4 * @todo Tests covering decodeCharReferences can be refactored into a single
5 * method and dataprovider.
7 class SanitizerTest
extends MediaWikiTestCase
{
9 protected function tearDown() {
10 MWTidy
::destroySingleton();
15 * @covers Sanitizer::decodeCharReferences
17 public function testDecodeNamedEntities() {
20 Sanitizer
::decodeCharReferences( 'école' ),
21 'decode named entities'
26 * @covers Sanitizer::decodeCharReferences
28 public function testDecodeNumericEntities() {
30 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
31 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
32 'decode numeric entities'
37 * @covers Sanitizer::decodeCharReferences
39 public function testDecodeMixedEntities() {
41 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
42 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
43 'decode mixed numeric/named entities'
48 * @covers Sanitizer::decodeCharReferences
50 public function testDecodeMixedComplexEntities() {
52 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)",
53 Sanitizer
::decodeCharReferences(
54 "Ĉio bonas dans l'école! (mais pas Ĉio dans l'école)"
56 'decode mixed complex entities'
61 * @covers Sanitizer::decodeCharReferences
63 public function testInvalidAmpersand() {
66 Sanitizer
::decodeCharReferences( 'a & b' ),
72 * @covers Sanitizer::decodeCharReferences
74 public function testInvalidEntities() {
77 Sanitizer
::decodeCharReferences( '&foo;' ),
78 'Invalid named entity'
83 * @covers Sanitizer::decodeCharReferences
85 public function testInvalidNumberedEntities() {
87 UtfNormal\Constants
::UTF8_REPLACEMENT
,
88 Sanitizer
::decodeCharReferences( "�" ),
89 'Invalid numbered entity'
94 * @covers Sanitizer::removeHTMLtags
95 * @dataProvider provideHtml5Tags
97 * @param string $tag Name of an HTML5 element (ie: 'video')
98 * @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '<video>')
100 public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
101 MWTidy
::setInstance( false );
104 $this->assertEquals( "<$tag>",
105 Sanitizer
::removeHTMLtags( "<$tag>" )
108 $this->assertEquals( "<$tag></$tag>\n",
109 Sanitizer
::removeHTMLtags( "<$tag>" )
117 public static function provideHtml5Tags() {
118 $ESCAPED = true; # We want tag to be escaped
119 $VERBATIM = false; # We want to keep the tag
121 array( 'data', $VERBATIM ),
122 array( 'mark', $VERBATIM ),
123 array( 'time', $VERBATIM ),
124 array( 'video', $ESCAPED ),
128 function dataRemoveHTMLtags() {
130 // former testSelfClosingTag
132 '<div>Hello world</div />',
133 '<div>Hello world</div>',
134 'Self-closing closing div'
136 // Make sure special nested HTML5 semantics are not broken
137 // http://www.whatwg.org/html/text-level-semantics.html#the-kbd-element
139 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
140 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
143 // http://www.whatwg.org/html/text-level-semantics.html#the-sub-and-sup-elements
145 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
146 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
149 // http://www.whatwg.org/html/text-level-semantics.html#the-dfn-element
151 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
152 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
153 '<abbr> inside <dfn>',
159 * @dataProvider dataRemoveHTMLtags
160 * @covers Sanitizer::removeHTMLtags
162 public function testRemoveHTMLtags( $input, $output, $msg = null ) {
163 MWTidy
::setInstance( false );
164 $this->assertEquals( $output, Sanitizer
::removeHTMLtags( $input ), $msg );
168 * @dataProvider provideTagAttributesToDecode
169 * @covers Sanitizer::decodeTagAttributes
171 public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
172 $this->assertEquals( $expected,
173 Sanitizer
::decodeTagAttributes( $attributes ),
178 public static function provideTagAttributesToDecode() {
180 array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
181 array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
182 array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
183 array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
185 array( 'foo' => 'bar', 'baz' => 'foo' ),
186 'foo=\'bar\' baz="foo"',
190 array( 'foo' => 'bar', 'baz' => 'foo' ),
191 'foo=\'bar\' baz="foo"',
195 array( 'foo' => 'bar', 'baz' => 'foo' ),
196 'foo=\'bar\' baz="foo"',
199 array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
200 array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
201 array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
202 array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
205 array( array(), '-foo=bar', 'Leading - is forbidden' ),
206 array( array(), '.foo=bar', 'Leading . is forbidden' ),
207 array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
208 array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
209 array( array( 'foo.bar' => 'baz' ), 'foo.bar=baz', 'A . is allowed inside the attribute' ),
210 array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
211 array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
213 # This bit is more relaxed than XML rules, but some extensions use
214 # it, like ProofreadPage (see bug 27539)
215 array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
216 array( array(), 'foo$=baz', 'Symbols are not allowed' ),
217 array( array(), 'foo@=baz', 'Symbols are not allowed' ),
218 array( array(), 'foo~=baz', 'Symbols are not allowed' ),
220 array( 'foo' => '1[#^`*%w/(' ),
222 'All kind of characters are allowed as values'
225 array( 'foo' => '1[#^`*%\'w/(' ),
226 'foo="1[#^`*%\'w/("',
227 'Double quotes are allowed if quoted by single quotes'
230 array( 'foo' => '1[#^`*%"w/(' ),
231 'foo=\'1[#^`*%"w/(\'',
232 'Single quotes are allowed if quoted by double quotes'
234 array( array( 'foo' => '&"' ), 'foo=&"', 'Special chars can be provided as entities' ),
235 array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
240 * @dataProvider provideDeprecatedAttributes
241 * @covers Sanitizer::fixTagAttributes
243 public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
244 $this->assertEquals( " $inputAttr",
245 Sanitizer
::fixTagAttributes( $inputAttr, $inputEl ),
250 public static function provideDeprecatedAttributes() {
251 /** array( <attribute>, <element>, [message] ) */
253 array( 'clear="left"', 'br' ),
254 array( 'clear="all"', 'br' ),
255 array( 'width="100"', 'td' ),
256 array( 'nowrap="true"', 'td' ),
257 array( 'nowrap=""', 'td' ),
258 array( 'align="right"', 'td' ),
259 array( 'align="center"', 'table' ),
260 array( 'align="left"', 'tr' ),
261 array( 'align="center"', 'div' ),
262 array( 'align="left"', 'h1' ),
263 array( 'align="left"', 'p' ),
268 * @dataProvider provideCssCommentsFixtures
269 * @covers Sanitizer::checkCss
271 public function testCssCommentsChecking( $expected, $css, $message = '' ) {
272 $this->assertEquals( $expected,
273 Sanitizer
::checkCss( $css ),
278 public static function provideCssCommentsFixtures() {
279 /** array( <expected>, <css>, [message] ) */
281 // Valid comments spanning entire input
282 array( '/**/', '/**/' ),
283 array( '/* comment */', '/* comment */' ),
285 array( ' ', '/****/' ),
286 array( ' ', '/* /* */' ),
287 array( 'display: block;', "display:/* foo */block;" ),
288 array( 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
289 'Backslash-escaped comments must be stripped (bug 28450)' ),
290 array( '', '/* unfinished comment structure',
291 'Remove anything after a comment-start token' ),
292 array( '', "\\2f\\2a unifinished comment'",
293 'Remove anything after a backslash-escaped comment-start token' ),
295 '/* insecure input */',
296 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader'
297 . '(src=\'asdf.png\',sizingMethod=\'scale\');'
300 '/* insecure input */',
301 '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader'
302 . '(src=\'asdf.png\',sizingMethod=\'scale\')";'
304 array( '/* insecure input */', 'width: expression(1+1);' ),
305 array( '/* insecure input */', 'background-image: image(asdf.png);' ),
306 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ),
307 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);' ),
308 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
310 '/* insecure input */',
311 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'
314 '/* insecure input */',
315 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
321 * Test for support or lack of support for specific attributes in the attribute whitelist.
323 public static function provideAttributeSupport() {
324 /** array( <attributes>, <expected>, <message> ) */
328 ' role="presentation"',
329 ' role="presentation"',
330 'Support for WAI-ARIA\'s role="presentation".'
332 array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
337 * @dataProvider provideAttributeSupport
338 * @covers Sanitizer::fixTagAttributes
340 public function testAttributeSupport( $tag, $attributes, $expected, $message ) {
341 $this->assertEquals( $expected,
342 Sanitizer
::fixTagAttributes( $attributes, $tag ),
348 * @dataProvider provideEscapeHtmlAllowEntities
349 * @covers Sanitizer::escapeHtmlAllowEntities
351 public function testEscapeHtmlAllowEntities( $expected, $html ) {
354 Sanitizer
::escapeHtmlAllowEntities( $html )
358 public static function provideEscapeHtmlAllowEntities() {
360 array( 'foo', 'foo' ),
361 array( 'a¡b', 'a¡b' ),
362 array( 'foo'bar', "foo'bar" ),
363 array( '<script>foo</script>', '<script>foo</script>' ),