3 class SanitizerTest
extends MediaWikiTestCase
{
5 protected function setUp() {
8 AutoLoader
::loadClass( 'Sanitizer' );
11 function testDecodeNamedEntities() {
14 Sanitizer
::decodeCharReferences( 'école' ),
15 'decode named entities'
19 function testDecodeNumericEntities() {
21 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
22 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
23 'decode numeric entities'
27 function testDecodeMixedEntities() {
29 "\xc4\x88io bonas dans l'\xc3\xa9cole!",
30 Sanitizer
::decodeCharReferences( "Ĉio bonas dans l'école!" ),
31 'decode mixed numeric/named entities'
35 function testDecodeMixedComplexEntities() {
37 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)",
38 Sanitizer
::decodeCharReferences(
39 "Ĉio bonas dans l'école! (mais pas Ĉio dans l'école)"
41 'decode mixed complex entities'
45 function testInvalidAmpersand() {
48 Sanitizer
::decodeCharReferences( 'a & b' ),
53 function testInvalidEntities() {
56 Sanitizer
::decodeCharReferences( '&foo;' ),
57 'Invalid named entity'
61 function testInvalidNumberedEntities() {
62 $this->assertEquals( UTF8_REPLACEMENT
, Sanitizer
::decodeCharReferences( "�" ), 'Invalid numbered entity' );
66 * @covers Sanitizer::removeHTMLtags
67 * @dataProvider provideHtml5Tags
69 * @param String $tag Name of an HTML5 element (ie: 'video')
70 * @param Boolean $escaped Wheter sanitizer let the tag in or escape it (ie: '<video>')
72 function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
73 $this->setMwGlobals( array(
80 $this->assertEquals( "<$tag>",
81 Sanitizer
::removeHTMLtags( "<$tag>" )
84 $this->assertEquals( "<$tag></$tag>\n",
85 Sanitizer
::removeHTMLtags( "<$tag>" )
93 public static function provideHtml5Tags() {
94 $ESCAPED = true; # We want tag to be escaped
95 $VERBATIM = false; # We want to keep the tag
97 array( 'data', $VERBATIM ),
98 array( 'mark', $VERBATIM ),
99 array( 'time', $VERBATIM ),
100 array( 'video', $ESCAPED ),
104 function dataRemoveHTMLtags() {
106 // former testSelfClosingTag
108 '<div>Hello world</div />',
109 '<div>Hello world</div>',
110 'Self-closing closing div'
112 // Make sure special nested HTML5 semantics are not broken
113 // http://www.whatwg.org/html/text-level-semantics.html#the-kbd-element
115 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
116 '<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
119 // http://www.whatwg.org/html/text-level-semantics.html#the-sub-and-sup-elements
121 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
122 '<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
125 // http://www.whatwg.org/html/text-level-semantics.html#the-dfn-element
127 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
128 '<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
129 '<abbr> inside <dfn>',
135 * @dataProvider dataRemoveHTMLtags
137 function testRemoveHTMLtags( $input, $output, $msg = null ) {
138 $GLOBALS['wgUseTidy'] = false;
139 $this->assertEquals( $output, Sanitizer
::removeHTMLtags( $input ), $msg );
143 * @dataProvider provideTagAttributesToDecode
144 * @covers Sanitizer::decodeTagAttributes
146 function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
147 $this->assertEquals( $expected,
148 Sanitizer
::decodeTagAttributes( $attributes ),
153 public static function provideTagAttributesToDecode() {
155 array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
156 array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
157 array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
158 array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
159 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
160 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
161 array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
162 array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
163 array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
164 array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
165 array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
168 array( array(), '-foo=bar', 'Leading - is forbidden' ),
169 array( array(), '.foo=bar', 'Leading . is forbidden' ),
170 array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
171 array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
172 array( array( 'foo.bar' => 'baz' ), 'foo.bar=baz', 'A . is allowed inside the attribute' ),
173 array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
174 array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
176 # This bit is more relaxed than XML rules, but some extensions use
177 # it, like ProofreadPage (see bug 27539)
178 array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
179 array( array(), 'foo$=baz', 'Symbols are not allowed' ),
180 array( array(), 'foo@=baz', 'Symbols are not allowed' ),
181 array( array(), 'foo~=baz', 'Symbols are not allowed' ),
182 array( array( 'foo' => '1[#^`*%w/(' ), 'foo=1[#^`*%w/(', 'All kind of characters are allowed as values' ),
183 array( array( 'foo' => '1[#^`*%\'w/(' ), 'foo="1[#^`*%\'w/("', 'Double quotes are allowed if quoted by single quotes' ),
184 array( array( 'foo' => '1[#^`*%"w/(' ), 'foo=\'1[#^`*%"w/(\'', 'Single quotes are allowed if quoted by double quotes' ),
185 array( array( 'foo' => '&"' ), 'foo=&"', 'Special chars can be provided as entities' ),
186 array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
191 * @dataProvider provideDeprecatedAttributes
192 * @covers Sanitizer::fixTagAttributes
194 function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
195 $this->assertEquals( " $inputAttr",
196 Sanitizer
::fixTagAttributes( $inputAttr, $inputEl ),
201 public static function provideDeprecatedAttributes() {
202 /** array( <attribute>, <element>, [message] ) */
204 array( 'clear="left"', 'br' ),
205 array( 'clear="all"', 'br' ),
206 array( 'width="100"', 'td' ),
207 array( 'nowrap="true"', 'td' ),
208 array( 'nowrap=""', 'td' ),
209 array( 'align="right"', 'td' ),
210 array( 'align="center"', 'table' ),
211 array( 'align="left"', 'tr' ),
212 array( 'align="center"', 'div' ),
213 array( 'align="left"', 'h1' ),
214 array( 'align="left"', 'span' ),
219 * @dataProvider provideCssCommentsFixtures
220 * @covers Sanitizer::checkCss
222 function testCssCommentsChecking( $expected, $css, $message = '' ) {
223 $this->assertEquals( $expected,
224 Sanitizer
::checkCss( $css ),
229 public static function provideCssCommentsFixtures() {
230 /** array( <expected>, <css>, [message] ) */
232 array( ' ', '/**/' ),
233 array( ' ', '/****/' ),
234 array( ' ', '/* comment */' ),
235 array( ' ', "\\2f\\2a foo \\2a\\2f",
236 'Backslash-escaped comments must be stripped (bug 28450)' ),
237 array( '', '/* unfinished comment structure',
238 'Remove anything after a comment-start token' ),
239 array( '', "\\2f\\2a unifinished comment'",
240 'Remove anything after a backslash-escaped comment-start token' ),
241 array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');' ),
242 array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";' ),
243 array( '/* insecure input */', 'width: expression(1+1);' ),
244 array( '/* insecure input */', 'background-image: image(asdf.png);' ),
245 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ),
246 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);' ),
247 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
248 array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
249 array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
254 * Test for support or lack of support for specific attributes in the attribute whitelist.
256 public static function provideAttributeSupport() {
257 /** array( <attributes>, <expected>, <message> ) */
259 array( 'div', ' role="presentation"', ' role="presentation"', 'Support for WAI-ARIA\'s role="presentation".' ),
260 array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
265 * @dataProvider provideAttributeSupport
267 function testAttributeSupport( $tag, $attributes, $expected, $message ) {
268 $this->assertEquals( $expected,
269 Sanitizer
::fixTagAttributes( $attributes, $tag ),