Java tutorial
/* * Copyright 2005-2008 hdiv.org * * Licensed under the Apache License, Version 2.0 (the "License"); * you may not use this file except in compliance with the License. * You may obtain a copy of the License at * * http://www.apache.org/licenses/LICENSE-2.0 * * Unless required by applicable law or agreed to in writing, software * distributed under the License is distributed on an "AS IS" BASIS, * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. * See the License for the specific language governing permissions and * limitations under the License. */ package org.hdiv.web.servlet.tags.form; import javax.servlet.jsp.PageContext; import javax.servlet.jsp.tagext.Tag; import org.springframework.core.Conventions; import org.springframework.mock.web.MockHttpServletRequest; import org.springframework.test.AssertThrows; import org.springframework.web.servlet.tags.form.AbstractFormTag; import org.springframework.web.servlet.tags.form.TagWriter; import org.springframework.web.util.HtmlUtils; /** * @author Gorka Vicente * @since 2.0.6 */ public class FormTagTests extends AbstractHtmlElementTagTests { /** * The name of the {@link javax.servlet.jsp.PageContext} attribute under which the * form object name is exposed. */ static final String MODEL_ATTRIBUTE_VARIABLE_NAME = Conventions.getQualifiedAttributeName(AbstractFormTag.class, "modelAttribute"); private static final String REQUEST_URI = "/my/form"; private FormTagHDIV tag; private MockHttpServletRequest request; private boolean confidentiality; private String queryString; protected void onSetUp() { String hdivParameter = (String) super.getHdivContext().getBean("hdivParameter"); getPageContext().getSession().setAttribute("HDIVParameter", hdivParameter); this.tag = new FormTagHDIV() { protected TagWriter createTagWriter() { return new TagWriter(getWriter()); } }; this.tag.setPageContext(getPageContext()); this.confidentiality = ((Boolean) getHdivContext().getBean("confidentiality")).booleanValue(); String fooValue = this.confidentiality ? "0" : "bar"; queryString = "foo=" + fooValue; } protected void extendRequest(MockHttpServletRequest request) { request.setRequestURI(REQUEST_URI); request.setQueryString("foo=bar"); this.request = request; } public void testWriteForm() throws Exception { String action = "/form.html"; String commandName = "myCommand"; String name = "formName"; String enctype = "my/enctype"; String method = "POST"; String onsubmit = "onsubmit"; String onreset = "onreset"; String cssClass = "myClass"; String cssStyle = "myStyle"; this.tag.setName(name); this.tag.setCssClass(cssClass); this.tag.setCssStyle(cssStyle); this.tag.setAction(action); this.tag.setCommandName(commandName); this.tag.setEnctype(enctype); this.tag.setMethod(method); this.tag.setOnsubmit(onsubmit); this.tag.setOnreset(onreset); int result = this.tag.doStartTag(); assertEquals(Tag.EVAL_BODY_INCLUDE, result); assertEquals("Command name not exposed", commandName, getPageContext().getRequest().getAttribute(MODEL_ATTRIBUTE_VARIABLE_NAME)); result = this.tag.doEndTag(); assertEquals(Tag.EVAL_PAGE, result); this.tag.doFinally(); assertNull("Command name not cleared after tag ends", getPageContext().getRequest().getAttribute(MODEL_ATTRIBUTE_VARIABLE_NAME)); String output = getWriter().toString(); assertFormTagOpened(output); assertFormTagClosed(output); assertContainsAttribute(output, "class", cssClass); assertContainsAttribute(output, "style", cssStyle); assertContainsAttribute(output, "action", action); assertContainsAttribute(output, "enctype", enctype); assertContainsAttribute(output, "method", method); assertContainsAttribute(output, "onsubmit", onsubmit); assertContainsAttribute(output, "onreset", onreset); assertContainsAttribute(output, "id", commandName); assertContainsAttribute(output, "name", name); } public void testWithActionFromRequest() throws Exception { String fooValue = this.confidentiality ? "0" : "bar"; queryString = "foo=" + fooValue; request.setQueryString(queryString); request.addParameter("foo", "bar"); String commandName = "myCommand"; String enctype = "my/enctype"; String method = "POST"; String onsubmit = "onsubmit"; String onreset = "onreset"; this.tag.setCommandName(commandName); this.tag.setEnctype(enctype); this.tag.setMethod(method); this.tag.setOnsubmit(onsubmit); this.tag.setOnreset(onreset); int result = this.tag.doStartTag(); assertEquals(Tag.EVAL_BODY_INCLUDE, result); assertEquals("Command name not exposed", commandName, getPageContext().getAttribute(MODEL_ATTRIBUTE_VARIABLE_NAME, PageContext.REQUEST_SCOPE)); result = this.tag.doEndTag(); assertEquals(Tag.EVAL_PAGE, result); this.tag.doFinally(); assertNull("Command name not cleared after tag ends", getPageContext().getAttribute(MODEL_ATTRIBUTE_VARIABLE_NAME, PageContext.REQUEST_SCOPE)); String output = getWriter().toString(); assertFormTagOpened(output); assertFormTagClosed(output); assertContainsAttribute(output, "action", REQUEST_URI + "?" + queryString); assertContainsAttribute(output, "enctype", enctype); assertContainsAttribute(output, "method", method); assertContainsAttribute(output, "onsubmit", onsubmit); assertContainsAttribute(output, "onreset", onreset); } public void testWithNullResolvedCommand() throws Exception { new AssertThrows(IllegalArgumentException.class, "Must not be able to have a command name that resolves to null") { public void test() throws Exception { tag.setCommandName("${null}"); tag.doStartTag(); } }.runTest(); } /* * See http://opensource.atlassian.com/projects/spring/browse/SPR-2645 */ public void testXSSScriptingExploitWhenActionIsResolvedFromQueryString() throws Exception { String xssQueryString = queryString + "&stuff=\"><script>alert('XSS!')</script>"; request.setQueryString(xssQueryString); request.addParameter("foo", "bar"); request.addParameter("stuff", ""><script>alert('XSS!')</script>"); tag.doStartTag(); String foo = this.confidentiality ? "0" : "bar"; String stuff = this.confidentiality ? "0" : HtmlUtils.htmlEscape(""><script>alert('XSS!')</script>"); assertEquals( "<form id=\"command\" action=\"/my/form?foo=" + foo + "&stuff=" + stuff + "\" method=\"post\">", getWriter().toString()); } private static void assertFormTagOpened(String output) { assertTrue(output.startsWith("<form ")); } private static void assertFormTagClosed(String output) { assertTrue(output.endsWith("</form>")); } }