Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/tests/phpunit/includes/SanitizerTest.php

303 lines
10 KiB
PHP
Raw Normal View History

Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
<?php
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @todo Tests covering decodeCharReferences can be refactored into a single
* method and dataprovider.
*/
* verbose and color default output from phpunit * Make a bunch of tests subclass MediaWikiTestCase * Parser tests and ResourceLoaderTest can't subclass it yet due to various issues
2010-12-28 18:17:16 +00:00
class SanitizerTest extends MediaWikiTestCase {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
protected function setUp() {
parent::setUp();
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
AutoLoader::loadClass( 'Sanitizer' );
}
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @covers Sanitizer::decodeCharReferences
*/
public function testDecodeNamedEntities() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals(
"\xc3\xa9cole",
Sanitizer::decodeCharReferences( '&eacute;cole' ),
'decode named entities'
);
}
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @covers Sanitizer::decodeCharReferences
*/
public function testDecodeNumericEntities() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals(
"\xc4\x88io bonas dans l'\xc3\xa9cole!",
Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&#233;cole!" ),
'decode numeric entities'
);
}
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @covers Sanitizer::decodeCharReferences
*/
public function testDecodeMixedEntities() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals(
"\xc4\x88io bonas dans l'\xc3\xa9cole!",
Sanitizer::decodeCharReferences( "&#x108;io bonas dans l'&eacute;cole!" ),
'decode mixed numeric/named entities'
);
}
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @covers Sanitizer::decodeCharReferences
*/
public function testDecodeMixedComplexEntities() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals(
"\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas &#x108;io dans l'&eacute;cole)",
Sanitizer::decodeCharReferences(
"&#x108;io bonas dans l'&eacute;cole! (mais pas &amp;#x108;io dans l'&#38;eacute;cole)"
),
'decode mixed complex entities'
);
}
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @covers Sanitizer::decodeCharReferences
*/
public function testInvalidAmpersand() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals(
'a & b',
Sanitizer::decodeCharReferences( 'a & b' ),
'Invalid ampersand'
);
}
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @covers Sanitizer::decodeCharReferences
*/
public function testInvalidEntities() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals(
'&foo;',
Sanitizer::decodeCharReferences( '&foo;' ),
'Invalid named entity'
);
}
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
* @covers Sanitizer::decodeCharReferences
*/
public function testInvalidNumberedEntities() {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
$this->assertEquals( UTF8_REPLACEMENT, Sanitizer::decodeCharReferences( "&#88888888888888;" ), 'Invalid numbered entity' );
}
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
/**
Lots of spelling mistakes and phpdoc attributes @throw->@throws @returns->@return @seealso->@see @cover->@covers etc Change-Id: I9ae6bc3034e9790e2d66cd96473b923fe9ee7953
2013-03-11 03:16:28 +00:00
* @covers Sanitizer::removeHTMLtags
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
* @dataProvider provideHtml5Tags
*
* @param String $tag Name of an HTML5 element (ie: 'video')
* @param Boolean $escaped Wheter sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
Fix SanitizerTest for wikis with wgUseTidy = true; testRemovehtmltagsOnHtml5Tags needs wgUseTidy = false; 3) SanitizerTest::testRemovehtmltagsOnHtml5Tags with data set #2 ('time', false) Failed asserting that two strings are equal. --- Expected +++ Actual @@ @@ -'<time></time> -' +'<time>' Change-Id: Ib7e156293e2efae053b055e40393e442719eb5bd
2012-12-09 10:03:03 +00:00
$this->setMwGlobals( array(
'wgUseTidy' => false
Update formatting 2 of n. Change-Id: I5406673e99ed53e4e330ed47f022a17177544daa
2013-02-14 11:36:35 +00:00
) );
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
Update formatting 2 of n. Change-Id: I5406673e99ed53e4e330ed47f022a17177544daa
2013-02-14 11:36:35 +00:00
if ( $escaped ) {
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
$this->assertEquals( "&lt;$tag&gt;",
Sanitizer::removeHTMLtags( "<$tag>" )
);
} else {
$this->assertEquals( "<$tag></$tag>\n",
Sanitizer::removeHTMLtags( "<$tag>" )
);
}
}
/**
* Provide HTML5 tags
*/
Tests: Make phpunit providers "public static". Follows-up I9d2b148e57 (including phpunit/languages this time). Bug: 46434 Change-Id: I30e5efcd88c516121c454676bd7a18f9b7c8fca6
2013-03-22 02:12:37 +00:00
public static function provideHtml5Tags() {
Update formatting 2 of n. Change-Id: I5406673e99ed53e4e330ed47f022a17177544daa
2013-02-14 11:36:35 +00:00
$ESCAPED = true; # We want tag to be escaped
$VERBATIM = false; # We want to keep the tag
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
return array(
array( 'data', $VERBATIM ),
array( 'mark', $VERBATIM ),
array( 'time', $VERBATIM ),
array( 'video', $ESCAPED ),
);
}
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
function dataRemoveHTMLtags() {
return array(
// former testSelfClosingTag
array(
'<div>Hello world</div />',
'<div>Hello world</div>',
'Self-closing closing div'
),
// Make sure special nested HTML5 semantics are not broken
// http://www.whatwg.org/html/text-level-semantics.html#the-kbd-element
array(
'<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
'<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
'Nested <kbd>.'
),
// http://www.whatwg.org/html/text-level-semantics.html#the-sub-and-sup-elements
array(
'<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
'<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
'Nested <var>.'
),
// http://www.whatwg.org/html/text-level-semantics.html#the-dfn-element
array(
'<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
'<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
'<abbr> inside <dfn>',
),
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
);
}
testDecodeTagAttributes now use a data provider We had a huge pile of assertEquals in a single test function, this patch convert the mess in a nicer dataprovider. The parameters passed to assertEquals() were mixed up, the expected values should be passed as the first argument, I thus exchange the first two parameters in each case. Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897
2012-11-22 10:25:30 +00:00
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
/**
* @dataProvider dataRemoveHTMLtags
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
* @covers Sanitizer::removeHTMLtags
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testRemoveHTMLtags( $input, $output, $msg = null ) {
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
$GLOBALS['wgUseTidy'] = false;
$this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
}
testDecodeTagAttributes now use a data provider We had a huge pile of assertEquals in a single test function, this patch convert the mess in a nicer dataprovider. The parameters passed to assertEquals() were mixed up, the expected values should be passed as the first argument, I thus exchange the first two parameters in each case. Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897
2012-11-22 10:25:30 +00:00
/**
* @dataProvider provideTagAttributesToDecode
Lots of spelling mistakes and phpdoc attributes @throw->@throws @returns->@return @seealso->@see @cover->@covers etc Change-Id: I9ae6bc3034e9790e2d66cd96473b923fe9ee7953
2013-03-11 03:16:28 +00:00
* @covers Sanitizer::decodeTagAttributes
testDecodeTagAttributes now use a data provider We had a huge pile of assertEquals in a single test function, this patch convert the mess in a nicer dataprovider. The parameters passed to assertEquals() were mixed up, the expected values should be passed as the first argument, I thus exchange the first two parameters in each case. Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897
2012-11-22 10:25:30 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
testDecodeTagAttributes now use a data provider We had a huge pile of assertEquals in a single test function, this patch convert the mess in a nicer dataprovider. The parameters passed to assertEquals() were mixed up, the expected values should be passed as the first argument, I thus exchange the first two parameters in each case. Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897
2012-11-22 10:25:30 +00:00
$this->assertEquals( $expected,
Sanitizer::decodeTagAttributes( $attributes ),
$message
);
}
Tests: Make phpunit providers "public static". Follows-up I9d2b148e57 (including phpunit/languages this time). Bug: 46434 Change-Id: I30e5efcd88c516121c454676bd7a18f9b7c8fca6
2013-03-22 02:12:37 +00:00
public static function provideTagAttributesToDecode() {
testDecodeTagAttributes now use a data provider We had a huge pile of assertEquals in a single test function, this patch convert the mess in a nicer dataprovider. The parameters passed to assertEquals() were mixed up, the expected values should be passed as the first argument, I thus exchange the first two parameters in each case. Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897
2012-11-22 10:25:30 +00:00
return array(
array( array( 'foo' => 'bar' ), 'foo=bar', 'Unquoted attribute' ),
array( array( 'foo' => 'bar' ), ' foo = bar ', 'Spaced attribute' ),
array( array( 'foo' => 'bar' ), 'foo="bar"', 'Double-quoted attribute' ),
array( array( 'foo' => 'bar' ), 'foo=\'bar\'', 'Single-quoted attribute' ),
array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
array( array( 'foo' => 'bar', 'baz' => 'foo' ), 'foo=\'bar\' baz="foo"', 'Several attributes' ),
array( array( ':foo' => 'bar' ), ':foo=\'bar\'', 'Leading :' ),
array( array( '_foo' => 'bar' ), '_foo=\'bar\'', 'Leading _' ),
array( array( 'foo' => 'bar' ), 'Foo=\'bar\'', 'Leading capital' ),
array( array( 'foo' => 'BAR' ), 'FOO=BAR', 'Attribute keys are normalized to lowercase' ),
# Invalid beginning
array( array(), '-foo=bar', 'Leading - is forbidden' ),
array( array(), '.foo=bar', 'Leading . is forbidden' ),
array( array( 'foo-bar' => 'bar' ), 'foo-bar=bar', 'A - is allowed inside the attribute' ),
array( array( 'foo-' => 'bar' ), 'foo-=bar', 'A - is allowed inside the attribute' ),
array( array( 'foo.bar' => 'baz' ), 'foo.bar=baz', 'A . is allowed inside the attribute' ),
array( array( 'foo.' => 'baz' ), 'foo.=baz', 'A . is allowed as last character' ),
array( array( 'foo6' => 'baz' ), 'foo6=baz', 'Numbers are allowed' ),
# This bit is more relaxed than XML rules, but some extensions use
# it, like ProofreadPage (see bug 27539)
array( array( '1foo' => 'baz' ), '1foo=baz', 'Leading numbers are allowed' ),
array( array(), 'foo$=baz', 'Symbols are not allowed' ),
array( array(), 'foo@=baz', 'Symbols are not allowed' ),
array( array(), 'foo~=baz', 'Symbols are not allowed' ),
array( array( 'foo' => '1[#^`*%w/(' ), 'foo=1[#^`*%w/(', 'All kind of characters are allowed as values' ),
array( array( 'foo' => '1[#^`*%\'w/(' ), 'foo="1[#^`*%\'w/("', 'Double quotes are allowed if quoted by single quotes' ),
array( array( 'foo' => '1[#^`*%"w/(' ), 'foo=\'1[#^`*%"w/(\'', 'Single quotes are allowed if quoted by double quotes' ),
array( array( 'foo' => '&"' ), 'foo=&amp;&quot;', 'Special chars can be provided as entities' ),
array( array( 'foo' => '&foobar;' ), 'foo=&foobar;', 'Entity-like items are accepted' ),
);
(Bug 27539) Allow attributes beginning with a digit in wiktext tag parameters. Its removal in r70849 breaks ProofreadPage extension. Restricted r82475 relaxation to just numbers. Added tests. This only affects wikitext (tag hooks). MW_ATTRIBS_REGEX is only used through decodeTagAttributes() calls. fixTagAttributes() calls decodeTagAttributes(), and would be nastier to fix, since it is called with HTML parameters (eg. by removeHTMLtags) but such incorrect parameters grabbed would be removed by validateTagAttributes()
2011-02-19 20:16:54 +00:00
}
Followup r94465 and r94465; Add phpunit tests for Sanitizer::fixDeprecatedAttributes and fix bugs related to clear="all" and mixed/uppercase attributes and values.
2011-09-25 04:08:23 +00:00
(bug 36495) Sanitizer: Convert align to margin/float outside tables. Change-Id: I108cbd100cff6bade011b14d74b5bca82f2a1e5f
2012-06-29 16:24:20 +00:00
/**
* @dataProvider provideDeprecatedAttributes
Lots of spelling mistakes and phpdoc attributes @throw->@throws @returns->@return @seealso->@see @cover->@covers etc Change-Id: I9ae6bc3034e9790e2d66cd96473b923fe9ee7953
2013-03-11 03:16:28 +00:00
* @covers Sanitizer::fixTagAttributes
(bug 36495) Sanitizer: Convert align to margin/float outside tables. Change-Id: I108cbd100cff6bade011b14d74b5bca82f2a1e5f
2012-06-29 16:24:20 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
normalize sanitizerTest and add coverage tips * @cover let us mention which function the test is using, help out when building coverage report to make sure we only record traces for that function. * Normalized test functions so they look alike and make use of an optional message. Change-Id: I3e431b28e377f2ca21d06300537f63b2df4a3a99
2012-11-22 10:23:13 +00:00
$this->assertEquals( " $inputAttr",
Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
$message
);
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
}
public static function provideDeprecatedAttributes() {
normalize sanitizerTest and add coverage tips * @cover let us mention which function the test is using, help out when building coverage report to make sure we only record traces for that function. * Normalized test functions so they look alike and make use of an optional message. Change-Id: I3e431b28e377f2ca21d06300537f63b2df4a3a99
2012-11-22 10:23:13 +00:00
/** array( <attribute>, <element>, [message] ) */
(bug 36495) Sanitizer: Convert align to margin/float outside tables. Change-Id: I108cbd100cff6bade011b14d74b5bca82f2a1e5f
2012-06-29 16:24:20 +00:00
return array(
(bug 40632) Remove CleanupPresentationalAttributes feature Removed $wgCleanupPresentationalAttributes, the associated code it toggles and references to those in src and tests. Also fixes bug 40329. This was originally introduced in r94465 (released in REL1_19) but disabled by default. Then enabled in r98053, after which several bugs were filed and eventually the decision was made to remove this feature. Removed obsolete release-note entry, as this is to be backported to REL1_20. Change-Id: I4e86305520a3b22ef88381caab55d24abac932e3
2012-11-01 18:08:54 +00:00
array( 'clear="left"', 'br' ),
array( 'clear="all"', 'br' ),
array( 'width="100"', 'td' ),
array( 'nowrap="true"', 'td' ),
array( 'nowrap=""', 'td' ),
array( 'align="right"', 'td' ),
array( 'align="center"', 'table' ),
array( 'align="left"', 'tr' ),
array( 'align="center"', 'div' ),
array( 'align="left"', 'h1' ),
Put the HTML attribute whitelist closer to HTML5 * Add the global attributes to <bdo> and <q> and add "cite" to <q>. This is to make these elements actually usable: <bdo> needs a "dir" attribute to be useful for anything, and the whole point of <q> compared to hard-coded quotation marks is its support for the "lang" and "cite" attributes. * Drop the "align" attribute from <span> because it was never standards- compliant and does not work in browsers either, unless one constructs such unlikely things as <span align="center" style="display:block;">. * Drop the obsolete "char" and "charoff" attributes from <tr>, <td>, <th>. These have not been implemented in browsers anyway. * Drop the obsolete presentational attributes "align", "valign" and "width" from <colgroup>, <col>, <thead>, <tfoot> and <tbody>. These elements are currently not accepted in wikitext anyway, but removing these attributes from the whitelist ensures that they are not accidentally enabled in the future. * Drop the obsolete presentational attributes "noshade" and "size" from <hr>. They have been overridden by skin-specific CSS for a long time anyway. * Allow all global attributes on <br> and <wbr>. Not allowing "dir" and "lang" on <br> was a restriction in HTML 4.01, presumably copied to <wbr>, that has been lifted in HTML5. Allowing these may not be particularly useful, but simplifies the code. Bug: 55582 Change-Id: I1c3289ef51a449a7837af28d9906701534175896
2013-10-11 20:04:49 +00:00
array( 'align="left"', 'p' ),
(bug 36495) Sanitizer: Convert align to margin/float outside tables. Change-Id: I108cbd100cff6bade011b14d74b5bca82f2a1e5f
2012-06-29 16:24:20 +00:00
);
Followup r94465 and r94465; Add phpunit tests for Sanitizer::fixDeprecatedAttributes and fix bugs related to clear="all" and mixed/uppercase attributes and values.
2011-09-25 04:08:23 +00:00
}
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
/**
* @dataProvider provideCssCommentsFixtures
Lots of spelling mistakes and phpdoc attributes @throw->@throws @returns->@return @seealso->@see @cover->@covers etc Change-Id: I9ae6bc3034e9790e2d66cd96473b923fe9ee7953
2013-03-11 03:16:28 +00:00
* @covers Sanitizer::checkCss
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testCssCommentsChecking( $expected, $css, $message = '' ) {
normalize sanitizerTest and add coverage tips * @cover let us mention which function the test is using, help out when building coverage report to make sure we only record traces for that function. * Normalized test functions so they look alike and make use of an optional message. Change-Id: I3e431b28e377f2ca21d06300537f63b2df4a3a99
2012-11-22 10:23:13 +00:00
$this->assertEquals( $expected,
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
Sanitizer::checkCss( $css ),
$message
);
}
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
public static function provideCssCommentsFixtures() {
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
/** array( <expected>, <css>, [message] ) */
return array(
displaytitle: reject some CSS if $wgRestrictDisplayTitle set $wgRestrictDisplayTitle is intended to make it possible to simply copy-and-paste the title text even if it requires some styling like subscript or superscript. Using a <span style="display: none;" /> broke that expectation, as the text hidden in such way becomes completely invisible and unselectable. This patch rejects such styles. Also disallowed 'user-select' and 'visibility', since they both prevent the user from selecting and/or copying the text as well. Minor changes in Sanitizer: * checkCss() was made to pass through values which consist of nothing but a single comment, to allow this rejection to display some sort of a notification to the user. * encodeTagAttributes() was added as a counterpart to decodeTagAttributes(), pulling some code out of fixTagAttributes(). Bug: 26547 Change-Id: Ie162535b6bcbebce4ee69f6dcc1957ccccc3c672
2013-05-22 08:48:14 +00:00
// Valid comments spanning entire input
array( '/**/', '/**/' ),
array( '/* comment */', '/* comment */' ),
// Weird stuff
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
array( ' ', '/****/' ),
displaytitle: reject some CSS if $wgRestrictDisplayTitle set $wgRestrictDisplayTitle is intended to make it possible to simply copy-and-paste the title text even if it requires some styling like subscript or superscript. Using a <span style="display: none;" /> broke that expectation, as the text hidden in such way becomes completely invisible and unselectable. This patch rejects such styles. Also disallowed 'user-select' and 'visibility', since they both prevent the user from selecting and/or copying the text as well. Minor changes in Sanitizer: * checkCss() was made to pass through values which consist of nothing but a single comment, to allow this rejection to display some sort of a notification to the user. * encodeTagAttributes() was added as a counterpart to decodeTagAttributes(), pulling some code out of fixTagAttributes(). Bug: 26547 Change-Id: Ie162535b6bcbebce4ee69f6dcc1957ccccc3c672
2013-05-22 08:48:14 +00:00
array( ' ', '/* /* */' ),
array( 'display: block;', "display:/* foo */block;" ),
array( 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
'Backslash-escaped comments must be stripped (bug 28450)' ),
array( '', '/* unfinished comment structure',
Update formatting 2 of n. Change-Id: I5406673e99ed53e4e330ed47f022a17177544daa
2013-02-14 11:36:35 +00:00
'Remove anything after a comment-start token' ),
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
array( '', "\\2f\\2a unifinished comment'",
Update formatting 2 of n. Change-Id: I5406673e99ed53e4e330ed47f022a17177544daa
2013-02-14 11:36:35 +00:00
'Remove anything after a backslash-escaped comment-start token' ),
array( '/* insecure input */', 'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\');' ),
array( '/* insecure input */', '-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader(src=\'asdf.png\',sizingMethod=\'scale\')";' ),
array( '/* insecure input */', 'width: expression(1+1);' ),
array( '/* insecure input */', 'background-image: image(asdf.png);' ),
array( '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ),
array( '/* insecure input */', 'background-image: -moz-image(asdf.png);' ),
array( '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ),
array( '/* insecure input */', 'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
array( '/* insecure input */', 'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);' ),
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
);
}
Support WAI-ARIA's role="presentation" inside of WikiText. - role="presentation" is the standard way to mark some element as presentational for assistive technologies, etc... Such as presentational tables. Something we have a lot of and need the ability to mark as presentational. - Other ARIA roles need more thought so for now they are not supported. Change-Id: I426ea04a8bc48181a71a308753525f3964201748
2012-10-19 08:57:25 +00:00
/**
* Test for support or lack of support for specific attributes in the attribute whitelist.
*/
Tests: Make phpunit providers "public static". Follows-up I9d2b148e57 (including phpunit/languages this time). Bug: 46434 Change-Id: I30e5efcd88c516121c454676bd7a18f9b7c8fca6
2013-03-22 02:12:37 +00:00
public static function provideAttributeSupport() {
Support WAI-ARIA's role="presentation" inside of WikiText. - role="presentation" is the standard way to mark some element as presentational for assistive technologies, etc... Such as presentational tables. Something we have a lot of and need the ability to mark as presentational. - Other ARIA roles need more thought so for now they are not supported. Change-Id: I426ea04a8bc48181a71a308753525f3964201748
2012-10-19 08:57:25 +00:00
/** array( <attributes>, <expected>, <message> ) */
return array(
array( 'div', ' role="presentation"', ' role="presentation"', 'Support for WAI-ARIA\'s role="presentation".' ),
array( 'div', ' role="main"', '', "Other WAI-ARIA roles are currently not supported." ),
);
}
/**
* @dataProvider provideAttributeSupport
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
* @covers Sanitizer::fixTagAttributes
Support WAI-ARIA's role="presentation" inside of WikiText. - role="presentation" is the standard way to mark some element as presentational for assistive technologies, etc... Such as presentational tables. Something we have a lot of and need the ability to mark as presentational. - Other ARIA roles need more thought so for now they are not supported. Change-Id: I426ea04a8bc48181a71a308753525f3964201748
2012-10-19 08:57:25 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testAttributeSupport( $tag, $attributes, $expected, $message ) {
Support WAI-ARIA's role="presentation" inside of WikiText. - role="presentation" is the standard way to mark some element as presentational for assistive technologies, etc... Such as presentational tables. Something we have a lot of and need the ability to mark as presentational. - Other ARIA roles need more thought so for now they are not supported. Change-Id: I426ea04a8bc48181a71a308753525f3964201748
2012-10-19 08:57:25 +00:00
$this->assertEquals( $expected,
Sanitizer::fixTagAttributes( $attributes, $tag ),
$message
);
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
Reference in a new issue Copy permalink