search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Release notes for Iabf4873f
[mediawiki.git] / tests / phpunit / includes / SanitizerTest.php
blob97abf8020a7ea10df6c67fcad6a69926863a22c4
1 <?php
2
3 /**
4 * @todo Tests covering decodeCharReferences can be refactored into a single
5 * method and dataprovider.
6 */
7 class SanitizerTest extends MediaWikiTestCase {
8
9 protected function setUp() {
10 parent::setUp();
11
12 AutoLoader::loadClass( 'Sanitizer' );
13 }
14
15 /**
16 * @covers Sanitizer::decodeCharReferences
17 */
18 public function testDecodeNamedEntities() {
19 $this->assertEquals(
20 "\xc3\xa9cole",
21 Sanitizer::decodeCharReferences( '&eacute;cole' ),
22 'decode named entities'
23 );
24 }
25
26 /**
27 * @covers Sanitizer::decodeCharReferences
28 */
29 public function testDecodeNumericEntities() {
30 $this->assertEquals(
31 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
32 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&#233;cole!" ),
33 'decode numeric entities'
34 );
35 }
36
37 /**
38 * @covers Sanitizer::decodeCharReferences
39 */
40 public function testDecodeMixedEntities() {
41 $this->assertEquals(
42 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
43 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&eacute;cole!" ),
44 'decode mixed numeric/named entities'
45 );
46 }
47
48 /**
49 * @covers Sanitizer::decodeCharReferences
50 */
51 public function testDecodeMixedComplexEntities() {
52 $this->assertEquals(
53 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas &#x108;io dans l'&eacute;cole)",
54 Sanitizer::decodeCharReferences(
55 "&#x108;io bonas dans l'&eacute;cole! (mais pas &amp;#x108;io dans l'&#38;eacute;cole)"
56 ),
57 'decode mixed complex entities'
58 );
59 }
60
61 /**
62 * @covers Sanitizer::decodeCharReferences
63 */
64 public function testInvalidAmpersand() {
65 $this->assertEquals(
66 'a & b',
67 Sanitizer::decodeCharReferences( 'a & b' ),
68 'Invalid ampersand'
69 );
70 }
71
72 /**
73 * @covers Sanitizer::decodeCharReferences
74 */
75 public function testInvalidEntities() {
76 $this->assertEquals(
77 '&foo;',
78 Sanitizer::decodeCharReferences( '&foo;' ),
79 'Invalid named entity'
80 );
81 }
82
83 /**
84 * @covers Sanitizer::decodeCharReferences
85 */
86 public function testInvalidNumberedEntities() {
87 $this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "&#88888888888888;" ), 'Invalid numbered entity' );
88 }
89
90 /**
91 * @covers Sanitizer::removeHTMLtags
92 * @dataProvider provideHtml5Tags
93 *
94 * @param String $tag Name of an HTML5 element (ie: 'video')
95 * @param Boolean $escaped Wheter sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
96 */
97 public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
98 $this->setMwGlobals( array(
99 'wgUseTidy' => false
100 ) );
101
102 if ( $escaped ) {
103 $this->assertEquals( "&lt;$tag&gt;",
104 Sanitizer::removeHTMLtags( "<$tag>" )
105 );
106 } else {
107 $this->assertEquals( "<$tag></$tag>\n",
108 Sanitizer::removeHTMLtags( "<$tag>" )
109 );
110 }
111 }
112
113 /**
114 * Provide HTML5 tags
115 */
116 public static function provideHtml5Tags() {
117 $ESCAPED = true; # We want tag to be escaped
118 $VERBATIM = false; # We want to keep the tag
119 return array(
120 array( 'data', $VERBATIM ),
121 array( 'mark', $VERBATIM ),
122 array( 'time', $VERBATIM ),
123 array( 'video', $ESCAPED ),
124 );
125 }
126
127 function dataRemoveHTMLtags() {
128 return array(
129 // former testSelfClosingTag
130 array(
131 '<div>Hello world</div />',
132 '<div>Hello world</div>',
133 'Self-closing closing div'
134 ),
135 // Make sure special nested HTML5 semantics are not broken
136 // http://www.whatwg.org/html/text-level-semantics.html#the-kbd-element
137 array(
138 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
139 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
140 'Nested <kbd>.'
141 ),
142 // http://www.whatwg.org/html/text-level-semantics.html#the-sub-and-sup-elements
143 array(
144 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
145 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
146 'Nested <var>.'
147 ),
148 // http://www.whatwg.org/html/text-level-semantics.html#the-dfn-element
149 array(
150 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
151 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
152 '<abbr> inside <dfn>',
153 ),
154 );
155 }
156
157 /**
158 * @dataProvider dataRemoveHTMLtags
159 * @covers Sanitizer::removeHTMLtags
160 */
161 public function testRemoveHTMLtags( $input, $output, $msg = null ) {
162 $GLOBALS['wgUseTidy'] = false;
163 $this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
164 }
165
166 /**
167 * @dataProvider provideTagAttributesToDecode
168 * @covers Sanitizer::decodeTagAttributes
169 */
170 public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
171 $this->assertEquals( $expected,
172 Sanitizer::decodeTagAttributes( $attributes ),
173 $message
174 );
175 }
176
177 public static function provideTagAttributesToDecode() {
178 return array(
179 array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
180 array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
181 array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
182 array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
183 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
184 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
185 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
186 array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
187 array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
188 array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
189 array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
190
191 # Invalid beginning
192 array( array(), '-foo=bar', 'Leading - is forbidden' ),
193 array( array(), '.foo=bar', 'Leading . is forbidden' ),
194 array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
195 array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
196 array( array( 'foo.bar' => 'baz' ), 'foo.bar=baz', 'A . is allowed inside the attribute' ),
197 array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
198 array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
199
200 # This bit is more relaxed than XML rules, but some extensions use
201 # it, like ProofreadPage (see bug 27539)
202 array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
203 array( array(), 'foo$=baz', 'Symbols are not allowed' ),
204 array( array(), 'foo@=baz', 'Symbols are not allowed' ),
205 array( array(), 'foo~=baz', 'Symbols are not allowed' ),
206 array( array( 'foo' => '1[#^`*%w/(' ), 'foo=1[#^`*%w/(', 'All kind of characters are allowed as values' ),
207 array( array( 'foo' => '1[#^`*%\'w/(' ), 'foo="1[#^`*%\'w/("', 'Double quotes are allowed if quoted by single quotes' ),
208 array( array( 'foo' => '1[#^`*%"w/(' ), 'foo=\'1[#^`*%"w/(\'', 'Single quotes are allowed if quoted by double quotes' ),
209 array( array( 'foo' => '&"' ), 'foo=&amp;&quot;', 'Special chars can be provided as entities' ),
210 array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
211 );
212 }
213
214 /**
215 * @dataProvider provideDeprecatedAttributes
216 * @covers Sanitizer::fixTagAttributes
217 */
218 public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
219 $this->assertEquals( " $inputAttr",
220 Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
221 $message
222 );
223 }
224
225 public static function provideDeprecatedAttributes() {
226 /** array( <attribute>, <element>, [message] ) */
227 return array(
228 array( 'clear="left"', 'br' ),
229 array( 'clear="all"', 'br' ),
230 array( 'width="100"', 'td' ),
231 array( 'nowrap="true"', 'td' ),
232 array( 'nowrap=""', 'td' ),
233 array( 'align="right"', 'td' ),
234 array( 'align="center"', 'table' ),
235 array( 'align="left"', 'tr' ),
236 array( 'align="center"', 'div' ),
237 array( 'align="left"', 'h1' ),
238 array( 'align="left"', 'p' ),
239 );
240 }
241
242 /**
243 * @dataProvider provideCssCommentsFixtures
244 * @covers Sanitizer::checkCss
245 */
246 public function testCssCommentsChecking( $expected, $css, $message = '' ) {
247 $this->assertEquals( $expected,
248 Sanitizer::checkCss( $css ),
249 $message
250 );
251 }
252
253 public static function provideCssCommentsFixtures() {
254 /** array( <expected>, <css>, [message] ) */
255 return array(
256 // Valid comments spanning entire input
257 array( '/**/', '/**/' ),
258 array( '/* comment */', '/* comment */' ),
259 // Weird stuff
260 array( ' ', '/****/' ),
261 array( ' ', '/* /* */' ),
262 array( 'display: block;', "display:/* foo */block;" ),
263 array( 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
264 'Backslash-escaped comments must be stripped (bug 28450)' ),
265 array( '', '/* unfinished comment structure',
266 'Remove anything after a comment-start token' ),
267 array( '', "\\2f\\2a unifinished comment'",
268 'Remove anything after a backslash-escaped comment-start token' ),
269 array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');' ),
270 array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";' ),
271 array( '/* insecure input */', 'width: expression(1+1);' ),
272 array( '/* insecure input */', 'background-image: image(asdf.png);' ),
273 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ),
274 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);' ),
275 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
276 array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
277 array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
278 );
279 }
280
281 /**
282 * Test for support or lack of support for specific attributes in the attribute whitelist.
283 */
284 public static function provideAttributeSupport() {
285 /** array( <attributes>, <expected>, <message> ) */
286 return array(
287 array( 'div', ' role="presentation"', ' role="presentation"', 'Support for WAI-ARIA\'s role="presentation".' ),
288 array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
289 );
290 }
291
292 /**
293 * @dataProvider provideAttributeSupport
294 * @covers Sanitizer::fixTagAttributes
295 */
296 public function testAttributeSupport( $tag, $attributes, $expected, $message ) {
297 $this->assertEquals( $expected,
298 Sanitizer::fixTagAttributes( $attributes, $tag ),
299 $message
300 );
301 }
302 }
MediaWiki Core