dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge "(bug 37755) Set robot meta tags for 'view source' pages"
[lhc/web/wiklou.git] / tests / phpunit / includes / SanitizerTest.php
1 <?php
2
3 class SanitizerTest extends MediaWikiTestCase {
4
5 protected function setUp() {
6 parent::setUp();
7
8 AutoLoader::loadClass( 'Sanitizer' );
9 }
10
11 function testDecodeNamedEntities() {
12 $this->assertEquals(
13 "\xc3\xa9cole",
14 Sanitizer::decodeCharReferences( '&eacute;cole' ),
15 'decode named entities'
16 );
17 }
18
19 function testDecodeNumericEntities() {
20 $this->assertEquals(
21 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
22 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&#233;cole!" ),
23 'decode numeric entities'
24 );
25 }
26
27 function testDecodeMixedEntities() {
28 $this->assertEquals(
29 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
30 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&eacute;cole!" ),
31 'decode mixed numeric/named entities'
32 );
33 }
34
35 function testDecodeMixedComplexEntities() {
36 $this->assertEquals(
37 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas &#x108;io dans l'&eacute;cole)",
38 Sanitizer::decodeCharReferences(
39 "&#x108;io bonas dans l'&eacute;cole! (mais pas &amp;#x108;io dans l'&#38;eacute;cole)"
40 ),
41 'decode mixed complex entities'
42 );
43 }
44
45 function testInvalidAmpersand() {
46 $this->assertEquals(
47 'a & b',
48 Sanitizer::decodeCharReferences( 'a & b' ),
49 'Invalid ampersand'
50 );
51 }
52
53 function testInvalidEntities() {
54 $this->assertEquals(
55 '&foo;',
56 Sanitizer::decodeCharReferences( '&foo;' ),
57 'Invalid named entity'
58 );
59 }
60
61 function testInvalidNumberedEntities() {
62 $this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "&#88888888888888;" ), 'Invalid numbered entity' );
63 }
64
65 /**
66 * @cover Sanitizer::removeHTMLtags
67 * @dataProvider provideHtml5Tags
68 *
69 * @param String $tag Name of an HTML5 element (ie: 'video')
70 * @param Boolean $escaped Wheter sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
71 */
72 function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
73 global $wgHtml5;
74
75 # Enable HTML5 mode
76 $save = $wgHtml5;
77 $wgHtml5 = true;
78
79 if( $escaped ) {
80 $this->assertEquals( "&lt;$tag&gt;",
81 Sanitizer::removeHTMLtags( "<$tag>" )
82 );
83 } else {
84 $this->assertEquals( "<$tag></$tag>\n",
85 Sanitizer::removeHTMLtags( "<$tag>" )
86 );
87 }
88 $wgHtml5 = $save;
89 }
90
91 /**
92 * Provide HTML5 tags
93 */
94 function provideHtml5Tags() {
95 $ESCAPED = true; # We want tag to be escaped
96 $VERBATIM = false; # We want to keep the tag
97 return array(
98 array( 'data', $VERBATIM ),
99 array( 'mark', $VERBATIM ),
100 array( 'time', $VERBATIM ),
101 array( 'video', $ESCAPED ),
102 );
103 }
104
105 function testSelfClosingTag() {
106 $GLOBALS['wgUseTidy'] = false;
107 $this->assertEquals(
108 '<div>Hello world</div>',
109 Sanitizer::removeHTMLtags( '<div>Hello world</div />' ),
110 'Self-closing closing div'
111 );
112 }
113
114 function testDecodeTagAttributes() {
115 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=bar' ), array( 'foo' => 'bar' ), 'Unquoted attribute' );
116 $this->assertEquals( Sanitizer::decodeTagAttributes( ' foo = bar ' ), array( 'foo' => 'bar' ), 'Spaced attribute' );
117 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="bar"' ), array( 'foo' => 'bar' ), 'Double-quoted attribute' );
118 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Single-quoted attribute' );
119 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
120
121 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
122 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
123
124 $this->assertEquals( Sanitizer::decodeTagAttributes( ':foo=\'bar\'' ), array( ':foo' => 'bar' ), 'Leading :' );
125 $this->assertEquals( Sanitizer::decodeTagAttributes( '_foo=\'bar\'' ), array( '_foo' => 'bar' ), 'Leading _' );
126 $this->assertEquals( Sanitizer::decodeTagAttributes( 'Foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Leading capital' );
127 $this->assertEquals( Sanitizer::decodeTagAttributes( 'FOO=BAR' ), array( 'foo' => 'BAR' ), 'Attribute keys are normalized to lowercase' );
128
129 # Invalid beginning
130 $this->assertEquals( Sanitizer::decodeTagAttributes( '-foo=bar' ), array(), 'Leading - is forbidden' );
131 $this->assertEquals( Sanitizer::decodeTagAttributes( '.foo=bar' ), array(), 'Leading . is forbidden' );
132 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-bar=bar' ), array( 'foo-bar' => 'bar' ), 'A - is allowed inside the attribute' );
133 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-=bar' ), array( 'foo-' => 'bar' ), 'A - is allowed inside the attribute' );
134
135 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.bar=baz' ), array( 'foo.bar' => 'baz' ), 'A . is allowed inside the attribute' );
136 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.=baz' ), array( 'foo.' => 'baz' ), 'A . is allowed as last character' );
137
138 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo6=baz' ), array( 'foo6' => 'baz' ), 'Numbers are allowed' );
139
140 # This bit is more relaxed than XML rules, but some extensions use it, like ProofreadPage (see bug 27539)
141 $this->assertEquals( Sanitizer::decodeTagAttributes( '1foo=baz' ), array( '1foo' => 'baz' ), 'Leading numbers are allowed' );
142
143 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo$=baz' ), array(), 'Symbols are not allowed' );
144 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo@=baz' ), array(), 'Symbols are not allowed' );
145 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo~=baz' ), array(), 'Symbols are not allowed' );
146
147
148 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=1[#^`*%w/(' ), array( 'foo' => '1[#^`*%w/(' ), 'All kind of characters are allowed as values' );
149 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="1[#^`*%\'w/("' ), array( 'foo' => '1[#^`*%\'w/(' ), 'Double quotes are allowed if quoted by single quotes' );
150 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'1[#^`*%"w/(\'' ), array( 'foo' => '1[#^`*%"w/(' ), 'Single quotes are allowed if quoted by double quotes' );
151 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&amp;&quot;' ), array( 'foo' => '&"' ), 'Special chars can be provided as entities' );
152 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&foobar;' ), array( 'foo' => '&foobar;' ), 'Entity-like items are accepted' );
153 }
154
155 /**
156 * @dataProvider provideDeprecatedAttributes
157 */
158 function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl ) {
159
160 $this->assertEquals( " $inputAttr", Sanitizer::fixTagAttributes( $inputAttr, $inputEl ) );
161 }
162
163 public static function provideDeprecatedAttributes() {
164 return array(
165 array( 'clear="left"', 'br' ),
166 array( 'clear="all"', 'br' ),
167 array( 'width="100"', 'td' ),
168 array( 'nowrap="true"', 'td' ),
169 array( 'nowrap=""', 'td' ),
170 array( 'align="right"', 'td' ),
171 array( 'align="center"', 'table' ),
172 array( 'align="left"', 'tr' ),
173 array( 'align="center"', 'div' ),
174 array( 'align="left"', 'h1' ),
175 array( 'align="left"', 'span' ),
176 );
177 }
178
179 /**
180 * @dataProvider provideCssCommentsFixtures
181 */
182 function testCssCommentsChecking( $expected, $css, $message = '' ) {
183 $this->assertEquals(
184 $expected,
185 Sanitizer::checkCss( $css ),
186 $message
187 );
188 }
189
190 public static function provideCssCommentsFixtures() {
191 /** array( <expected>, <css>, [message] ) */
192 return array(
193 array( ' ', '/**/' ),
194 array( ' ', '/****/' ),
195 array( ' ', '/* comment */' ),
196 array( ' ', "\\2f\\2a foo \\2a\\2f",
197 'Backslash-escaped comments must be stripped (bug 28450)' ),
198 array( '', '/* unfinished comment structure',
199 'Remove anything after a comment-start token' ),
200 array( '', "\\2f\\2a unifinished comment'",
201 'Remove anything after a backslash-escaped comment-start token' ),
202 array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');'),
203 array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";'),
204 array( '/* insecure input */', 'width: expression(1+1);'),
205 array( '/* insecure input */', 'background-image: image(asdf.png);'),
206 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);'),
207 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);'),
208 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);'),
209 array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'),
210 array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'),
211 );
212 }
213 }
214
Wiklou, le Wiki du Wiklou