search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Remove $wgDebugFunctionEntry, unused
[mediawiki.git] / tests / phpunit / includes / SanitizerTest.php
blobf960f4845500c6d5e202cc48dae58d772b18592d
1 <?php
2
3 /**
4 * @todo Tests covering decodeCharReferences can be refactored into a single
5 * method and dataprovider.
6 */
7 class SanitizerTest extends MediaWikiTestCase {
8
9 /**
10 * @covers Sanitizer::decodeCharReferences
11 */
12 public function testDecodeNamedEntities() {
13 $this->assertEquals(
14 "\xc3\xa9cole",
15 Sanitizer::decodeCharReferences( '&eacute;cole' ),
16 'decode named entities'
17 );
18 }
19
20 /**
21 * @covers Sanitizer::decodeCharReferences
22 */
23 public function testDecodeNumericEntities() {
24 $this->assertEquals(
25 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
26 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&#233;cole!" ),
27 'decode numeric entities'
28 );
29 }
30
31 /**
32 * @covers Sanitizer::decodeCharReferences
33 */
34 public function testDecodeMixedEntities() {
35 $this->assertEquals(
36 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
37 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&eacute;cole!" ),
38 'decode mixed numeric/named entities'
39 );
40 }
41
42 /**
43 * @covers Sanitizer::decodeCharReferences
44 */
45 public function testDecodeMixedComplexEntities() {
46 $this->assertEquals(
47 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas &#x108;io dans l'&eacute;cole)",
48 Sanitizer::decodeCharReferences(
49 "&#x108;io bonas dans l'&eacute;cole! (mais pas &amp;#x108;io dans l'&#38;eacute;cole)"
50 ),
51 'decode mixed complex entities'
52 );
53 }
54
55 /**
56 * @covers Sanitizer::decodeCharReferences
57 */
58 public function testInvalidAmpersand() {
59 $this->assertEquals(
60 'a & b',
61 Sanitizer::decodeCharReferences( 'a & b' ),
62 'Invalid ampersand'
63 );
64 }
65
66 /**
67 * @covers Sanitizer::decodeCharReferences
68 */
69 public function testInvalidEntities() {
70 $this->assertEquals(
71 '&foo;',
72 Sanitizer::decodeCharReferences( '&foo;' ),
73 'Invalid named entity'
74 );
75 }
76
77 /**
78 * @covers Sanitizer::decodeCharReferences
79 */
80 public function testInvalidNumberedEntities() {
81 $this->assertEquals(
82 UTF8_REPLACEMENT,
83 Sanitizer::decodeCharReferences( "&#88888888888888;" ),
84 'Invalid numbered entity'
85 );
86 }
87
88 /**
89 * @covers Sanitizer::removeHTMLtags
90 * @dataProvider provideHtml5Tags
91 *
92 * @param string $tag Name of an HTML5 element (ie: 'video')
93 * @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
94 */
95 public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
96 $this->setMwGlobals( array(
97 'wgUseTidy' => false
98 ) );
99
100 if ( $escaped ) {
101 $this->assertEquals( "&lt;$tag&gt;",
102 Sanitizer::removeHTMLtags( "<$tag>" )
103 );
104 } else {
105 $this->assertEquals( "<$tag></$tag>\n",
106 Sanitizer::removeHTMLtags( "<$tag>" )
107 );
108 }
109 }
110
111 /**
112 * Provide HTML5 tags
113 */
114 public static function provideHtml5Tags() {
115 $ESCAPED = true; # We want tag to be escaped
116 $VERBATIM = false; # We want to keep the tag
117 return array(
118 array( 'data', $VERBATIM ),
119 array( 'mark', $VERBATIM ),
120 array( 'time', $VERBATIM ),
121 array( 'video', $ESCAPED ),
122 );
123 }
124
125 function dataRemoveHTMLtags() {
126 return array(
127 // former testSelfClosingTag
128 array(
129 '<div>Hello world</div />',
130 '<div>Hello world</div>',
131 'Self-closing closing div'
132 ),
133 // Make sure special nested HTML5 semantics are not broken
134 // http://www.whatwg.org/html/text-level-semantics.html#the-kbd-element
135 array(
136 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
137 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
138 'Nested <kbd>.'
139 ),
140 // http://www.whatwg.org/html/text-level-semantics.html#the-sub-and-sup-elements
141 array(
142 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
143 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
144 'Nested <var>.'
145 ),
146 // http://www.whatwg.org/html/text-level-semantics.html#the-dfn-element
147 array(
148 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
149 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
150 '<abbr> inside <dfn>',
151 ),
152 );
153 }
154
155 /**
156 * @dataProvider dataRemoveHTMLtags
157 * @covers Sanitizer::removeHTMLtags
158 */
159 public function testRemoveHTMLtags( $input, $output, $msg = null ) {
160 $GLOBALS['wgUseTidy'] = false;
161 $this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
162 }
163
164 /**
165 * @dataProvider provideTagAttributesToDecode
166 * @covers Sanitizer::decodeTagAttributes
167 */
168 public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
169 $this->assertEquals( $expected,
170 Sanitizer::decodeTagAttributes( $attributes ),
171 $message
172 );
173 }
174
175 public static function provideTagAttributesToDecode() {
176 return array(
177 array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
178 array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
179 array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
180 array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
181 array(
182 array( 'foo' => 'bar', 'baz' => 'foo' ),
183 'foo=\'bar\' baz="foo"',
184 'Several attributes'
185 ),
186 array(
187 array( 'foo' => 'bar', 'baz' => 'foo' ),
188 'foo=\'bar\' baz="foo"',
189 'Several attributes'
190 ),
191 array(
192 array( 'foo' => 'bar', 'baz' => 'foo' ),
193 'foo=\'bar\' baz="foo"',
194 'Several attributes'
195 ),
196 array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
197 array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
198 array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
199 array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
200
201 # Invalid beginning
202 array( array(), '-foo=bar', 'Leading - is forbidden' ),
203 array( array(), '.foo=bar', 'Leading . is forbidden' ),
204 array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
205 array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
206 array( array( 'foo.bar' => 'baz' ), 'foo.bar=baz', 'A . is allowed inside the attribute' ),
207 array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
208 array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
209
210 # This bit is more relaxed than XML rules, but some extensions use
211 # it, like ProofreadPage (see bug 27539)
212 array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
213 array( array(), 'foo$=baz', 'Symbols are not allowed' ),
214 array( array(), 'foo@=baz', 'Symbols are not allowed' ),
215 array( array(), 'foo~=baz', 'Symbols are not allowed' ),
216 array(
217 array( 'foo' => '1[#^`*%w/(' ),
218 'foo=1[#^`*%w/(',
219 'All kind of characters are allowed as values'
220 ),
221 array(
222 array( 'foo' => '1[#^`*%\'w/(' ),
223 'foo="1[#^`*%\'w/("',
224 'Double quotes are allowed if quoted by single quotes'
225 ),
226 array(
227 array( 'foo' => '1[#^`*%"w/(' ),
228 'foo=\'1[#^`*%"w/(\'',
229 'Single quotes are allowed if quoted by double quotes'
230 ),
231 array( array( 'foo' => '&"' ), 'foo=&amp;&quot;', 'Special chars can be provided as entities' ),
232 array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
233 );
234 }
235
236 /**
237 * @dataProvider provideDeprecatedAttributes
238 * @covers Sanitizer::fixTagAttributes
239 */
240 public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
241 $this->assertEquals( " $inputAttr",
242 Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
243 $message
244 );
245 }
246
247 public static function provideDeprecatedAttributes() {
248 /** array( <attribute>, <element>, [message] ) */
249 return array(
250 array( 'clear="left"', 'br' ),
251 array( 'clear="all"', 'br' ),
252 array( 'width="100"', 'td' ),
253 array( 'nowrap="true"', 'td' ),
254 array( 'nowrap=""', 'td' ),
255 array( 'align="right"', 'td' ),
256 array( 'align="center"', 'table' ),
257 array( 'align="left"', 'tr' ),
258 array( 'align="center"', 'div' ),
259 array( 'align="left"', 'h1' ),
260 array( 'align="left"', 'p' ),
261 );
262 }
263
264 /**
265 * @dataProvider provideCssCommentsFixtures
266 * @covers Sanitizer::checkCss
267 */
268 public function testCssCommentsChecking( $expected, $css, $message = '' ) {
269 $this->assertEquals( $expected,
270 Sanitizer::checkCss( $css ),
271 $message
272 );
273 }
274
275 public static function provideCssCommentsFixtures() {
276 /** array( <expected>, <css>, [message] ) */
277 return array(
278 // Valid comments spanning entire input
279 array( '/**/', '/**/' ),
280 array( '/* comment */', '/* comment */' ),
281 // Weird stuff
282 array( ' ', '/****/' ),
283 array( ' ', '/* /* */' ),
284 array( 'display: block;', "display:/* foo */block;" ),
285 array( 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
286 'Backslash-escaped comments must be stripped (bug 28450)' ),
287 array( '', '/* unfinished comment structure',
288 'Remove anything after a comment-start token' ),
289 array( '', "\\2f\\2a unifinished comment'",
290 'Remove anything after a backslash-escaped comment-start token' ),
291 array(
292 '/* insecure input */',
293 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader'
294 . '(src=\'asdf.png\',sizingMethod=\'scale\');'
295 ),
296 array(
297 '/* insecure input */',
298 '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader'
299 . '(src=\'asdf.png\',sizingMethod=\'scale\')";'
300 ),
301 array( '/* insecure input */', 'width: expression(1+1);' ),
302 array( '/* insecure input */', 'background-image: image(asdf.png);' ),
303 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ),
304 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);' ),
305 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
306 array(
307 '/* insecure input */',
308 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'
309 ),
310 array(
311 '/* insecure input */',
312 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
313 ),
314 );
315 }
316
317 /**
318 * Test for support or lack of support for specific attributes in the attribute whitelist.
319 */
320 public static function provideAttributeSupport() {
321 /** array( <attributes>, <expected>, <message> ) */
322 return array(
323 array(
324 'div',
325 ' role="presentation"',
326 ' role="presentation"',
327 'Support for WAI-ARIA\'s role="presentation".'
328 ),
329 array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
330 );
331 }
332
333 /**
334 * @dataProvider provideAttributeSupport
335 * @covers Sanitizer::fixTagAttributes
336 */
337 public function testAttributeSupport( $tag, $attributes, $expected, $message ) {
338 $this->assertEquals( $expected,
339 Sanitizer::fixTagAttributes( $attributes, $tag ),
340 $message
341 );
342 }
343 }
MediaWiki Core