dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
Merge "Use User::groupHasPermission"
[lhc/web/wiklou.git] / tests / phpunit / includes / SanitizerTest.php
1 <?php
2
3 class SanitizerTest extends MediaWikiTestCase {
4
5 protected function setUp() {
6 parent::setUp();
7
8 AutoLoader::loadClass( 'Sanitizer' );
9 }
10
11 function testDecodeNamedEntities() {
12 $this->assertEquals(
13 "\xc3\xa9cole",
14 Sanitizer::decodeCharReferences( '&eacute;cole' ),
15 'decode named entities'
16 );
17 }
18
19 function testDecodeNumericEntities() {
20 $this->assertEquals(
21 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
22 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&#233;cole!" ),
23 'decode numeric entities'
24 );
25 }
26
27 function testDecodeMixedEntities() {
28 $this->assertEquals(
29 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
30 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&eacute;cole!" ),
31 'decode mixed numeric/named entities'
32 );
33 }
34
35 function testDecodeMixedComplexEntities() {
36 $this->assertEquals(
37 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas &#x108;io dans l'&eacute;cole)",
38 Sanitizer::decodeCharReferences(
39 "&#x108;io bonas dans l'&eacute;cole! (mais pas &amp;#x108;io dans l'&#38;eacute;cole)"
40 ),
41 'decode mixed complex entities'
42 );
43 }
44
45 function testInvalidAmpersand() {
46 $this->assertEquals(
47 'a & b',
48 Sanitizer::decodeCharReferences( 'a & b' ),
49 'Invalid ampersand'
50 );
51 }
52
53 function testInvalidEntities() {
54 $this->assertEquals(
55 '&foo;',
56 Sanitizer::decodeCharReferences( '&foo;' ),
57 'Invalid named entity'
58 );
59 }
60
61 function testInvalidNumberedEntities() {
62 $this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "&#88888888888888;" ), 'Invalid numbered entity' );
63 }
64
65 /**
66 * @covers Sanitizer::removeHTMLtags
67 * @dataProvider provideHtml5Tags
68 *
69 * @param String $tag Name of an HTML5 element (ie: 'video')
70 * @param Boolean $escaped Wheter sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
71 */
72 function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
73 $this->setMwGlobals( array(
74 # Enable HTML5 mode
75 'wgHtml5' => true,
76 'wgUseTidy' => false
77 ) );
78
79 if ( $escaped ) {
80 $this->assertEquals( "&lt;$tag&gt;",
81 Sanitizer::removeHTMLtags( "<$tag>" )
82 );
83 } else {
84 $this->assertEquals( "<$tag></$tag>\n",
85 Sanitizer::removeHTMLtags( "<$tag>" )
86 );
87 }
88 }
89
90 /**
91 * Provide HTML5 tags
92 */
93 function provideHtml5Tags() {
94 $ESCAPED = true; # We want tag to be escaped
95 $VERBATIM = false; # We want to keep the tag
96 return array(
97 array( 'data', $VERBATIM ),
98 array( 'mark', $VERBATIM ),
99 array( 'time', $VERBATIM ),
100 array( 'video', $ESCAPED ),
101 );
102 }
103
104 function testSelfClosingTag() {
105 $this->setMwGlobals( array(
106 'wgUseTidy' => false
107 ) );
108
109 $this->assertEquals(
110 '<div>Hello world</div>',
111 Sanitizer::removeHTMLtags( '<div>Hello world</div />' ),
112 'Self-closing closing div'
113 );
114 }
115
116
117 /**
118 * @dataProvider provideTagAttributesToDecode
119 * @covers Sanitizer::decodeTagAttributes
120 */
121 function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
122 $this->assertEquals( $expected,
123 Sanitizer::decodeTagAttributes( $attributes ),
124 $message
125 );
126 }
127
128 function provideTagAttributesToDecode() {
129 return array(
130 array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
131 array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
132 array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
133 array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
134 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
135 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
136 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
137 array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
138 array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
139 array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
140 array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
141
142 # Invalid beginning
143 array( array(), '-foo=bar', 'Leading - is forbidden' ),
144 array( array(), '.foo=bar', 'Leading . is forbidden' ),
145 array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
146 array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
147 array( array( 'foo.bar' => 'baz' ), 'foo.bar=baz', 'A . is allowed inside the attribute' ),
148 array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
149 array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
150
151
152 # This bit is more relaxed than XML rules, but some extensions use
153 # it, like ProofreadPage (see bug 27539)
154 array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
155 array( array(), 'foo$=baz', 'Symbols are not allowed' ),
156 array( array(), 'foo@=baz', 'Symbols are not allowed' ),
157 array( array(), 'foo~=baz', 'Symbols are not allowed' ),
158 array( array( 'foo' => '1[#^`*%w/(' ), 'foo=1[#^`*%w/(', 'All kind of characters are allowed as values' ),
159 array( array( 'foo' => '1[#^`*%\'w/(' ), 'foo="1[#^`*%\'w/("', 'Double quotes are allowed if quoted by single quotes' ),
160 array( array( 'foo' => '1[#^`*%"w/(' ), 'foo=\'1[#^`*%"w/(\'', 'Single quotes are allowed if quoted by double quotes' ),
161 array( array( 'foo' => '&"' ), 'foo=&amp;&quot;', 'Special chars can be provided as entities' ),
162 array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
163 );
164 }
165
166 /**
167 * @dataProvider provideDeprecatedAttributes
168 * @covers Sanitizer::fixTagAttributes
169 */
170 function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
171 $this->assertEquals( " $inputAttr",
172 Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
173 $message
174 );
175 }
176
177 public static function provideDeprecatedAttributes() {
178 /** array( <attribute>, <element>, [message] ) */
179 return array(
180 array( 'clear="left"', 'br' ),
181 array( 'clear="all"', 'br' ),
182 array( 'width="100"', 'td' ),
183 array( 'nowrap="true"', 'td' ),
184 array( 'nowrap=""', 'td' ),
185 array( 'align="right"', 'td' ),
186 array( 'align="center"', 'table' ),
187 array( 'align="left"', 'tr' ),
188 array( 'align="center"', 'div' ),
189 array( 'align="left"', 'h1' ),
190 array( 'align="left"', 'span' ),
191 );
192 }
193
194 /**
195 * @dataProvider provideCssCommentsFixtures
196 * @covers Sanitizer::checkCss
197 */
198 function testCssCommentsChecking( $expected, $css, $message = '' ) {
199 $this->assertEquals( $expected,
200 Sanitizer::checkCss( $css ),
201 $message
202 );
203 }
204
205 public static function provideCssCommentsFixtures() {
206 /** array( <expected>, <css>, [message] ) */
207 return array(
208 array( ' ', '/**/' ),
209 array( ' ', '/****/' ),
210 array( ' ', '/* comment */' ),
211 array( ' ', "\\2f\\2a foo \\2a\\2f",
212 'Backslash-escaped comments must be stripped (bug 28450)' ),
213 array( '', '/* unfinished comment structure',
214 'Remove anything after a comment-start token' ),
215 array( '', "\\2f\\2a unifinished comment'",
216 'Remove anything after a backslash-escaped comment-start token' ),
217 array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');' ),
218 array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";' ),
219 array( '/* insecure input */', 'width: expression(1+1);' ),
220 array( '/* insecure input */', 'background-image: image(asdf.png);' ),
221 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ),
222 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);' ),
223 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
224 array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
225 array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
226 );
227 }
228
229 /**
230 * Test for support or lack of support for specific attributes in the attribute whitelist.
231 */
232 function provideAttributeSupport() {
233 /** array( <attributes>, <expected>, <message> ) */
234 return array(
235 array( 'div', ' role="presentation"', ' role="presentation"', 'Support for WAI-ARIA\'s role="presentation".' ),
236 array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
237 );
238 }
239
240 /**
241 * @dataProvider provideAttributeSupport
242 */
243 function testAttributeSupport( $tag, $attributes, $expected, $message ) {
244 $this->assertEquals( $expected,
245 Sanitizer::fixTagAttributes( $attributes, $tag ),
246 $message
247 );
248 }
249
250 }
Wiklou, le Wiki du Wiklou