authorBernhard Posselt <nukeawhale@gmail.com>2013-08-06 13:56:32 +0200
committerBernhard Posselt <nukeawhale@gmail.com>2013-08-06 13:56:32 +0200
commit78b0bcc19ad3aba0e1e10d7441290a8af82e63bf (patch)
treec46055c5d13bea272dcc162170e396c872954513 /tests
parent582dba7e944850d39316a15ef9e3297577fb936f (diff)
move sanitation of urls to the serverside code to also provide security for clients, fix #151
Diffstat (limited to 'tests')
-rw-r--r--tests/unit/businesslayer/FeedBusinessLayerTest.php4
-rw-r--r--tests/unit/db/FeedTest.php23
-rw-r--r--tests/unit/db/ItemTest.php11
3 files changed, 30 insertions, 8 deletions
diff --git a/tests/unit/businesslayer/FeedBusinessLayerTest.php b/tests/unit/businesslayer/FeedBusinessLayerTest.php
index c16a8c4ae..8fce4ce9d 100644
--- a/tests/unit/businesslayer/FeedBusinessLayerTest.php
+++ b/tests/unit/businesslayer/FeedBusinessLayerTest.php
@@ -113,7 +113,7 @@ class FeedBusinessLayerTest extends \OCA\AppFramework\Utility\TestUtility {
}
public function testCreate(){
- $url = 'test';
+ $url = 'http://test';
$folderId = 10;
$createdFeed = new Feed();
$ex = new DoesNotExistException('yo');
@@ -168,7 +168,7 @@ class FeedBusinessLayerTest extends \OCA\AppFramework\Utility\TestUtility {
public function testCreateItemGuidExistsAlready(){
- $url = 'test';
+ $url = 'http://test';
$folderId = 10;
$createdFeed = new Feed();
$ex = new DoesNotExistException('yo');
diff --git a/tests/unit/db/FeedTest.php b/tests/unit/db/FeedTest.php
index 57b739bfb..10c2350f9 100644
--- a/tests/unit/db/FeedTest.php
+++ b/tests/unit/db/FeedTest.php
@@ -34,24 +34,39 @@ class FeedTest extends \PHPUnit_Framework_TestCase {
public function testToAPI() {
$feed = new Feed();
$feed->setId(3);
- $feed->setUrl('url');
+ $feed->setUrl('http://google');
$feed->setTitle('title');
$feed->setFaviconLink('favicon');
$feed->setAdded(123);
$feed->setFolderId(1);
$feed->setUnreadCount(321);
- $feed->setLink('link');
+ $feed->setLink('https://google');
$this->assertEquals(array(
'id' => 3,
- 'url' => 'url',
+ 'url' => 'http://google',
'title' => 'title',
'faviconLink' => 'favicon',
'added' => 123,
'folderId' => 1,
'unreadCount' => 321,
- 'link' => 'link'
+ 'link' => 'https://google'
), $feed->toAPI());
}
+
+ public function testSetXSSUrl() {
+ $feed = new Feed();
+ $feed->setUrl('javascript:alert()');
+ $this->assertEquals('', $feed->getUrl());
+ }
+
+
+ public function testSetXSSLink() {
+ $feed = new Feed();
+ $feed->setLink('javascript:alert()');
+ $this->assertEquals('', $feed->getLink());
+ }
+
+
} \ No newline at end of file
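Review bot: testSetXSSUrl and testSetXSSLink pin only a single lowercase `javascript:` input, so a check that matches the scheme case-sensitively, or that misses other non-http schemes, would still pass; the same applies to testSetXSSUrl in tests/unit/db/ItemTest.php. A data-provider test covering mixed case, leading whitespace, other schemes and a scheme-less value would pin the intended behaviour. Whether the setters already handle these cannot be told from here, since their implementation is outside this diff. In testToAPI, `setFaviconLink('favicon')` still round-trips unchanged, which suggests the favicon link does not go through the same check; that is worth confirming if the value is presumably feed-supplied as well.

```php
    public function unsafeUrlProvider() {
        return array(
            array('JavaScript:alert()'),
            array(' javascript:alert()'),
            array('data:text/html,x'),
            array('vbscript:x'),
            array('no-scheme'),
        );
    }

    /**
     * @dataProvider unsafeUrlProvider
     */
    public function testSetUrlRejectsUnsafeValue($url) {
        $feed = new Feed();
        $feed->setUrl($url);
        $this->assertSame('', $feed->getUrl());
    }
```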
diff --git a/tests/unit/db/ItemTest.php b/tests/unit/db/ItemTest.php
index d48c8da12..971d808f0 100644
--- a/tests/unit/db/ItemTest.php
+++ b/tests/unit/db/ItemTest.php
@@ -71,7 +71,7 @@ class ItemTest extends \PHPUnit_Framework_TestCase {
$item->setId(3);
$item->setGuid('guid');
$item->setGuidHash('hash');
- $item->setUrl('url');
+ $item->setUrl('https://google');
$item->setTitle('title');
$item->setAuthor('author');
$item->setPubDate(123);
@@ -88,7 +88,7 @@ class ItemTest extends \PHPUnit_Framework_TestCase {
'id' => 3,
'guid' => 'guid',
'guidHash' => 'hash',
- 'url' => 'url',
+ 'url' => 'https://google',
'title' => 'title',
'author' => 'author',
'pubDate' => 123,
@@ -119,4 +119,11 @@ class ItemTest extends \PHPUnit_Framework_TestCase {
}
+ public function testSetXSSUrl() {
+ $item = new Item();
+ $item->setUrl('javascript:alert()');
+ $this->assertEquals('', $item->getUrl());
+ }
+
+
} \ No newline at end of file
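Review bot: `$this->assertEquals('', $item->getUrl());` in testSetXSSUrl compares loosely, so it also passes when getUrl() returns null. The test therefore cannot tell "the setter replaced the value with an empty string" from "the field was never set". Use `$this->assertSame('', $item->getUrl());` to pin the exact result. The two new tests in tests/unit/db/FeedTest.php use the same assertion form and would benefit from the same change. The ItemTest class body starts outside this hunk.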