dépôts / lhc / web / wiklou.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
(bug 39067) Add support for HTML5 <mark> element.
[lhc/web/wiklou.git] / tests / phpunit / includes / SanitizerTest.php
1 <?php
2
3 class SanitizerTest extends MediaWikiTestCase {
4
5 protected function setUp() {
6 parent::setUp();
7
8 $this->setMwGlobals( 'wgCleanupPresentationalAttributes', true );
9
10 AutoLoader::loadClass( 'Sanitizer' );
11 }
12
13 function testDecodeNamedEntities() {
14 $this->assertEquals(
15 "\xc3\xa9cole",
16 Sanitizer::decodeCharReferences( '&eacute;cole' ),
17 'decode named entities'
18 );
19 }
20
21 function testDecodeNumericEntities() {
22 $this->assertEquals(
23 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
24 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&#233;cole!" ),
25 'decode numeric entities'
26 );
27 }
28
29 function testDecodeMixedEntities() {
30 $this->assertEquals(
31 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
32 Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&eacute;cole!" ),
33 'decode mixed numeric/named entities'
34 );
35 }
36
37 function testDecodeMixedComplexEntities() {
38 $this->assertEquals(
39 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas &#x108;io dans l'&eacute;cole)",
40 Sanitizer::decodeCharReferences(
41 "&#x108;io bonas dans l'&eacute;cole! (mais pas &amp;#x108;io dans l'&#38;eacute;cole)"
42 ),
43 'decode mixed complex entities'
44 );
45 }
46
47 function testInvalidAmpersand() {
48 $this->assertEquals(
49 'a & b',
50 Sanitizer::decodeCharReferences( 'a & b' ),
51 'Invalid ampersand'
52 );
53 }
54
55 function testInvalidEntities() {
56 $this->assertEquals(
57 '&foo;',
58 Sanitizer::decodeCharReferences( '&foo;' ),
59 'Invalid named entity'
60 );
61 }
62
63 function testInvalidNumberedEntities() {
64 $this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "&#88888888888888;" ), 'Invalid numbered entity' );
65 }
66
67 /**
68 * @cover Sanitizer::removeHTMLtags
69 * @dataProvider provideHtml5Tags
70 *
71 * @param String $tag Name of an HTML5 element (ie: 'video')
72 * @param Boolean $escaped Wheter sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
73 */
74 function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
75
76 # Enable HTML5 mode
77 global $wgHTML5;
78 $save = $wgHTML5;
79 $wgHTML5 = true;
80
81 if( $escaped ) {
82 $this->assertEquals( "&lt;$tag&gt;",
83 Sanitizer::removeHTMLtags( "<$tag>" )
84 );
85 } else {
86 $this->assertEquals( "<$tag></$tag>\n",
87 Sanitizer::removeHTMLtags( "<$tag>" )
88 );
89 }
90 $wgHTML5 = $save;
91 }
92
93 /**
94 * Provide HTML5 tags
95 */
96 function provideHtml5Tags() {
97 $ESCAPED = true; # We want tag to be escaped
98 $VERBATIM = false; # We want to keep the tag
99 return array(
100 array( 'data', $VERBATIM ),
101 array( 'mark', $VERBATIM ),
102 array( 'time', $VERBATIM ),
103 array( 'video', $ESCAPED ),
104 );
105 }
106
107 function testSelfClosingTag() {
108 $GLOBALS['wgUseTidy'] = false;
109 $this->assertEquals(
110 '<div>Hello world</div>',
111 Sanitizer::removeHTMLtags( '<div>Hello world</div />' ),
112 'Self-closing closing div'
113 );
114 }
115
116 function testDecodeTagAttributes() {
117 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=bar' ), array( 'foo' => 'bar' ), 'Unquoted attribute' );
118 $this->assertEquals( Sanitizer::decodeTagAttributes( ' foo = bar ' ), array( 'foo' => 'bar' ), 'Spaced attribute' );
119 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="bar"' ), array( 'foo' => 'bar' ), 'Double-quoted attribute' );
120 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Single-quoted attribute' );
121 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
122
123 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
124 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' );
125
126 $this->assertEquals( Sanitizer::decodeTagAttributes( ':foo=\'bar\'' ), array( ':foo' => 'bar' ), 'Leading :' );
127 $this->assertEquals( Sanitizer::decodeTagAttributes( '_foo=\'bar\'' ), array( '_foo' => 'bar' ), 'Leading _' );
128 $this->assertEquals( Sanitizer::decodeTagAttributes( 'Foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Leading capital' );
129 $this->assertEquals( Sanitizer::decodeTagAttributes( 'FOO=BAR' ), array( 'foo' => 'BAR' ), 'Attribute keys are normalized to lowercase' );
130
131 # Invalid beginning
132 $this->assertEquals( Sanitizer::decodeTagAttributes( '-foo=bar' ), array(), 'Leading - is forbidden' );
133 $this->assertEquals( Sanitizer::decodeTagAttributes( '.foo=bar' ), array(), 'Leading . is forbidden' );
134 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-bar=bar' ), array( 'foo-bar' => 'bar' ), 'A - is allowed inside the attribute' );
135 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-=bar' ), array( 'foo-' => 'bar' ), 'A - is allowed inside the attribute' );
136
137 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.bar=baz' ), array( 'foo.bar' => 'baz' ), 'A . is allowed inside the attribute' );
138 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.=baz' ), array( 'foo.' => 'baz' ), 'A . is allowed as last character' );
139
140 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo6=baz' ), array( 'foo6' => 'baz' ), 'Numbers are allowed' );
141
142 # This bit is more relaxed than XML rules, but some extensions use it, like ProofreadPage (see bug 27539)
143 $this->assertEquals( Sanitizer::decodeTagAttributes( '1foo=baz' ), array( '1foo' => 'baz' ), 'Leading numbers are allowed' );
144
145 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo$=baz' ), array(), 'Symbols are not allowed' );
146 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo@=baz' ), array(), 'Symbols are not allowed' );
147 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo~=baz' ), array(), 'Symbols are not allowed' );
148
149
150 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=1[#^`*%w/(' ), array( 'foo' => '1[#^`*%w/(' ), 'All kind of characters are allowed as values' );
151 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="1[#^`*%\'w/("' ), array( 'foo' => '1[#^`*%\'w/(' ), 'Double quotes are allowed if quoted by single quotes' );
152 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'1[#^`*%"w/(\'' ), array( 'foo' => '1[#^`*%"w/(' ), 'Single quotes are allowed if quoted by double quotes' );
153 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&amp;&quot;' ), array( 'foo' => '&"' ), 'Special chars can be provided as entities' );
154 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&foobar;' ), array( 'foo' => '&foobar;' ), 'Entity-like items are accepted' );
155 }
156
157 /**
158 * @dataProvider provideDeprecatedAttributes
159 */
160 function testDeprecatedAttributes( $input, $tag, $expected, $message = null ) {
161 $this->assertEquals( $expected, Sanitizer::fixTagAttributes( $input, $tag ), $message );
162 }
163
164 function testDeprecatedAttributesDisabled() {
165 global $wgCleanupPresentationalAttributes;
166
167 $wgCleanupPresentationalAttributes = false;
168
169 $this->assertEquals( ' clear="left"', Sanitizer::fixTagAttributes( 'clear="left"', 'br' ), 'Deprecated attributes are not converted to styles when enabled.' );
170 }
171
172 public static function provideDeprecatedAttributes() {
173 return array(
174 array( 'clear="left"', 'br', ' style="clear: left;"', 'Deprecated attributes are converted to styles when enabled.' ),
175 array( 'clear="all"', 'br', ' style="clear: both;"', 'clear=all is converted to clear: both; not clear: all;' ),
176 array( 'CLEAR="ALL"', 'br', ' style="clear: both;"', 'clear=ALL is not treated differently from clear=all' ),
177 array( 'width="100"', 'td', ' style="width: 100px;"', 'Numeric sizes use pixels instead of numbers.' ),
178 array( 'width="100%"', 'td', ' style="width: 100%;"', 'Units are allowed in sizes.' ),
179 array( 'WIDTH="100%"', 'td', ' style="width: 100%;"', 'Uppercase WIDTH is treated as lowercase width.' ),
180 array( 'WiDTh="100%"', 'td', ' style="width: 100%;"', 'Mixed case does not break WiDTh.' ),
181 array( 'nowrap="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute is output as white-space: nowrap; not something else.' ),
182 array( 'nowrap=""', 'td', ' style="white-space: nowrap;"', 'nowrap="" is considered true, not false' ),
183 array( 'NOWRAP="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when uppercase.' ),
184 array( 'NoWrAp="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when mixed-case.' ),
185 array( 'align="right"', 'td', ' style="text-align: right;"' , 'align on table cells gets converted to text-align' ),
186 array( 'align="center"', 'td', ' style="text-align: center;"' , 'align on table cells gets converted to text-align' ),
187 array( 'align="left"' , 'div', ' style="text-align: left;"' , 'align=(left|right) on div elements gets converted to text-align' ),
188 array( 'align="center"', 'div', ' style="text-align: center;"', 'align="center" on div elements gets converted to text-align' ),
189 array( 'align="left"' , 'p', ' style="text-align: left;"' , 'align on p elements gets converted to text-align' ),
190 array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ),
191 array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ),
192 array( 'align="left"' , 'caption',' style="text-align: left;"','align on caption elements gets converted to text-align' ),
193 array( 'align="left"' , 'tfoot',' style="text-align: left;"' , 'align on tfoot elements gets converted to text-align' ),
194 array( 'align="left"' , 'tbody',' style="text-align: left;"' , 'align on tbody elements gets converted to text-align' ),
195
196 # <tr>
197 array( 'align="right"' , 'tr', ' style="text-align: right;"' , 'align on table row get converted to text-align' ),
198 array( 'align="center"', 'tr', ' style="text-align: center;"', 'align on table row get converted to text-align' ),
199 array( 'align="left"' , 'tr', ' style="text-align: left;"' , 'align on table row get converted to text-align' ),
200
201 #table
202 array( 'align="left"' , 'table', ' style="float: left;"' , 'align on table converted to float' ),
203 array( 'align="center"', 'table', ' style="margin-left: auto; margin-right: auto;"', 'align center on table converted to margins' ),
204 array( 'align="right"' , 'table', ' style="float: right;"' , 'align on table converted to float' ),
205 );
206 }
207
208 /**
209 * @dataProvider provideCssCommentsFixtures
210 */
211 function testCssCommentsChecking( $expected, $css, $message = '' ) {
212 $this->assertEquals(
213 $expected,
214 Sanitizer::checkCss( $css ),
215 $message
216 );
217 }
218
219 public static function provideCssCommentsFixtures() {
220 /** array( <expected>, <css>, [message] ) */
221 return array(
222 array( ' ', '/**/' ),
223 array( ' ', '/****/' ),
224 array( ' ', '/* comment */' ),
225 array( ' ', "\\2f\\2a foo \\2a\\2f",
226 'Backslash-escaped comments must be stripped (bug 28450)' ),
227 array( '', '/* unfinished comment structure',
228 'Remove anything after a comment-start token' ),
229 array( '', "\\2f\\2a unifinished comment'",
230 'Remove anything after a backslash-escaped comment-start token' ),
231 array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');'),
232 array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";'),
233 array( '/* insecure input */', 'width: expression(1+1);'),
234 array( '/* insecure input */', 'background-image: image(asdf.png);'),
235 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);'),
236 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);'),
237 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);'),
238 array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'),
239 array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'),
240 );
241 }
242 }
243
Wiklou, le Wiki du Wiklou