4 * @todo Tests covering decodeCharReferences can be refactored into a single
5 * method and dataprovider.
9 class SanitizerTest
extends MediaWikiTestCase
{
11 protected function tearDown() {
12 MWTidy
::destroySingleton();
17 * @covers Sanitizer::decodeCharReferences
19 public function testDecodeNamedEntities() {
22 Sanitizer
::decodeCharReferences( 'école' ),
23 'decode named entities'
28 * @covers Sanitizer::decodeCharReferences
30 public function testDecodeNumericEntities() {
32 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
33 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
34 'decode numeric entities'
39 * @covers Sanitizer::decodeCharReferences
41 public function testDecodeMixedEntities() {
43 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
44 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
45 'decode mixed numeric/named entities'
50 * @covers Sanitizer::decodeCharReferences
52 public function testDecodeMixedComplexEntities() {
54 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)",
55 Sanitizer
::decodeCharReferences(
56 "Ĉio bonas dans l'école! (mais pas Ĉio dans l'école)"
58 'decode mixed complex entities'
63 * @covers Sanitizer::decodeCharReferences
65 public function testInvalidAmpersand() {
68 Sanitizer
::decodeCharReferences( 'a & b' ),
74 * @covers Sanitizer::decodeCharReferences
76 public function testInvalidEntities() {
79 Sanitizer
::decodeCharReferences( '&foo;' ),
80 'Invalid named entity'
85 * @covers Sanitizer::decodeCharReferences
87 public function testInvalidNumberedEntities() {
89 UtfNormal\Constants
::UTF8_REPLACEMENT
,
90 Sanitizer
::decodeCharReferences( "�" ),
91 'Invalid numbered entity'
96 * @covers Sanitizer::removeHTMLtags
97 * @dataProvider provideHtml5Tags
99 * @param string $tag Name of an HTML5 element (ie: 'video')
100 * @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '<video>')
102 public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
103 MWTidy
::setInstance( false );
106 $this->assertEquals( "<$tag>",
107 Sanitizer
::removeHTMLtags( "<$tag>" )
110 $this->assertEquals( "<$tag></$tag>\n",
111 Sanitizer
::removeHTMLtags( "<$tag>" )
119 public static function provideHtml5Tags() {
120 $ESCAPED = true; # We want tag to be escaped
121 $VERBATIM = false; # We want to keep the tag
123 [ 'data', $VERBATIM ],
124 [ 'mark', $VERBATIM ],
125 [ 'time', $VERBATIM ],
126 [ 'video', $ESCAPED ],
130 function dataRemoveHTMLtags() {
132 // former testSelfClosingTag
134 '<div>Hello world</div />',
135 '<div>Hello world</div>',
136 'Self-closing closing div'
138 // Make sure special nested HTML5 semantics are not broken
139 // https://html.spec.whatwg.org/multipage/semantics.html#the-kbd-element
141 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
142 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
145 // https://html.spec.whatwg.org/multipage/semantics.html#the-sub-and-sup-elements
147 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
148 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
151 // https://html.spec.whatwg.org/multipage/semantics.html#the-dfn-element
153 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
154 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
155 '<abbr> inside <dfn>',
161 * @dataProvider dataRemoveHTMLtags
162 * @covers Sanitizer::removeHTMLtags
164 public function testRemoveHTMLtags( $input, $output, $msg = null ) {
165 MWTidy
::setInstance( false );
166 $this->assertEquals( $output, Sanitizer
::removeHTMLtags( $input ), $msg );
170 * @dataProvider provideTagAttributesToDecode
171 * @covers Sanitizer::decodeTagAttributes
173 public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
174 $this->assertEquals( $expected,
175 Sanitizer
::decodeTagAttributes( $attributes ),
180 public static function provideTagAttributesToDecode() {
182 [ [ 'foo' => 'bar' ], 'foo=bar', 'Unquoted attribute' ],
183 [ [ 'עברית' => 'bar' ], 'עברית=bar', 'Non-Latin attribute' ],
184 [ [ '६' => 'bar' ], '६=bar', 'Devanagari number' ],
185 [ [ '搭𨋢' => 'bar' ], '搭𨋢=bar', 'Non-BMP character' ],
186 [ [], 'ńgh=bar', 'Combining accent is not allowed' ],
187 [ [ 'foo' => 'bar' ], ' foo = bar ', 'Spaced attribute' ],
188 [ [ 'foo' => 'bar' ], 'foo="bar"', 'Double-quoted attribute' ],
189 [ [ 'foo' => 'bar' ], 'foo=\'bar\'', 'Single-quoted attribute' ],
191 [ 'foo' => 'bar', 'baz' => 'foo' ],
192 'foo=\'bar\' baz="foo"',
196 [ 'foo' => 'bar', 'baz' => 'foo' ],
197 'foo=\'bar\' baz="foo"',
201 [ 'foo' => 'bar', 'baz' => 'foo' ],
202 'foo=\'bar\' baz="foo"',
205 [ [ ':foo' => 'bar' ], ':foo=\'bar\'', 'Leading :' ],
206 [ [ '_foo' => 'bar' ], '_foo=\'bar\'', 'Leading _' ],
207 [ [ 'foo' => 'bar' ], 'Foo=\'bar\'', 'Leading capital' ],
208 [ [ 'foo' => 'BAR' ], 'FOO=BAR', 'Attribute keys are normalized to lowercase' ],
211 [ [], '-foo=bar', 'Leading - is forbidden' ],
212 [ [], '.foo=bar', 'Leading . is forbidden' ],
213 [ [ 'foo-bar' => 'bar' ], 'foo-bar=bar', 'A - is allowed inside the attribute' ],
214 [ [ 'foo-' => 'bar' ], 'foo-=bar', 'A - is allowed inside the attribute' ],
215 [ [ 'foo.bar' => 'baz' ], 'foo.bar=baz', 'A . is allowed inside the attribute' ],
216 [ [ 'foo.' => 'baz' ], 'foo.=baz', 'A . is allowed as last character' ],
217 [ [ 'foo6' => 'baz' ], 'foo6=baz', 'Numbers are allowed' ],
219 # This bit is more relaxed than XML rules, but some extensions use
220 # it, like ProofreadPage (see T29539)
221 [ [ '1foo' => 'baz' ], '1foo=baz', 'Leading numbers are allowed' ],
222 [ [], 'foo$=baz', 'Symbols are not allowed' ],
223 [ [], 'foo@=baz', 'Symbols are not allowed' ],
224 [ [], 'foo~=baz', 'Symbols are not allowed' ],
226 [ 'foo' => '1[#^`*%w/(' ],
228 'All kind of characters are allowed as values'
231 [ 'foo' => '1[#^`*%\'w/(' ],
232 'foo="1[#^`*%\'w/("',
233 'Double quotes are allowed if quoted by single quotes'
236 [ 'foo' => '1[#^`*%"w/(' ],
237 'foo=\'1[#^`*%"w/(\'',
238 'Single quotes are allowed if quoted by double quotes'
240 [ [ 'foo' => '&"' ], 'foo=&"', 'Special chars can be provided as entities' ],
241 [ [ 'foo' => '&foobar;' ], 'foo=&foobar;', 'Entity-like items are accepted' ],
246 * @dataProvider provideDeprecatedAttributes
247 * @covers Sanitizer::fixTagAttributes
249 public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
250 $this->assertEquals( " $inputAttr",
251 Sanitizer
::fixTagAttributes( $inputAttr, $inputEl ),
256 public static function provideDeprecatedAttributes() {
257 /** [ <attribute>, <element>, [message] ] */
259 [ 'clear="left"', 'br' ],
260 [ 'clear="all"', 'br' ],
261 [ 'width="100"', 'td' ],
262 [ 'nowrap="true"', 'td' ],
263 [ 'nowrap=""', 'td' ],
264 [ 'align="right"', 'td' ],
265 [ 'align="center"', 'table' ],
266 [ 'align="left"', 'tr' ],
267 [ 'align="center"', 'div' ],
268 [ 'align="left"', 'h1' ],
269 [ 'align="left"', 'p' ],
274 * @dataProvider provideCssCommentsFixtures
275 * @covers Sanitizer::checkCss
277 public function testCssCommentsChecking( $expected, $css, $message = '' ) {
278 $this->assertEquals( $expected,
279 Sanitizer
::checkCss( $css ),
284 public static function provideCssCommentsFixtures() {
285 /** [ <expected>, <css>, [message] ] */
287 // Valid comments spanning entire input
289 [ '/* comment */', '/* comment */' ],
293 [ 'display: block;', "display:/* foo */block;" ],
294 [ 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
295 'Backslash-escaped comments must be stripped (T30450)' ],
296 [ '', '/* unfinished comment structure',
297 'Remove anything after a comment-start token' ],
298 [ '', "\\2f\\2a unifinished comment'",
299 'Remove anything after a backslash-escaped comment-start token' ],
301 '/* insecure input */',
302 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader'
303 . '(src=\'asdf.png\',sizingMethod=\'scale\');'
306 '/* insecure input */',
307 '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader'
308 . '(src=\'asdf.png\',sizingMethod=\'scale\')";'
310 [ '/* insecure input */', 'width: expression(1+1);' ],
311 [ '/* insecure input */', 'background-image: image(asdf.png);' ],
312 [ '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ],
313 [ '/* insecure input */', 'background-image: -moz-image(asdf.png);' ],
314 [ '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ],
316 '/* insecure input */',
317 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'
320 '/* insecure input */',
321 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
323 [ '/* insecure input */', 'foo: attr( title, url );' ],
324 [ '/* insecure input */', 'foo: attr( title url );' ],
329 * @dataProvider provideEscapeHtmlAllowEntities
330 * @covers Sanitizer::escapeHtmlAllowEntities
332 public function testEscapeHtmlAllowEntities( $expected, $html ) {
335 Sanitizer
::escapeHtmlAllowEntities( $html )
339 public static function provideEscapeHtmlAllowEntities() {
342 [ 'a¡b', 'a¡b' ],
343 [ 'foo'bar', "foo'bar" ],
344 [ '<script>foo</script>', '<script>foo</script>' ],
349 * Test Sanitizer::escapeId
351 * @dataProvider provideEscapeId
352 * @covers Sanitizer::escapeId
354 public function testEscapeId( $input, $output ) {
357 Sanitizer
::escapeId( $input, [ 'noninitial', 'legacy' ] )
361 public static function provideEscapeId() {
378 [ 'Test:A & B/Here', 'Test:A_.26_B.2FHere' ],
379 [ 'A&B&C&amp;D&amp;amp;E', 'A.26B.26C.26amp.3BD.26amp.3Bamp.3BE' ],
384 * Test escapeIdReferenceList for consistency with escapeIdForAttribute
386 * @dataProvider provideEscapeIdReferenceList
387 * @covers Sanitizer::escapeIdReferenceList
389 public function testEscapeIdReferenceList( $referenceList, $id1, $id2 ) {
391 Sanitizer
::escapeIdReferenceList( $referenceList, 'noninitial' ),
392 Sanitizer
::escapeIdForAttribute( $id1 )
394 . Sanitizer
::escapeIdForAttribute( $id2 )
398 public static function provideEscapeIdReferenceList() {
399 /** [ <reference list>, <individual id 1>, <individual id 2> ] */
401 [ 'foo bar', 'foo', 'bar' ],
402 [ '#1 #2', '#1', '#2' ],
403 [ '+1 +2', '+1', '+2' ],
408 * @dataProvider provideIsReservedDataAttribute
410 public function testIsReservedDataAttribute( $attr, $expected ) {
411 $this->assertSame( $expected, Sanitizer
::isReservedDataAttribute( $attr ) );
414 public static function provideIsReservedDataAttribute() {
418 [ 'data-foo', false ],
420 [ 'data-ooui', true ],
421 [ 'data-parsoid', true ],
422 [ 'data-mw-foo', true ],
423 [ 'data-ooui-foo', true ],
424 [ 'data-mwfoo', true ], // could be false but this is how it's implemented currently
429 * @dataProvider provideEscapeIdForStuff
431 * @covers Sanitizer::escapeIdForAttribute()
432 * @covers Sanitizer::escapeIdForLink()
433 * @covers Sanitizer::escapeIdForExternalInterwiki()
434 * @covers Sanitizer::escapeIdInternal()
435 * @covers Sanitizer::urlEscapeId()
437 * @param string $stuff
438 * @param string[] $config
440 * @param string|false $expected
441 * @param int|null $mode
443 public function testEscapeIdForStuff( $stuff, array $config, $id, $expected, $mode = null ) {
444 $func = "Sanitizer::escapeIdFor{$stuff}";
445 $iwFlavor = array_pop( $config );
446 $this->setMwGlobals( [
447 'wgFragmentMode' => $config,
448 'wgExternalInterwikiFragmentMode' => $iwFlavor,
450 $escaped = call_user_func( $func, $id, $mode );
451 self
::assertEquals( $expected, $escaped );
454 public function provideEscapeIdForStuff() {
455 // Test inputs and outputs
456 $text = 'foo тест_#%!\'()[]:<>';
457 $legacyEncoded = 'foo_.D1.82.D0.B5.D1.81.D1.82_.23.25.21.27.28.29.5B.5D:.3C.3E';
458 $html5Encoded = 'foo_тест_#%!\'()[]:<>';
459 $html5Escaped = 'foo_%D1%82%D0%B5%D1%81%D1%82_%23%25%21%27%28%29%5B%5D:%3C%3E';
460 $html5Experimental = 'foo_тест_!_()[]:<>';
462 // Settings: last element is $wgExternalInterwikiFragmentMode, the rest is $wgFragmentMode
463 $legacy = [ 'legacy', 'legacy' ];
464 $legacyNew = [ 'legacy', 'html5', 'legacy' ];
465 $newLegacy = [ 'html5', 'legacy', 'legacy' ];
466 $new = [ 'html5', 'legacy' ];
467 $allNew = [ 'html5', 'html5' ];
468 $experimentalLegacy = [ 'html5-legacy', 'legacy', 'legacy' ];
469 $newExperimental = [ 'html5', 'html5-legacy', 'legacy' ];
472 // Pure legacy: how MW worked before 2017
473 [ 'Attribute', $legacy, $text, $legacyEncoded, Sanitizer
::ID_PRIMARY
],
474 [ 'Attribute', $legacy, $text, false, Sanitizer
::ID_FALLBACK
],
475 [ 'Link', $legacy, $text, $legacyEncoded ],
476 [ 'ExternalInterwiki', $legacy, $text, $legacyEncoded ],
478 // Transition to a new world: legacy links with HTML5 fallback
479 [ 'Attribute', $legacyNew, $text, $legacyEncoded, Sanitizer
::ID_PRIMARY
],
480 [ 'Attribute', $legacyNew, $text, $html5Encoded, Sanitizer
::ID_FALLBACK
],
481 [ 'Link', $legacyNew, $text, $legacyEncoded ],
482 [ 'ExternalInterwiki', $legacyNew, $text, $legacyEncoded ],
484 // New world: HTML5 links, legacy fallbacks
485 [ 'Attribute', $newLegacy, $text, $html5Encoded, Sanitizer
::ID_PRIMARY
],
486 [ 'Attribute', $newLegacy, $text, $legacyEncoded, Sanitizer
::ID_FALLBACK
],
487 [ 'Link', $newLegacy, $text, $html5Escaped ],
488 [ 'ExternalInterwiki', $newLegacy, $text, $legacyEncoded ],
490 // Distant future: no legacy fallbacks, but still linking to leagacy wikis
491 [ 'Attribute', $new, $text, $html5Encoded, Sanitizer
::ID_PRIMARY
],
492 [ 'Attribute', $new, $text, false, Sanitizer
::ID_FALLBACK
],
493 [ 'Link', $new, $text, $html5Escaped ],
494 [ 'ExternalInterwiki', $new, $text, $legacyEncoded ],
496 // Just before the heat death of universe: external interwikis are also HTML5 \m/
497 [ 'Attribute', $allNew, $text, $html5Encoded, Sanitizer
::ID_PRIMARY
],
498 [ 'Attribute', $allNew, $text, false, Sanitizer
::ID_FALLBACK
],
499 [ 'Link', $allNew, $text, $html5Escaped ],
500 [ 'ExternalInterwiki', $allNew, $text, $html5Escaped ],
502 // Someone flipped $wgExperimentalHtmlIds on
503 [ 'Attribute', $experimentalLegacy, $text, $html5Experimental, Sanitizer
::ID_PRIMARY
],
504 [ 'Attribute', $experimentalLegacy, $text, $legacyEncoded, Sanitizer
::ID_FALLBACK
],
505 [ 'Link', $experimentalLegacy, $text, $html5Experimental ],
506 [ 'ExternalInterwiki', $experimentalLegacy, $text, $legacyEncoded ],
508 // Migration from $wgExperimentalHtmlIds to modern HTML5
509 [ 'Attribute', $newExperimental, $text, $html5Encoded, Sanitizer
::ID_PRIMARY
],
510 [ 'Attribute', $newExperimental, $text, $html5Experimental, Sanitizer
::ID_FALLBACK
],
511 [ 'Link', $newExperimental, $text, $html5Escaped ],
512 [ 'ExternalInterwiki', $newExperimental, $text, $legacyEncoded ],
517 * @expectedException InvalidArgumentException
518 * @covers Sanitizer::escapeIdInternal()
520 public function testInvalidFragmentThrows() {
521 $this->setMwGlobals( 'wgFragmentMode', [ 'boom!' ] );
522 Sanitizer
::escapeIdForAttribute( 'This should throw' );
526 * @expectedException UnexpectedValueException
527 * @covers Sanitizer::escapeIdForAttribute()
529 public function testNoPrimaryFragmentModeThrows() {
530 $this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
531 Sanitizer
::escapeIdForAttribute( 'This should throw' );
535 * @expectedException UnexpectedValueException
536 * @covers Sanitizer::escapeIdForLink()
538 public function testNoPrimaryFragmentModeThrows2() {
539 $this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
540 Sanitizer
::escapeIdForLink( 'This should throw' );