3 class SanitizerTest
extends MediaWikiTestCase
{
5 protected function setUp() {
8 $this->setMwGlobals( 'wgCleanupPresentationalAttributes', true );
10 AutoLoader
::loadClass( 'Sanitizer' );
13 function testDecodeNamedEntities() {
16 Sanitizer
::decodeCharReferences( 'école' ),
17 'decode named entities'
21 function testDecodeNumericEntities() {
23 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
24 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
25 'decode numeric entities'
29 function testDecodeMixedEntities() {
31 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
32 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
33 'decode mixed numeric/named entities'
37 function testDecodeMixedComplexEntities() {
39 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)",
40 Sanitizer
::decodeCharReferences(
41 "Ĉio bonas dans l'école! (mais pas Ĉio dans l'école)"
43 'decode mixed complex entities'
47 function testInvalidAmpersand() {
50 Sanitizer
::decodeCharReferences( 'a & b' ),
55 function testInvalidEntities() {
58 Sanitizer
::decodeCharReferences( '&foo;' ),
59 'Invalid named entity'
63 function testInvalidNumberedEntities() {
64 $this->assertEquals( UTF8_REPLACEMENT
, Sanitizer
::decodeCharReferences( "�" ), 'Invalid numbered entity' );
67 function testSelfClosingTag() {
68 $GLOBALS['wgUseTidy'] = false;
70 '<div>Hello world</div>',
71 Sanitizer
::removeHTMLtags( '<div>Hello world</div />' ),
72 'Self-closing closing div'
76 function testDecodeTagAttributes() {
77 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=bar' ), array( 'foo' => 'bar' ), 'Unquoted attribute' );
78 $this->assertEquals( Sanitizer
::decodeTagAttributes( ' foo = bar ' ), array( 'foo' => 'bar' ), 'Spaced attribute' );
79 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo="bar"' ), array( 'foo' => 'bar' ), 'Double-quoted attribute' );
80 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Single-quoted attribute' );
81 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
83 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
84 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
86 $this->assertEquals( Sanitizer
::decodeTagAttributes( ':foo=\'bar\'' ), array( ':foo' => 'bar' ), 'Leading :' );
87 $this->assertEquals( Sanitizer
::decodeTagAttributes( '_foo=\'bar\'' ), array( '_foo' => 'bar' ), 'Leading _' );
88 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'Foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Leading capital' );
89 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'FOO=BAR' ), array( 'foo' => 'BAR' ), 'Attribute keys are normalized to lowercase' );
92 $this->assertEquals( Sanitizer
::decodeTagAttributes( '-foo=bar' ), array(), 'Leading - is forbidden' );
93 $this->assertEquals( Sanitizer
::decodeTagAttributes( '.foo=bar' ), array(), 'Leading . is forbidden' );
94 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo-bar=bar' ), array( 'foo-bar' => 'bar' ), 'A - is allowed inside the attribute' );
95 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo-=bar' ), array( 'foo-' => 'bar' ), 'A - is allowed inside the attribute' );
97 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo.bar=baz' ), array( 'foo.bar' => 'baz' ), 'A . is allowed inside the attribute' );
98 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo.=baz' ), array( 'foo.' => 'baz' ), 'A . is allowed as last character' );
100 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo6=baz' ), array( 'foo6' => 'baz' ), 'Numbers are allowed' );
102 # This bit is more relaxed than XML rules, but some extensions use it, like ProofreadPage (see bug 27539)
103 $this->assertEquals( Sanitizer
::decodeTagAttributes( '1foo=baz' ), array( '1foo' => 'baz' ), 'Leading numbers are allowed' );
105 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo$=baz' ), array(), 'Symbols are not allowed' );
106 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo@=baz' ), array(), 'Symbols are not allowed' );
107 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo~=baz' ), array(), 'Symbols are not allowed' );
110 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=1[#^`*%w/(' ), array( 'foo' => '1[#^`*%w/(' ), 'All kind of characters are allowed as values' );
111 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo="1[#^`*%\'w/("' ), array( 'foo' => '1[#^`*%\'w/(' ), 'Double quotes are allowed if quoted by single quotes' );
112 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=\'1[#^`*%"w/(\'' ), array( 'foo' => '1[#^`*%"w/(' ), 'Single quotes are allowed if quoted by double quotes' );
113 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=&"' ), array( 'foo' => '&"' ), 'Special chars can be provided as entities' );
114 $this->assertEquals( Sanitizer
::decodeTagAttributes( 'foo=&foobar;' ), array( 'foo' => '&foobar;' ), 'Entity-like items are accepted' );
118 * @dataProvider provideDeprecatedAttributes
120 function testDeprecatedAttributes( $input, $tag, $expected, $message = null ) {
121 $this->assertEquals( $expected, Sanitizer
::fixTagAttributes( $input, $tag ), $message );
124 function testDeprecatedAttributesDisabled() {
125 global $wgCleanupPresentationalAttributes;
127 $wgCleanupPresentationalAttributes = false;
129 $this->assertEquals( ' clear="left"', Sanitizer
::fixTagAttributes( 'clear="left"', 'br' ), 'Deprecated attributes are not converted to styles when enabled.' );
132 public static function provideDeprecatedAttributes() {
134 array( 'clear="left"', 'br', ' style="clear: left;"', 'Deprecated attributes are converted to styles when enabled.' ),
135 array( 'clear="all"', 'br', ' style="clear: both;"', 'clear=all is converted to clear: both; not clear: all;' ),
136 array( 'CLEAR="ALL"', 'br', ' style="clear: both;"', 'clear=ALL is not treated differently from clear=all' ),
137 array( 'width="100"', 'td', ' style="width: 100px;"', 'Numeric sizes use pixels instead of numbers.' ),
138 array( 'width="100%"', 'td', ' style="width: 100%;"', 'Units are allowed in sizes.' ),
139 array( 'WIDTH="100%"', 'td', ' style="width: 100%;"', 'Uppercase WIDTH is treated as lowercase width.' ),
140 array( 'WiDTh="100%"', 'td', ' style="width: 100%;"', 'Mixed case does not break WiDTh.' ),
141 array( 'nowrap="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute is output as white-space: nowrap; not something else.' ),
142 array( 'nowrap=""', 'td', ' style="white-space: nowrap;"', 'nowrap="" is considered true, not false' ),
143 array( 'NOWRAP="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when uppercase.' ),
144 array( 'NoWrAp="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when mixed-case.' ),
145 array( 'align="right"', 'td', ' style="text-align: right;"' , 'align on table cells gets converted to text-align' ),
146 array( 'align="center"', 'td', ' style="text-align: center;"' , 'align on table cells gets converted to text-align' ),
147 array( 'align="left"' , 'div', ' style="text-align: left;"' , 'align=(left|right) on div elements gets converted to text-align' ),
148 array( 'align="center"', 'div', ' style="text-align: center;"', 'align="center" on div elements gets converted to text-align' ),
149 array( 'align="left"' , 'p', ' style="text-align: left;"' , 'align on p elements gets converted to text-align' ),
150 array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ),
151 array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ),
152 array( 'align="left"' , 'caption',' style="text-align: left;"','align on caption elements gets converted to text-align' ),
153 array( 'align="left"' , 'tfoot',' style="text-align: left;"' , 'align on tfoot elements gets converted to text-align' ),
154 array( 'align="left"' , 'tbody',' style="text-align: left;"' , 'align on tbody elements gets converted to text-align' ),
157 array( 'align="right"' , 'tr', ' style="text-align: right;"' , 'align on table row get converted to text-align' ),
158 array( 'align="center"', 'tr', ' style="text-align: center;"', 'align on table row get converted to text-align' ),
159 array( 'align="left"' , 'tr', ' style="text-align: left;"' , 'align on table row get converted to text-align' ),
162 array( 'align="left"' , 'table', ' style="float: left;"' , 'align on table converted to float' ),
163 array( 'align="center"', 'table', ' style="margin-left: auto; margin-right: auto;"', 'align center on table converted to margins' ),
164 array( 'align="right"' , 'table', ' style="float: right;"' , 'align on table converted to float' ),
169 * @dataProvider provideCssCommentsFixtures
171 function testCssCommentsChecking( $expected, $css, $message = '' ) {
174 Sanitizer
::checkCss( $css ),
179 public static function provideCssCommentsFixtures() {
180 /** array( <expected>, <css>, [message] ) */
182 array( ' ', '/**/' ),
183 array( ' ', '/****/' ),
184 array( ' ', '/* comment */' ),
185 array( ' ', "\\2f\\2a foo \\2a\\2f",
186 'Backslash-escaped comments must be stripped (bug 28450)' ),
187 array( '', '/* unfinished comment structure',
188 'Remove anything after a comment-start token' ),
189 array( '', "\\2f\\2a unifinished comment'",
190 'Remove anything after a backslash-escaped comment-start token' ),
191 array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');'),
192 array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";'),
193 array( '/* insecure input */', 'width: expression(1+1);'),
194 array( '/* insecure input */', 'background-image: image(asdf.png);'),
195 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);'),
196 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);'),