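package de.cuioss.test.jsf.converter;

import static org.junit.jupiter.api.Assertions.assertFalse;

import java.util.Locale;

import javax.faces.convert.Converter;

import org.junit.jupiter.api.Test;

/**
 * Extension of {@linkplain AbstractConverterTest} that additionally tests the
 * sanitizing done inside {@code getAsString}.
 * <p>
 * The check provided here is a smoke test for a single payload. It does not
 * show that a converter is safe for every kind of markup, so concrete tests
 * should add cases that match the context in which the converted string is
 * rendered.
 *
 * @param <C> identifying the concrete {@link Converter} to be tested.
 * @param <T> identifying the type of elements to be used for values to be given
 *            to the {@link Converter}
 */
public abstract class AbstractSanitizingConverterTest<C extends Converter<T>, T> extends AbstractConverterTest<C, T> {

    /**
     * Create an instance of the object containing a given malicious content that is
     * to be converted into a string by this converter.
     *
     * @param content the markup to embed; it must end up in the part of the
     *                object that the converter writes out, otherwise the
     *                sanitizing check passes without testing anything
     * @return the object to be handed to {@code getAsString}
     */
    protected abstract T createTestObjectWithMaliciousContent(String content);

    /**
     * Converts an object built from {@code <script>} and asserts that no opening
     * script tag is left in the output. Stripping the tag and escaping its angle
     * bracket both satisfy the assertion.
     */
    @Test
    protected void shouldSanitizeJavaScript() {
        var toConvert = createTestObjectWithMaliciousContent("<script>");
        var result = getConverter().getAsString(getFacesContext(), getComponent(), toConvert);
        // HTML tag names are case-insensitive, so compare on a lower-cased copy;
        // Locale.ROOT keeps the folding independent of the JVM's default locale.
        // A null result raises NullPointerException here and is reported as an
        // error, not as a pass.
        var normalized = result.toLowerCase(Locale.ROOT);
        assertFalse(normalized.contains("<script"),
                "Converter output still contains an opening script tag: " + result);
    }

}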