From 7eea23984cc60bcc859f8d40324972fdda6aacef Mon Sep 17 00:00:00 2001
From: =?utf8?q?=C3=86var=20Arnfj=C3=B6r=C3=B0=20Bjarmason?=
 <avar@users.mediawiki.org>
Date: Sun, 8 Jan 2006 10:33:28 +0000
Subject: [PATCH] * More <!-- comment --> tests, two of which fail * Two tests
 for hex sequences in links, one of which fails * moved all the XSS tests to
 one place * More & improved parser hook tests

---
 maintenance/parserTests.txt | 264 +++++++++++++++++++++++++++---------
 1 file changed, 197 insertions(+), 67 deletions(-)

diff --git a/maintenance/parserTests.txt b/maintenance/parserTests.txt
index 5409f2b15b..bf2d8c49ab 100644
--- a/maintenance/parserTests.txt
+++ b/maintenance/parserTests.txt
@@ -16,6 +16,7 @@
 #	cat		add category links
 #	ill		add inter-language links
 #	subpage		enable subpages (disabled by default)
+#	noxml		don't check for XML well formdness
 #	title=[[XXX]]	run test using article title XXX
 #	disabled	do not run test
 #
@@ -218,6 +219,51 @@ c
 </p>
 !! end
 
+!! test
+Comment whitespace
+!! input
+<!-- returns a single newline, not nothing, since the newline after > is not stripped -->
+!! result
+
+!! end
+
+!! test
+Comment semantics and delimiters
+!! input
+<!-- --><!----><!-----><!------>
+!! result
+
+!! end
+
+!! test
+Comment semantics and delimiters, redux
+!! input
+<!-- In SGML every "foo" here would actually show up in the text -- foo -- bar
+-- foo -- funky huh? ... -->
+!! result
+
+!! end
+
+!! test
+Comment semantics and delimiters: directors cut
+!! input
+<!-- ... However we're purely an XML shop you see, so we eat everything
+starting with < followed by !-- until the first -- and > we see, observe: -->-->
+!! result
+<p>--&gt;
+</p>
+!! end
+
+!! test
+Comment semantics: nesting
+!! input
+<!--<!-- no, we're not going to do anything fancy here -->-->
+!! result
+<p>--&gt;
+</p>
+!! end
+
+
 ###
 ### Preformatted text
 ###
@@ -1013,6 +1059,24 @@ Link containing % as a double hex sequence interpreted to hex sequence
 </p>
 !!end
 
+!! test
+Link containing "#<" and "#>" % as a hex sequences
+!! input
+[[%23%3c]]<!-- Render this as "[[#%3c]]" maybe.. ? -->[[%23%3e]]<!-- ..."[[#%3e]]" ? -->
+!! result
+<p>[[%23%3c]][[%23%3e]]
+</p>
+!! end
+
+!! test
+Link containing "<#" and ">#" as a hex sequences
+!! input
+[[%3c%23]][[%3e%23]]
+!! result
+<p>[[%3c%23]][[%3e%23]]
+</p>
+!! end
+
 !! test
 Plain link to URL
 !! input
@@ -2778,6 +2842,7 @@ Bug 2304: HTML attribute safety (bold)
 
 !! end
 
+
 !! test
 Bug 2304: HTML attribute safety (ISBN)
 !! input
@@ -2841,7 +2906,6 @@ Bug 3244: HTML attribute safety (extension; unsafe)
 
 !! end
 
-
 !! test
 Math section safety when disabled
 !! input
@@ -2851,6 +2915,44 @@ Math section safety when disabled
 </p>
 !! end
 
+# More MSIE fun discovered by Tom Gilder
+
+!! test
+MSIE CSS safety test: spurious slash
+!! input
+<div style="background-image:u\rl(javascript:alert('boo'))">evil</div>
+!! result
+<div>evil</div>
+
+!! end
+
+!! test
+MSIE CSS safety test: hex code
+!! input
+<div style="background-image:u\72l(javascript:alert('boo'))">evil</div>
+!! result
+<div>evil</div>
+
+!! end
+
+!! test
+MSIE CSS safety test: comment in url
+!! input
+<div style="background-image:u/**/rl(javascript:alert('boo'))">evil</div>
+!! result
+<div style="background-image:u rl(javascript:alert('boo'))">evil</div>
+
+!! end
+
+!! test
+MSIE CSS safety test: comment in expression
+!! input
+<div style="background-image:expres/**/sion(alert('boo4'))">evil4</div>
+!! result
+<div style="background-image:expres sion(alert('boo4'))">evil4</div>
+
+!! end
+
 
 !! test
 Table attribute legitimate extension
@@ -2881,13 +2983,32 @@ Table attribute safety
 !! end
 
 ###
-### Parser hooks
+### Parser hooks (see maintenance/parserTestsParserHook.php for the <tag> extension)
 ###
 !! test
 Parser hook: empty input
 !! input
 <tag></tag>
 !! result
+<pre>
+string(0) ""
+array(0) {
+}
+</pre>
+
+!! end
+
+!! test
+Parser hook: empty input using terminated empty elements
+!! input
+<tag/>
+!! result
+<pre>
+NULL
+array(0) {
+}
+</pre>
+
 !! end
 
 !! test
@@ -2895,17 +3016,55 @@ Parser hook: basic input
 !! input
 <tag>input</tag>
 !! result
-<p>input
-</p>
+<pre>
+string(5) "input"
+array(0) {
+}
+</pre>
+
 !! end
 
+
 !! test
 Parser hook: case insensetive
 !! input
+<TAG>input</TAG>
+!! result
+<pre>
+string(5) "input"
+array(0) {
+}
+</pre>
+
+!! end
+
+
+!! test
+Parser hook: case insensetive, redux
+!! input
 <TaG>input</TAg>
 !! result
-<p>input
-</p>
+<pre>
+string(5) "input"
+array(0) {
+}
+</pre>
+
+!! end
+
+!! test
+Parser hook: nested tags
+!! options
+noxml
+!! input
+<tag><tag></tag></tag>
+!! result
+<pre>
+string(5) "<tag>"
+array(0) {
+}
+</pre>&lt;/tag&gt;
+
 !! end
 
 !! test
@@ -2914,13 +3073,17 @@ Parser hook: basic arguments
 <tag width=200 height = "100" depth = '50' square></tag>
 !! result
 <pre>
-Array
-(
-    [width] => 200
-    [height] => 100
-    [depth] => 50
-    [square] => square
-)
+string(0) ""
+array(4) {
+  ["width"]=>
+  string(3) "200"
+  ["height"]=>
+  string(3) "100"
+  ["depth"]=>
+  string(2) "50"
+  ["square"]=>
+  string(6) "square"
+}
 </pre>
 
 !! end
@@ -2931,12 +3094,13 @@ Parser hook: empty input using terminated empty elements (bug 2374)
 <tag foo=bar/>text
 !! result
 <pre>
-Array
-(
-    [foo] => bar
-)
-</pre>
-text
+NULL
+array(1) {
+  ["foo"]=>
+  string(3) "bar"
+}
+</pre>text
+
 !! end
 
 # </tag> should be output literally since there is no matching tag that begins it
@@ -2948,17 +3112,21 @@ other stuff
 </tag>
 !! result
 <pre>
-Array
-(
-    [width] => 200
-    [height] => 100
-    [depth] => 50
-    [square] => square
-)
+NULL
+array(4) {
+  ["width"]=>
+  string(3) "200"
+  ["height"]=>
+  string(3) "100"
+  ["depth"]=>
+  string(2) "50"
+  ["square"]=>
+  string(6) "square"
+}
 </pre>
-other stuff
-</tag>
-
+<p>other stuff
+&lt;/tag&gt;
+</p>
 !! end
 
 
@@ -2987,44 +3155,6 @@ Nested template calls
 !! end
 
 
-# More MSIE fun discovered by Tom Gilder
-
-!! test
-MSIE CSS safety test: spurious slash
-!! input
-<div style="background-image:u\rl(javascript:alert('boo'))">evil</div>
-!! result
-<div>evil</div>
-
-!! end
-
-!! test
-MSIE CSS safety test: hex code
-!! input
-<div style="background-image:u\72l(javascript:alert('boo'))">evil</div>
-!! result
-<div>evil</div>
-
-!! end
-
-!! test
-MSIE CSS safety test: comment in url
-!! input
-<div style="background-image:u/**/rl(javascript:alert('boo'))">evil</div>
-!! result
-<div style="background-image:u rl(javascript:alert('boo'))">evil</div>
-
-!! end
-
-!! test
-MSIE CSS safety test: comment in expression
-!! input
-<div style="background-image:expres/**/sion(alert('boo4'))">evil4</div>
-!! result
-<div style="background-image:expres sion(alert('boo4'))">evil4</div>
-
-!! end
-
 ###
 ### Sanitizer
 ###
-- 
2.20.1