- Generated on Sat Nov 10 2012 00:01:15 for MediaWiki by
1.7.6.1
|
MediaWiki
master
|
00001 <?php 00002 00003 class SanitizerTest extends MediaWikiTestCase { 00004 00005 protected function setUp() { 00006 parent::setUp(); 00007 00008 $this->setMwGlobals( 'wgCleanupPresentationalAttributes', true ); 00009 00010 AutoLoader::loadClass( 'Sanitizer' ); 00011 } 00012 00013 function testDecodeNamedEntities() { 00014 $this->assertEquals( 00015 "\xc3\xa9cole", 00016 Sanitizer::decodeCharReferences( 'école' ), 00017 'decode named entities' 00018 ); 00019 } 00020 00021 function testDecodeNumericEntities() { 00022 $this->assertEquals( 00023 "\xc4\x88io bonas dans l'\xc3\xa9cole!", 00024 Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ), 00025 'decode numeric entities' 00026 ); 00027 } 00028 00029 function testDecodeMixedEntities() { 00030 $this->assertEquals( 00031 "\xc4\x88io bonas dans l'\xc3\xa9cole!", 00032 Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ), 00033 'decode mixed numeric/named entities' 00034 ); 00035 } 00036 00037 function testDecodeMixedComplexEntities() { 00038 $this->assertEquals( 00039 "\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)", 00040 Sanitizer::decodeCharReferences( 00041 "Ĉio bonas dans l'école! (mais pas &#x108;io dans l'&eacute;cole)" 00042 ), 00043 'decode mixed complex entities' 00044 ); 00045 } 00046 00047 function testInvalidAmpersand() { 00048 $this->assertEquals( 00049 'a & b', 00050 Sanitizer::decodeCharReferences( 'a & b' ), 00051 'Invalid ampersand' 00052 ); 00053 } 00054 00055 function testInvalidEntities() { 00056 $this->assertEquals( 00057 '&foo;', 00058 Sanitizer::decodeCharReferences( '&foo;' ), 00059 'Invalid named entity' 00060 ); 00061 } 00062 00063 function testInvalidNumberedEntities() { 00064 $this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "�" ), 'Invalid numbered entity' ); 00065 } 00066 00067 function testSelfClosingTag() { 00068 $GLOBALS['wgUseTidy'] = false; 00069 $this->assertEquals( 00070 '<div>Hello world</div>', 00071 Sanitizer::removeHTMLtags( '<div>Hello world</div />' ), 00072 'Self-closing closing div' 00073 ); 00074 } 00075 00076 function testDecodeTagAttributes() { 00077 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=bar' ), array( 'foo' => 'bar' ), 'Unquoted attribute' ); 00078 $this->assertEquals( Sanitizer::decodeTagAttributes( ' foo = bar ' ), array( 'foo' => 'bar' ), 'Spaced attribute' ); 00079 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="bar"' ), array( 'foo' => 'bar' ), 'Double-quoted attribute' ); 00080 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Single-quoted attribute' ); 00081 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' ); 00082 00083 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' ); 00084 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'bar\' baz="foo"' ), array( 'foo' => 'bar', 'baz' => 'foo' ), 'Several attributes' ); 00085 00086 $this->assertEquals( Sanitizer::decodeTagAttributes( ':foo=\'bar\'' ), array( ':foo' => 'bar' ), 'Leading :' ); 00087 $this->assertEquals( Sanitizer::decodeTagAttributes( '_foo=\'bar\'' ), array( '_foo' => 'bar' ), 'Leading _' ); 00088 $this->assertEquals( Sanitizer::decodeTagAttributes( 'Foo=\'bar\'' ), array( 'foo' => 'bar' ), 'Leading capital' ); 00089 $this->assertEquals( Sanitizer::decodeTagAttributes( 'FOO=BAR' ), array( 'foo' => 'BAR' ), 'Attribute keys are normalized to lowercase' ); 00090 00091 # Invalid beginning 00092 $this->assertEquals( Sanitizer::decodeTagAttributes( '-foo=bar' ), array(), 'Leading - is forbidden' ); 00093 $this->assertEquals( Sanitizer::decodeTagAttributes( '.foo=bar' ), array(), 'Leading . is forbidden' ); 00094 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-bar=bar' ), array( 'foo-bar' => 'bar' ), 'A - is allowed inside the attribute' ); 00095 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo-=bar' ), array( 'foo-' => 'bar' ), 'A - is allowed inside the attribute' ); 00096 00097 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.bar=baz' ), array( 'foo.bar' => 'baz' ), 'A . is allowed inside the attribute' ); 00098 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo.=baz' ), array( 'foo.' => 'baz' ), 'A . is allowed as last character' ); 00099 00100 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo6=baz' ), array( 'foo6' => 'baz' ), 'Numbers are allowed' ); 00101 00102 # This bit is more relaxed than XML rules, but some extensions use it, like ProofreadPage (see bug 27539) 00103 $this->assertEquals( Sanitizer::decodeTagAttributes( '1foo=baz' ), array( '1foo' => 'baz' ), 'Leading numbers are allowed' ); 00104 00105 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo$=baz' ), array(), 'Symbols are not allowed' ); 00106 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo@=baz' ), array(), 'Symbols are not allowed' ); 00107 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo~=baz' ), array(), 'Symbols are not allowed' ); 00108 00109 00110 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=1[#^`*%w/(' ), array( 'foo' => '1[#^`*%w/(' ), 'All kind of characters are allowed as values' ); 00111 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo="1[#^`*%\'w/("' ), array( 'foo' => '1[#^`*%\'w/(' ), 'Double quotes are allowed if quoted by single quotes' ); 00112 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=\'1[#^`*%"w/(\'' ), array( 'foo' => '1[#^`*%"w/(' ), 'Single quotes are allowed if quoted by double quotes' ); 00113 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&"' ), array( 'foo' => '&"' ), 'Special chars can be provided as entities' ); 00114 $this->assertEquals( Sanitizer::decodeTagAttributes( 'foo=&foobar;' ), array( 'foo' => '&foobar;' ), 'Entity-like items are accepted' ); 00115 } 00116 00120 function testDeprecatedAttributes( $input, $tag, $expected, $message = null ) { 00121 $this->assertEquals( $expected, Sanitizer::fixTagAttributes( $input, $tag ), $message ); 00122 } 00123 00124 function testDeprecatedAttributesDisabled() { 00125 global $wgCleanupPresentationalAttributes; 00126 00127 $wgCleanupPresentationalAttributes = false; 00128 00129 $this->assertEquals( ' clear="left"', Sanitizer::fixTagAttributes( 'clear="left"', 'br' ), 'Deprecated attributes are not converted to styles when enabled.' ); 00130 } 00131 00132 public static function provideDeprecatedAttributes() { 00133 return array( 00134 array( 'clear="left"', 'br', ' style="clear: left;"', 'Deprecated attributes are converted to styles when enabled.' ), 00135 array( 'clear="all"', 'br', ' style="clear: both;"', 'clear=all is converted to clear: both; not clear: all;' ), 00136 array( 'CLEAR="ALL"', 'br', ' style="clear: both;"', 'clear=ALL is not treated differently from clear=all' ), 00137 array( 'width="100"', 'td', ' style="width: 100px;"', 'Numeric sizes use pixels instead of numbers.' ), 00138 array( 'width="100%"', 'td', ' style="width: 100%;"', 'Units are allowed in sizes.' ), 00139 array( 'WIDTH="100%"', 'td', ' style="width: 100%;"', 'Uppercase WIDTH is treated as lowercase width.' ), 00140 array( 'WiDTh="100%"', 'td', ' style="width: 100%;"', 'Mixed case does not break WiDTh.' ), 00141 array( 'nowrap="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute is output as white-space: nowrap; not something else.' ), 00142 array( 'nowrap=""', 'td', ' style="white-space: nowrap;"', 'nowrap="" is considered true, not false' ), 00143 array( 'NOWRAP="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when uppercase.' ), 00144 array( 'NoWrAp="true"', 'td', ' style="white-space: nowrap;"', 'nowrap attribute works when mixed-case.' ), 00145 array( 'align="right"', 'td', ' style="text-align: right;"' , 'align on table cells gets converted to text-align' ), 00146 array( 'align="center"', 'td', ' style="text-align: center;"' , 'align on table cells gets converted to text-align' ), 00147 array( 'align="left"' , 'div', ' style="text-align: left;"' , 'align=(left|right) on div elements gets converted to text-align' ), 00148 array( 'align="center"', 'div', ' style="text-align: center;"', 'align="center" on div elements gets converted to text-align' ), 00149 array( 'align="left"' , 'p', ' style="text-align: left;"' , 'align on p elements gets converted to text-align' ), 00150 array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ), 00151 array( 'align="left"' , 'h1', ' style="text-align: left;"' , 'align on h1 elements gets converted to text-align' ), 00152 array( 'align="left"' , 'caption',' style="text-align: left;"','align on caption elements gets converted to text-align' ), 00153 array( 'align="left"' , 'tfoot',' style="text-align: left;"' , 'align on tfoot elements gets converted to text-align' ), 00154 array( 'align="left"' , 'tbody',' style="text-align: left;"' , 'align on tbody elements gets converted to text-align' ), 00155 00156 # <tr> 00157 array( 'align="right"' , 'tr', ' style="text-align: right;"' , 'align on table row get converted to text-align' ), 00158 array( 'align="center"', 'tr', ' style="text-align: center;"', 'align on table row get converted to text-align' ), 00159 array( 'align="left"' , 'tr', ' style="text-align: left;"' , 'align on table row get converted to text-align' ), 00160 00161 #table 00162 array( 'align="left"' , 'table', ' style="float: left;"' , 'align on table converted to float' ), 00163 array( 'align="center"', 'table', ' style="margin-left: auto; margin-right: auto;"', 'align center on table converted to margins' ), 00164 array( 'align="right"' , 'table', ' style="float: right;"' , 'align on table converted to float' ), 00165 ); 00166 } 00167 00171 function testCssCommentsChecking( $expected, $css, $message = '' ) { 00172 $this->assertEquals( 00173 $expected, 00174 Sanitizer::checkCss( $css ), 00175 $message 00176 ); 00177 } 00178 00179 public static function provideCssCommentsFixtures() { 00181 return array( 00182 array( ' ', '/**/' ), 00183 array( ' ', '/****/' ), 00184 array( ' ', '/* comment */' ), 00185 array( ' ', "\\2f\\2a foo \\2a\\2f", 00186 'Backslash-escaped comments must be stripped (bug 28450)' ), 00187 array( '', '/* unfinished comment structure', 00188 'Remove anything after a comment-start token' ), 00189 array( '', "\\2f\\2a unifinished comment'", 00190 'Remove anything after a backslash-escaped comment-start token' ), 00191 array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');'), 00192 array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";'), 00193 array( '/* insecure input */', 'width: expression(1+1);'), 00194 array( '/* insecure input */', 'background-image: image(asdf.png);'), 00195 array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);'), 00196 array( '/* insecure input */', 'background-image: -moz-image(asdf.png);'), 00197 array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);'), 00198 array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'), 00199 array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'), 00200 ); 00201 } 00202 } 00203
1.7.6.1