From 2077464d464e485a978166604faf158b654fb0cb Mon Sep 17 00:00:00 2001
From: Christian Weiske
Date: Tue, 3 May 2011 09:14:32 +0200
Subject: begin bookmark model class with URL validation method
---
 tests/Model/BookmarkTest.php | 65 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 65 insertions(+)
 create mode 100644 tests/Model/BookmarkTest.php
(limited to 'tests')
diff --git a/tests/Model/BookmarkTest.php b/tests/Model/BookmarkTest.php
new file mode 100644
index 0000000..9f55143
--- /dev/null
+++ b/tests/Model/BookmarkTest.php
@@ -0,0 +1,65 @@
+
+ * @license GPL http://www.gnu.org/licenses/gpl.html
+ * @link http://sourceforge.net/projects/semanticscuttle
+ */
+
+/**
+ * Unit tests for the SemanticScuttle Bookmark model
+ *
+ * @category Bookmarking
+ * @package SemanticScuttle
+ * @author Christian Weiske
+ * @license GPL http://www.gnu.org/licenses/gpl.html
+ * @link http://sourceforge.net/projects/semanticscuttle
+ */
+class Model_BookmarkTest extends TestBase
+{
+ public function testIsValidUrlValid()
+ {
+ $this->assertTrue(
+ SemanticScuttle_Model_Bookmark::isValidUrl(
+ 'http://example.org/foo/bar?baz=foorina'
+ )
+ );
+ $this->assertTrue(
+ SemanticScuttle_Model_Bookmark::isValidUrl(
+ 'https://example.org/'
+ )
+ );
+ $this->assertTrue(
+ SemanticScuttle_Model_Bookmark::isValidUrl(
+ 'ftp://user:pass@example.org/'
+ )
+ );
+ $this->assertTrue(
+ SemanticScuttle_Model_Bookmark::isValidUrl(
+ 'mailto:cweiske@example.org'
+ )
+ );
+ }
+
+ public function testIsValidUrlInvalid()
+ {
+ $this->assertFalse(
+ SemanticScuttle_Model_Bookmark::isValidUrl(
+ 'javascript:alert("foo")'
+ )
+ );
+ $this->assertFalse(
+ SemanticScuttle_Model_Bookmark::isValidUrl(
+ 'foo://example.org/foo/bar'
+ )
+ );
+ }
+
+}
+
+?>
\ No newline at end of file
-- 
cgit v1.2.3
From fb11021ed7eadf7443755e936cbad34fbfec7d4c Mon Sep 17 00:00:00 2001
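Review bot: The negative cases in testIsValidUrlInvalid only cover a lowercase `javascript:` scheme and an unknown `foo://` scheme, so a validator that compares the scheme case-sensitively or does not strip leading whitespace and control characters would pass this suite while still accepting `JavaScript:alert(1)`, `"\tjavascript:alert(1)"` or `data:text/html,...`. Add assertFalse cases for a mixed-case scheme, a whitespace-prefixed scheme and `data:`/`vbscript:` URIs so the scheme allowlist implied by the positive cases is actually pinned; whether isValidUrl is implemented as an allowlist cannot be seen here, since its implementation is not part of this diff. The hunk's first lines (the `<?php` opener and the start of the file docblock) appear to have been lost in extraction, so the file header cannot be reviewed.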
From: Christian Weiske
Date: Tue, 3 May 2011 19:10:12 +0200
Subject: do not add bookmarks with an invalid URL
---
 src/SemanticScuttle/Service/Bookmark.php | 10 +++++++++-
 tests/BookmarkTest.php | 11 ++++++++++-
 2 files changed, 19 insertions(+), 2 deletions(-)
(limited to 'tests')
diff --git a/src/SemanticScuttle/Service/Bookmark.php b/src/SemanticScuttle/Service/Bookmark.php
index a30ad5f..919ca7a 100644
--- a/src/SemanticScuttle/Service/Bookmark.php
+++ b/src/SemanticScuttle/Service/Bookmark.php
@@ -435,6 +435,10 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
 /**
 * Adds a bookmark to the database.
 *
+ * Security checks are being made here, but no error reasons will be
+ * returned. It is the responsibility of the code that calls
+ * addBookmark() to verify the data.
+ *
 * @param string $address Full URL of the bookmark
 * @param string $title Bookmark title
 * @param string $description Long bookmark description
@@ -453,7 +457,8 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
 * @param boolean $fromImport True when the bookmark is from an import.
 * @param integer $sId ID of user who creates the bookmark.
 *
- * @return integer Bookmark ID
+ * @return mixed Integer bookmark ID if saving succeeded, false in
+ * case of an error. Error reasons are not returned.
 */
 public function addBookmark(
 $address, $title, $description, $privateNote, $status, $tags,
@@ -466,6 +471,9 @@ class SemanticScuttle_Service_Bookmark extends SemanticScuttle_DbService
 }
 $address = $this->normalize($address);
+ if (!SemanticScuttle_Model_Bookmark::isValidUrl($address)) {
+ return false;
+ }
 /*
 * Note that if date is NULL, then it's added with a date and
diff --git a/tests/BookmarkTest.php b/tests/BookmarkTest.php
index e7ce488..7533f3a 100644
--- a/tests/BookmarkTest.php
+++ b/tests/BookmarkTest.php
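Review bot: The new guard in addBookmark() returns a bare `false`, which the `$fromImport` parameter documented in the same method makes a silent data-loss path: an import containing a rejected URL drops the entry and the caller cannot distinguish that from any other failure. If the "no error reasons are returned" contract added in this commit is intentional, at least log the rejected address (without echoing it into HTML) so operators can see why imports shrink; otherwise an `InvalidArgumentException` would let the UI report the reason. The check runs on the result of `$this->normalize($address)`, whose behaviour on a `javascript:` or mixed-case scheme is outside this hunk, and only the add path is guarded — if the service has an update method that accepts a new address, it needs the same `isValidUrl()` call, which this diff does not show. addBookmark()'s body continues past the end of the hunk.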
@@ -65,7 +65,16 @@ class BookmarkTest extends TestBase
 $this->assertEquals('myShortName', $bm['bShort']);
 }
- public function testHardCharactersInBookmarks()
+ public function testAddBookmarkInvalidUrl()
+ {
+ $retval = $this->bs->addBookmark(
+ 'javascript:alert(123)', 'title', 'desc', 'priv',
+ 0, array()
+ );
+ $this->assertFalse($retval, 'Bookmark with invalid URL was accepted');
+ }
+
+ public function testAddBookmarkWithSpecialCharacters()
 {
 $bs = $this->bs;
 $title = "title&é\"'(-è_çà)=";
-- 
cgit v1.2.3
From 4a3fdcc4dd5e1298ec701817ae7041e9992a8ff8 Mon Sep 17 00:00:00 2001
From: Christian Weiske
Date: Tue, 3 May 2011 19:10:30 +0200
Subject: rename test method
---
 tests/BookmarkTest.php | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
(limited to 'tests')
diff --git a/tests/BookmarkTest.php b/tests/BookmarkTest.php
index 7533f3a..b50dab2 100644
--- a/tests/BookmarkTest.php
+++ b/tests/BookmarkTest.php
@@ -50,8 +50,6 @@ class BookmarkTest extends TestBase
 /**
 * Tests if adding a bookmark with short url name
 * saves it in the database.
- *
- * @return void
 */
 public function testAddBookmarkShort()
 {
@@ -104,7 +102,7 @@ class BookmarkTest extends TestBase
 );
 }
- public function testUnificationOfBookmarks()
+ public function testAddBookmarkUnification()
 {
 $bs = $this->bs;
-- 
cgit v1.2.3
From aea9c9ddbb1c0fd51192ebdcb1d1dfa258298e8c Mon Sep 17 00:00:00 2001
From: Christian Weiske
Date: Thu, 12 May 2011 19:09:30 +0200
Subject: fix a test that failed when using a base URL without protocol
---
 tests/Api/OpenSearchTest.php | 2 +-
 tests/TestBaseApi.php | 17 +++++++++++++++++
 2 files changed, 18 insertions(+), 1 deletion(-)
(limited to 'tests')
diff --git a/tests/Api/OpenSearchTest.php b/tests/Api/OpenSearchTest.php
index 050713b..f438b46 100644
--- a/tests/Api/OpenSearchTest.php
+++ b/tests/Api/OpenSearchTest.php
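Review bot: testAddBookmarkInvalidUrl asserts only that `addBookmark()` returns `false`; it should also confirm nothing was persisted, for example by counting the user's bookmarks before and after the call, otherwise a later refactor that inserts before validating would still pass this test. The single payload `'javascript:alert(123)'` does not exercise what the service's normalize() step does to variant spellings, so add `'JavaScript:alert(123)'` and `" javascript:alert(123)"` through the same call with the same `assertFalse`. testAddBookmarkWithSpecialCharacters continues past the end of the hunk.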
@@ -27,7 +27,7 @@ class Api_OpenSearchTest extends TestBaseApi
 1, count($arElements), 'OpenSearch link in HTML is missing'
 );
- $searchDescUrl = (string)$arElements[0]['href'];
+ $searchDescUrl = $this->completeUrl((string)$arElements[0]['href']);
 $this->assertNotNull($searchDescUrl, 'Search description URL is empty');
 $req = new HTTP_Request2($searchDescUrl);
diff --git a/tests/TestBaseApi.php b/tests/TestBaseApi.php
index 8ed41cd..036ab6b 100644
--- a/tests/TestBaseApi.php
+++ b/tests/TestBaseApi.php
@@ -92,6 +92,23 @@ class TestBaseApi extends TestBase
 }
+ /**
+ * Completes an URL that's missing the protocol.
+ * Useful when re-using URLs extracted from HTML
+ *
+ * @param string $url Potentially partial URL
+ *
+ * @return string Full URL
+ */
+ protected function completeUrl($url)
+ {
+ if (substr($url, 0, 2) == '//') {
+ $url = 'http:' . $url;
+ }
+ return $url;
+ }
+
+ /**
+ * Creates a user and a HTTP request object and prepares
-- 
cgit v1.2.3
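Review bot: After the new line wraps the href in completeUrl(), `$searchDescUrl` is always a string, so the `assertNotNull` on the following context line can never fail and the "Search description URL is empty" message is unreachable; change it to `$this->assertNotEquals('', $searchDescUrl, 'Search description URL is empty');` so an empty href is actually caught before HTTP_Request2 is given it. The test method continues outside the hunk.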
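Review bot: completeUrl() hard-codes `http:` for a protocol-relative `//host/...` href, so when the test base URL is served over https the follow-up request in the OpenSearch test is downgraded to plain http and may hit a different origin than the page that linked it; derive the scheme from whatever base URL TestBaseApi uses to build its requests (not visible in this hunk) and fall back to `http` only when that has none. The comparison should be strict, `if (substr($url, 0, 2) === '//') {`, since `==` on strings is loose in PHP. The docblock says the method completes a URL "that's missing the protocol", but only the `//` form is handled and a root-relative `/path` href is returned unchanged; either resolve those against the base URL too or state the limit, e.g. `* Only protocol-relative (//host/...) URLs are completed; other forms are returned untouched.`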