1+ component extends = " org.lucee.cfml.test.LuceeTestCase" labels = " guard"
2+
3+ function run ( testResults , testBox ) {
4+ describe ( title = " Guard: Contextual Encoding Suite" body = function () {
5+
6+ // --- OWASP Java Encoder Targets ---
7+
8+ it ( " encodes for HTML" function () {
9+ var raw = ' <b> "Test" & \' Check \ ' </b>'
10+ var expected = ' <b> "Test" & ' ;Check & '
11+ expect ( guardEncode (raw , " html" toBe ( expected );
12+ });
13+
14+ it ( " encodes for HTML Attributes" function () {
15+ var raw = ' "><script>alert(1)</script>'
16+ // Attributes are encoded more aggressively than body HTML
17+ expect ( guardEncode (raw , " html_attr" toInclude ( " ""
18+ expect ( guardEncode (raw , " html_attr" notToInclude ( " >"
19+ });
20+
21+ it ( " encodes for JavaScript" function () {
22+ var raw = " '; alert(1); var x='"
23+ // Should use hex/unicode escapes for quotes and semicolons
24+ var res = guardEncode (raw , " javascript"
25+ expect ( res ).toInclude ( " \x27"
26+ expect ( res ).notToInclude ( " '"
27+ });
28+
29+ it ( " encodes for CSS" function () {
30+ var raw = " background: url('javascript:alert(1)')"
31+ // CSS encoder escapes non-alphanumerics with backslashes/hex
32+ expect ( guardEncode (raw , " css" toInclude ( " \3a "
33+ });
34+
35+ it ( " encodes for URL (URI Component)" function () {
36+ var raw = " John Doe & Sons/Company"
37+ expect ( guardEncode (raw , " url" toBe ( " John%20Doe%20%26%20Sons%2FCompany"
38+ });
39+
40+ it ( " encodes for XML and XML Attributes" function () {
41+ var raw = ' <test value="5"> & '
42+ expect ( guardEncode (raw , " xml" toInclude ( " <"
43+ expect ( guardEncode (raw , " xml_attr" toInclude ( " ""
44+ });
45+
46+ // --- CustomEncoder Targets ---
47+
48+ it ( " encodes for LDAP DN (Distinguished Name)" function () {
49+ var raw = " Doe, John #123"
50+ // Should escape the leading # and the comma
51+ expect ( guardEncode (raw , " dn" toBe ( " \#Doe \ , John \ "
52+ });
53+
54+ it ( " encodes for LDAP Search Filter" function () {
55+ var raw = " admin* (test)"
56+ // Asterisks and parens must be hex-escaped in filters
57+ expect ( guardEncode (raw , " ldap" toBe ( " admin\2a \28test\29"
58+ });
59+
60+ it ( " encodes for XPath" function () {
61+ var raw = " ' or 1=1 "
62+ expect ( guardEncode (raw , " xpath" toBe ( " ' ; or 1 = 1 & "
63+ });
64+
65+ it ( " encodes for VBScript" function () {
66+ var raw = " alert!"
67+ // Custom VBScript encoder hex-escapes punctuation
68+ expect ( guardEncode (raw , " vbscript" toInclude ( " hex(21)"
69+ });
70+
71+ it ( " encodes for SQL (Multi-Dialect)" function () {
72+ var raw = " O'Reilly"
73+ // Test Oracle/Standard (double quote)
74+ expect ( guardEncode (raw , " sql" false , " oracle" toBe ( " O''Reilly"
75+ // Test MySQL (backslash)
76+ expect ( guardEncode (raw , " sql" false , " mysql" toBe ( " O\'Reilly"
77+ });
78+
79+ // --- Utility Flags ---
80+
81+ it ( " canonicalizes before encoding when requested" function () {
82+ // %253c is double encoded '<'
83+ var input = " %253cscript%253e"
84+ // If canonicalize=true, it should resolve to <script> then encode for HTML
85+ var res = guardEncode (input , " html" true );
86+ expect ( res ).toBe ( " <script>"
87+ });
88+
89+ });
90+ }
91+ }
0 commit comments