_ALLOW_EMAIL), "SANITIZE_EMAIL fails");
        $this->assertEquals('1', Sanitize::sanitize('1', SANITIZE_ALLOW_PATTERN, '.*'), "SANITIZE_PATTERN fails");
        $this->assertEquals('1', Sanitize::sanitize('1', SANITIZE_ALLOW_ALL), "SANITIZE_ALL fails");
+        $this->assertEquals('1', Sanitize::sanitize('1', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLBUT fails");

        # Check '-3'
        $this->assertEquals('-3', Sanitize::sanitize('-3', SANITIZE_ALLOW_ALNUMX), "SANITIZE_ALNUMX fails");
@@ -46,6 +48,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals('', Sanitize::sanitize('-3', SANITIZE_ALLOW_EMAIL), "SANITIZE_EMAIL fails");
        $this->assertEquals('-3', Sanitize::sanitize('-3', SANITIZE_ALLOW_PATTERN, '.*'), "SANITIZE_PATTERN fails");
        $this->assertEquals('-3', Sanitize::sanitize('-3', SANITIZE_ALLOW_ALL), "SANITIZE_ALL fails");
+        $this->assertEquals('-3', Sanitize::sanitize('-3', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLBUT fails");

        # Check 'a'
        $this->assertEquals('a', Sanitize::sanitize('a', SANITIZE_ALLOW_ALNUMX), "SANITIZE_ALNUMX fails");
@@ -54,6 +57,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals('', Sanitize::sanitize('a', SANITIZE_ALLOW_EMAIL), "SANITIZE_EMAIL fails");
        $this->assertEquals('a', Sanitize::sanitize('a', SANITIZE_ALLOW_PATTERN, '.*'), "SANITIZE_PATTERN fails");
        $this->assertEquals('a', Sanitize::sanitize('a', SANITIZE_ALLOW_ALL), "SANITIZE_ALL fails");
+        $this->assertEquals('a', Sanitize::sanitize('a', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLBUT fails");


        # Check 'a@-_.,;Z09'
@@ -64,6 +68,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals('', Sanitize::sanitize($val, SANITIZE_ALLOW_EMAIL), "SANITIZE_EMAIL fails");
        $this->assertEquals($val, Sanitize::sanitize($val, SANITIZE_ALLOW_PATTERN, '.*'), "SANITIZE_PATTERN fails");
        $this->assertEquals($val, Sanitize::sanitize($val, SANITIZE_ALLOW_ALL), "SANITIZE_ALL fails");
+        $this->assertEquals($val, Sanitize::sanitize($val, SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLBUT fails");

        # Check 'a+Z09'
        $val = 'a+Z09';
@@ -73,6 +78,7 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals('', Sanitize::sanitize($val, SANITIZE_ALLOW_EMAIL), "SANITIZE_EMAIL fails");
        $this->assertEquals($val, Sanitize::sanitize($val, SANITIZE_ALLOW_PATTERN, '.*'), "SANITIZE_PATTERN fails");
        $this->assertEquals($val, Sanitize::sanitize($val, SANITIZE_ALLOW_ALL), "SANITIZE_ALL fails");
+        $this->assertEquals($val, Sanitize::sanitize($val, SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLBUT fails");
    }

    /**
@@ -184,6 +190,29 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
        $this->assertEquals($val, Sanitize::sanitize($val, SANITIZE_ALLOW_PATTERN, '(John)*'), "SANITIZE_ALLOW_PATTERN fails");
    }

+    //[ ]  { } % & \ #
+    /**
+     */
+    public function testSanitizeExceptionAllBut() {
+        $bad = "[]{}%&\\#";
+        $good = 'abCD01`~!@$^*()_+=-|":;.,<>/?\'';
+
+        // Single
+        $this->assertEquals('', Sanitize::sanitize('[', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLOW_ALLBUT fails");
+        $this->assertEquals('a', Sanitize::sanitize('a', SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLOW_ALLBUT fails");
+
+
+        for ($i = 0; $i < strlen($bad); $i++) {
+            $str = '-' . substr($bad, $i, 1) . '-';
+            $this->assertEquals('', Sanitize::sanitize($str, SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLOW_ALLBUT fails");
+        }
+
+        for ($i = 0; $i < strlen($good); $i++) {
+            $str = '-' . substr($good, $i, 1) . '-';
+            $this->assertEquals($str, Sanitize::sanitize($str, SANITIZE_ALLOW_ALLBUT), "SANITIZE_ALLOW_ALLBUT fails");
+        }
+    }
+
    /**
     * @expectedException \qfq\CodeException
     */
@@ -225,5 +254,4 @@ class SanitizeTest extends \PHPUnit_Framework_TestCase {
    public function testSanitizeExceptionCheckFailed() {
        Sanitize::sanitize('string', SANITIZE_ALLOW_DIGIT, '', SANATIZE_EXCEPTION);
    }
-
 }