entermotion / eurl

This package aims to deliver a good set of functions to easily escape URLs that will be used on HTML

Unit testing: url\encode() should not be used as an expected result #3

Closed enricodias closed 5 years ago

enricodias commented 5 years ago

Some tests use the url\encode() function in the expected results. This defeats the purpose of the tests since the behavior of url\encode() itself will not be tested. We should assume that every function may fail. The expected string should be placed as a string instead.

Example:

"expectedResult" => 'http://example.com/'.url\encode('"><script>alert("xss")</script>')

Should be:

"expectedResult" => 'http://example.com/%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E'

enricodias commented 5 years ago

I'm currently working on the unit tests and my next PR should fix this issue.
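
Why an expectation built with the function under test hides regressions, as an added example that is not part of the issue or of eurl's code. `encode_ok()` and `encode_buggy()` are hypothetical stand-ins for `url\encode()`, written only to reproduce the literal quoted in the issue.

```php
<?php
// Added illustration. encode_ok() and encode_buggy() are hypothetical stand-ins,
// not eurl's url\encode().

// Percent-encodes every byte outside a small safe set. The set is an assumption
// chosen so the output matches the literal in the issue ("(", ")" and "/" kept).
function encode_ok(string $s): string
{
    return preg_replace_callback(
        '/[^A-Za-z0-9\-._~()\/]/',
        fn(array $m): string => '%' . strtoupper(bin2hex($m[0])),
        $s
    );
}

// Simulated regression: only the double quote is encoded, "<" and ">" pass through.
function encode_buggy(string $s): string
{
    return str_replace('"', '%22', $s);
}

// Runs one test case against $encode, with either kind of expected value.
function check(callable $encode, bool $selfReferential): bool
{
    $payload = '"><script>alert("xss")</script>';
    $actual  = 'http://example.com/' . $encode($payload);

    $expected = $selfReferential
        // Pattern the issue objects to: expected value computed by the code under test.
        ? 'http://example.com/' . $encode($payload)
        // Literal from the issue: fixed independently of the implementation.
        : 'http://example.com/%22%3E%3Cscript%3Ealert(%22xss%22)%3C/script%3E';

    return $actual === $expected;
}

foreach (['encode_ok', 'encode_buggy'] as $fn) {
    printf(
        "%-13s self-referential: %s   literal: %s\n",
        $fn,
        check($fn, true) ? 'PASS' : 'FAIL',
        check($fn, false) ? 'PASS' : 'FAIL'
    );
}
```

The self-referential check passes for both encoders because it compares the function's output with itself; only the literal expectation fails for the encoder that lets `<` and `>` through.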