protected function setUp() {
parent::setUp();
- $this->setMwGlobals( 'wgCleanupPresentationalAttributes', true );
-
AutoLoader::loadClass( 'Sanitizer' );
}
$this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "�" ), 'Invalid numbered entity' );
}
+ /**
+ * @cover Sanitizer::removeHTMLtags
+ * @dataProvider provideHtml5Tags
+ *
+ * @param String $tag Name of an HTML5 element (ie: 'video')
+ * @param Boolean $escaped Wheter sanitizer let the tag in or escape it (ie: '<video>')
+ */
+ function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
+ $this->setMwGlobals( array(
+ # Enable HTML5 mode
+ 'wgHtml5' => true,
+ 'wgUseTidy' => false
+ ));
+
+ if( $escaped ) {
+ $this->assertEquals( "<$tag>",
+ Sanitizer::removeHTMLtags( "<$tag>" )
+ );
+ } else {
+ $this->assertEquals( "<$tag></$tag>\n",
+ Sanitizer::removeHTMLtags( "<$tag>" )
+ );
+ }
+ }
+
+ /**
+ * Provide HTML5 tags
+ */
+ function provideHtml5Tags() {
+ $ESCAPED = true; # We want tag to be escaped
+ $VERBATIM = false; # We want to keep the tag
+ return array(
+ array( 'data', $VERBATIM ),
+ array( 'mark', $VERBATIM ),
+ array( 'time', $VERBATIM ),
+ array( 'video', $ESCAPED ),
+ );
+ }
+
function testSelfClosingTag() {
- $GLOBALS['wgUseTidy'] = false;
+ $this->setMwGlobals( array(
+ 'wgUseTidy' => false
+ ));
+
$this->assertEquals(
'<div>Hello world</div>',
Sanitizer::removeHTMLtags( '<div>Hello world</div />' ),
'Self-closing closing div'
);
}
-
- function testDecodeTagAttributes() {
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=bar' ), array( 'foo' => 'bar' ), 'Unquoted attribute' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( ' foo = bar ' ), array( 'foo' => 'bar' ), 'Spaced attribute' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="bar"' ), array( 'foo' => 'bar' ), 'Double-quoted attribute' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Single-quoted attribute' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
-
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
-
- $this->assertEquals( Sanitizer::decodeTagAttributes( ':foo=\'bar\'' ), array( ':foo' => 'bar' ), 'Leading :' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( '_foo=\'bar\'' ), array( '_foo' => 'bar' ), 'Leading _' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'Foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Leading capital' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'FOO=BAR' ), array( 'foo' => 'BAR' ), 'Attribute keys are normalized to lowercase' );
-
- # Invalid beginning
- $this->assertEquals( Sanitizer::decodeTagAttributes( '-foo=bar' ), array(), 'Leading - is forbidden' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( '.foo=bar' ), array(), 'Leading . is forbidden' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-bar=bar' ), array( 'foo-bar' => 'bar' ), 'A - is allowed inside the attribute' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-=bar' ), array( 'foo-' => 'bar' ), 'A - is allowed inside the attribute' );
-
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.bar=baz' ), array( 'foo.bar' => 'baz' ), 'A . is allowed inside the attribute' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.=baz' ), array( 'foo.' => 'baz' ), 'A . is allowed as last character' );
-
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo6=baz' ), array( 'foo6' => 'baz' ), 'Numbers are allowed' );
-
- # This bit is more relaxed than XML rules, but some extensions use it, like ProofreadPage (see bug 27539)
- $this->assertEquals( Sanitizer::decodeTagAttributes( '1foo=baz' ), array( '1foo' => 'baz' ), 'Leading numbers are allowed' );
-
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo$=baz' ), array(), 'Symbols are not allowed' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo@=baz' ), array(), 'Symbols are not allowed' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo~=baz' ), array(), 'Symbols are not allowed' );
-
-
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=1[#^`*%w/(' ), array( 'foo' => '1[#^`*%w/(' ), 'All kind of characters are allowed as values' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="1[#^`*%\'w/("' ), array( 'foo' => '1[#^`*%\'w/(' ), 'Double quotes are allowed if quoted by single quotes' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'1[#^`*%"w/(\'' ), array( 'foo' => '1[#^`*%"w/(' ), 'Single quotes are allowed if quoted by double quotes' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&"' ), array( 'foo' => '&"' ), 'Special chars can be provided as entities' );
- $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&foobar;' ), array( 'foo' => '&foobar;' ), 'Entity-like items are accepted' );
- }
+
/**
- * @dataProvider provideDeprecatedAttributes
+ * @dataProvider provideTagAttributesToDecode
+ * @cover Sanitizer::decodeTagAttributes
*/
- function testDeprecatedAttributes( $input, $tag, $expected, $message = null ) {
- $this->assertEquals( $expected, Sanitizer::fixTagAttributes( $input, $tag ), $message );
+ function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
+ $this->assertEquals( $expected,
+ Sanitizer::decodeTagAttributes( $attributes ),
+ $message
+ );
}
- function testDeprecatedAttributesDisabled() {
- global $wgCleanupPresentationalAttributes;
-
- $wgCleanupPresentationalAttributes = false;
+ function provideTagAttributesToDecode() {
+ return array(
+ array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
+ array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
+ array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
+ array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
+ array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
+ array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
+ array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
+ array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
+ array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
+ array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
+ array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
+
+ # Invalid beginning
+ array( array(), '-foo=bar', 'Leading - is forbidden' ),
+ array( array(), '.foo=bar', 'Leading . is forbidden' ),
+ array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
+ array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
+ array( array( 'foo.bar' => 'baz' ), 'foo.bar=baz', 'A . is allowed inside the attribute' ),
+ array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
+ array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
+
+
+ # This bit is more relaxed than XML rules, but some extensions use
+ # it, like ProofreadPage (see bug 27539)
+ array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
+ array( array(), 'foo$=baz', 'Symbols are not allowed' ),
+ array( array(), 'foo@=baz', 'Symbols are not allowed' ),
+ array( array(), 'foo~=baz', 'Symbols are not allowed' ),
+ array( array( 'foo' => '1[#^`*%w/(' ), 'foo=1[#^`*%w/(', 'All kind of characters are allowed as values' ),
+ array( array( 'foo' => '1[#^`*%\'w/(' ), 'foo="1[#^`*%\'w/("', 'Double quotes are allowed if quoted by single quotes' ),
+ array( array( 'foo' => '1[#^`*%"w/(' ), 'foo=\'1[#^`*%"w/(\'', 'Single quotes are allowed if quoted by double quotes' ),
+ array( array( 'foo' => '&"' ), 'foo=&"', 'Special chars can be provided as entities' ),
+ array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
+ );
+ }
- $this->assertEquals( ' clear="left"', Sanitizer::fixTagAttributes( 'clear="left"', 'br' ), 'Deprecated attributes are not converted to styles when enabled.' );
+ /**
+ * @dataProvider provideDeprecatedAttributes
+ * @cover Sanitizer::fixTagAttributes
+ */
+ function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
+ $this->assertEquals( " $inputAttr",
+ Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
+ $message
+ );
}
public static function provideDeprecatedAttributes() {
+ /** array( <attribute>, <element>, [message] ) */
return array(
- array( 'clear="left"', 'br', ' style="clear: left;"', 'Deprecated attributes are converted to styles when enabled.' ),
- array( 'clear="all"', 'br', ' style="clear: both;"', 'clear=all is converted to clear: both; not clear: all;' ),
- array( 'CLEAR="ALL"', 'br', ' style="clear: both;"', 'clear=ALL is not treated differently from clear=all' ),
- array( 'width="100"', 'td', ' style="width: 100px;"', 'Numeric sizes use pixels instead of numbers.' ),
- array( 'width="100%"', 'td', ' style="width: 100%;"', 'Units are allowed in sizes.' ),
- array( 'WIDTH="100%"', 'td', ' style="width: 100%;"', 'Uppercase WIDTH is treated as lowercase width.' ),
- array( 'WiDTh="100%"', 'td', ' style="width: 100%;"', 'Mixed case does not break WiDTh.' ),
- array( 'nowrap="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute is output as white-space: nowrap; not something else.' ),
- array( 'nowrap=""', 'td', ' style="white-space: nowrap;"', 'nowrap="" is considered true, not false' ),
- array( 'NOWRAP="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when uppercase.' ),
- array( 'NoWrAp="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when mixed-case.' ),
- array( 'align="right"', 'td', ' style="text-align: right;"' , 'align on table cells gets converted to text-align' ),
- array( 'align="center"', 'td', ' style="text-align: center;"' , 'align on table cells gets converted to text-align' ),
- array( 'align="left"' , 'div', ' style="text-align: left;"' , 'align=(left|right) on div elements gets converted to text-align' ),
- array( 'align="center"', 'div', ' style="text-align: center;"', 'align="center" on div elements gets converted to text-align' ),
- array( 'align="left"' , 'p', ' style="text-align: left;"' , 'align on p elements gets converted to text-align' ),
- array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ),
- array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ),
- array( 'align="left"' , 'caption',' style="text-align: left;"','align on caption elements gets converted to text-align' ),
- array( 'align="left"' , 'tfoot',' style="text-align: left;"' , 'align on tfoot elements gets converted to text-align' ),
- array( 'align="left"' , 'tbody',' style="text-align: left;"' , 'align on tbody elements gets converted to text-align' ),
-
- # <tr>
- array( 'align="right"' , 'tr', ' style="text-align: right;"' , 'align on table row get converted to text-align' ),
- array( 'align="center"', 'tr', ' style="text-align: center;"', 'align on table row get converted to text-align' ),
- array( 'align="left"' , 'tr', ' style="text-align: left;"' , 'align on table row get converted to text-align' ),
-
- #table
- array( 'align="left"' , 'table', ' style="float: left;"' , 'align on table converted to float' ),
- array( 'align="center"', 'table', ' style="margin-left: auto; margin-right: auto;"', 'align center on table converted to margins' ),
- array( 'align="right"' , 'table', ' style="float: right;"' , 'align on table converted to float' ),
+ array( 'clear="left"', 'br' ),
+ array( 'clear="all"', 'br' ),
+ array( 'width="100"', 'td' ),
+ array( 'nowrap="true"', 'td' ),
+ array( 'nowrap=""', 'td' ),
+ array( 'align="right"', 'td' ),
+ array( 'align="center"', 'table' ),
+ array( 'align="left"', 'tr' ),
+ array( 'align="center"', 'div' ),
+ array( 'align="left"', 'h1' ),
+ array( 'align="left"', 'span' ),
);
}
/**
* @dataProvider provideCssCommentsFixtures
+ * @cover Sanitizer::checkCss
*/
function testCssCommentsChecking( $expected, $css, $message = '' ) {
- $this->assertEquals(
- $expected,
+ $this->assertEquals( $expected,
Sanitizer::checkCss( $css ),
$message
);