2010-12-14 16:26:35 +00:00
|
|
|
|
<?php
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @todo Tests covering decodeCharReferences can be refactored into a single
|
|
|
|
|
|
* method and dataprovider.
|
2017-06-30 00:13:12 +00:00
|
|
|
|
*
|
|
|
|
|
|
* @group Sanitizer
|
2013-10-21 21:09:13 +00:00
|
|
|
|
*/
|
2010-12-28 18:17:16 +00:00
|
|
|
|
class SanitizerTest extends MediaWikiTestCase {
|
2010-12-14 16:26:35 +00:00
|
|
|
|
|
2015-08-31 04:42:55 +00:00
|
|
|
|
protected function tearDown() {
|
|
|
|
|
|
MWTidy::destroySingleton();
|
|
|
|
|
|
parent::tearDown();
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @covers Sanitizer::decodeCharReferences
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testDecodeNamedEntities() {
|
2010-12-14 16:26:35 +00:00
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
"\xc3\xa9cole",
|
|
|
|
|
|
Sanitizer::decodeCharReferences( 'école' ),
|
|
|
|
|
|
'decode named entities'
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @covers Sanitizer::decodeCharReferences
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testDecodeNumericEntities() {
|
2010-12-14 16:26:35 +00:00
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
"\xc4\x88io bonas dans l'\xc3\xa9cole!",
|
|
|
|
|
|
Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ),
|
|
|
|
|
|
'decode numeric entities'
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @covers Sanitizer::decodeCharReferences
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testDecodeMixedEntities() {
|
2010-12-14 16:26:35 +00:00
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
"\xc4\x88io bonas dans l'\xc3\xa9cole!",
|
|
|
|
|
|
Sanitizer::decodeCharReferences( "Ĉio bonas dans l'école!" ),
|
|
|
|
|
|
'decode mixed numeric/named entities'
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @covers Sanitizer::decodeCharReferences
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testDecodeMixedComplexEntities() {
|
2010-12-14 16:26:35 +00:00
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
"\xc4\x88io bonas dans l'\xc3\xa9cole! (mais pas Ĉio dans l'école)",
|
|
|
|
|
|
Sanitizer::decodeCharReferences(
|
|
|
|
|
|
"Ĉio bonas dans l'école! (mais pas &#x108;io dans l'&eacute;cole)"
|
|
|
|
|
|
),
|
|
|
|
|
|
'decode mixed complex entities'
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @covers Sanitizer::decodeCharReferences
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testInvalidAmpersand() {
|
2010-12-14 16:26:35 +00:00
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
'a & b',
|
|
|
|
|
|
Sanitizer::decodeCharReferences( 'a & b' ),
|
|
|
|
|
|
'Invalid ampersand'
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @covers Sanitizer::decodeCharReferences
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testInvalidEntities() {
|
2010-12-14 16:26:35 +00:00
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
'&foo;',
|
|
|
|
|
|
Sanitizer::decodeCharReferences( '&foo;' ),
|
|
|
|
|
|
'Invalid named entity'
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-10-21 21:09:13 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @covers Sanitizer::decodeCharReferences
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testInvalidNumberedEntities() {
|
2014-04-24 12:35:05 +00:00
|
|
|
|
$this->assertEquals(
|
2015-03-07 09:27:42 +00:00
|
|
|
|
UtfNormal\Constants::UTF8_REPLACEMENT,
|
2014-04-24 12:35:05 +00:00
|
|
|
|
Sanitizer::decodeCharReferences( "�" ),
|
|
|
|
|
|
'Invalid numbered entity'
|
|
|
|
|
|
);
|
2010-12-14 16:26:35 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-08-06 10:02:49 +00:00
|
|
|
|
/**
|
2013-03-11 03:16:28 +00:00
|
|
|
|
* @covers Sanitizer::removeHTMLtags
|
2012-08-06 10:02:49 +00:00
|
|
|
|
* @dataProvider provideHtml5Tags
|
|
|
|
|
|
*
|
2014-04-17 18:43:42 +00:00
|
|
|
|
* @param string $tag Name of an HTML5 element (ie: 'video')
|
|
|
|
|
|
* @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '<video>')
|
2012-08-06 10:02:49 +00:00
|
|
|
|
*/
|
2013-10-21 21:09:13 +00:00
|
|
|
|
public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
|
2015-08-31 04:42:55 +00:00
|
|
|
|
MWTidy::setInstance( false );
|
2012-08-06 10:02:49 +00:00
|
|
|
|
|
2013-02-14 11:36:35 +00:00
|
|
|
|
if ( $escaped ) {
|
2012-08-06 10:02:49 +00:00
|
|
|
|
$this->assertEquals( "<$tag>",
|
|
|
|
|
|
Sanitizer::removeHTMLtags( "<$tag>" )
|
|
|
|
|
|
);
|
|
|
|
|
|
} else {
|
|
|
|
|
|
$this->assertEquals( "<$tag></$tag>\n",
|
|
|
|
|
|
Sanitizer::removeHTMLtags( "<$tag>" )
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* Provide HTML5 tags
|
|
|
|
|
|
*/
|
2013-03-22 02:12:37 +00:00
|
|
|
|
public static function provideHtml5Tags() {
|
2013-02-14 11:36:35 +00:00
|
|
|
|
$ESCAPED = true; # We want tag to be escaped
|
|
|
|
|
|
$VERBATIM = false; # We want to keep the tag
|
2016-02-17 09:09:32 +00:00
|
|
|
|
return [
|
|
|
|
|
|
[ 'data', $VERBATIM ],
|
|
|
|
|
|
[ 'mark', $VERBATIM ],
|
|
|
|
|
|
[ 'time', $VERBATIM ],
|
|
|
|
|
|
[ 'video', $ESCAPED ],
|
|
|
|
|
|
];
|
2012-08-06 10:02:49 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
2012-10-30 13:34:56 +00:00
|
|
|
|
function dataRemoveHTMLtags() {
|
2016-02-17 09:09:32 +00:00
|
|
|
|
return [
|
2012-10-30 13:34:56 +00:00
|
|
|
|
// former testSelfClosingTag
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[
|
2012-10-30 13:34:56 +00:00
|
|
|
|
'<div>Hello world</div />',
|
|
|
|
|
|
'<div>Hello world</div>',
|
|
|
|
|
|
'Self-closing closing div'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
2012-10-30 13:34:56 +00:00
|
|
|
|
// Make sure special nested HTML5 semantics are not broken
|
2016-10-13 05:34:26 +00:00
|
|
|
|
// https://html.spec.whatwg.org/multipage/semantics.html#the-kbd-element
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[
|
2012-10-30 13:34:56 +00:00
|
|
|
|
'<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
|
|
|
|
|
|
'<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
|
|
|
|
|
|
'Nested <kbd>.'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
2016-10-13 05:34:26 +00:00
|
|
|
|
// https://html.spec.whatwg.org/multipage/semantics.html#the-sub-and-sup-elements
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[
|
2012-10-30 13:34:56 +00:00
|
|
|
|
'<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
|
|
|
|
|
|
'<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
|
|
|
|
|
|
'Nested <var>.'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
2016-10-13 05:34:26 +00:00
|
|
|
|
// https://html.spec.whatwg.org/multipage/semantics.html#the-dfn-element
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[
|
2012-10-30 13:34:56 +00:00
|
|
|
|
'<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
|
|
|
|
|
|
'<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
|
|
|
|
|
|
'<abbr> inside <dfn>',
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
];
|
2010-12-14 16:26:35 +00:00
|
|
|
|
}
|
2012-11-22 10:25:30 +00:00
|
|
|
|
|
2012-10-30 13:34:56 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider dataRemoveHTMLtags
|
2013-10-21 21:09:13 +00:00
|
|
|
|
* @covers Sanitizer::removeHTMLtags
|
2012-10-30 13:34:56 +00:00
|
|
|
|
*/
|
2013-10-21 21:09:13 +00:00
|
|
|
|
public function testRemoveHTMLtags( $input, $output, $msg = null ) {
|
2015-08-31 04:42:55 +00:00
|
|
|
|
MWTidy::setInstance( false );
|
2012-10-30 13:34:56 +00:00
|
|
|
|
$this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
|
|
|
|
|
|
}
|
2012-11-22 10:25:30 +00:00
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider provideTagAttributesToDecode
|
2013-03-11 03:16:28 +00:00
|
|
|
|
* @covers Sanitizer::decodeTagAttributes
|
2012-11-22 10:25:30 +00:00
|
|
|
|
*/
|
2013-10-21 21:09:13 +00:00
|
|
|
|
public function testDecodeTagAttributes( $expected, $attributes, $message = '' ) {
|
2012-11-22 10:25:30 +00:00
|
|
|
|
$this->assertEquals( $expected,
|
|
|
|
|
|
Sanitizer::decodeTagAttributes( $attributes ),
|
|
|
|
|
|
$message
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2013-03-22 02:12:37 +00:00
|
|
|
|
public static function provideTagAttributesToDecode() {
|
2016-02-17 09:09:32 +00:00
|
|
|
|
return [
|
|
|
|
|
|
[ [ 'foo' => 'bar' ], 'foo=bar', 'Unquoted attribute' ],
|
2017-06-22 04:43:36 +00:00
|
|
|
|
[ [ 'עברית' => 'bar' ], 'עברית=bar', 'Non-Latin attribute' ],
|
|
|
|
|
|
[ [ '६' => 'bar' ], '६=bar', 'Devanagari number' ],
|
|
|
|
|
|
[ [ '搭𨋢' => 'bar' ], '搭𨋢=bar', 'Non-BMP character' ],
|
|
|
|
|
|
[ [], 'ńgh=bar', 'Combining accent is not allowed' ],
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[ [ 'foo' => 'bar' ], ' foo = bar ', 'Spaced attribute' ],
|
|
|
|
|
|
[ [ 'foo' => 'bar' ], 'foo="bar"', 'Double-quoted attribute' ],
|
|
|
|
|
|
[ [ 'foo' => 'bar' ], 'foo=\'bar\'', 'Single-quoted attribute' ],
|
|
|
|
|
|
[
|
|
|
|
|
|
[ 'foo' => 'bar', 'baz' => 'foo' ],
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'foo=\'bar\' baz="foo"',
|
|
|
|
|
|
'Several attributes'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[
|
|
|
|
|
|
[ 'foo' => 'bar', 'baz' => 'foo' ],
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'foo=\'bar\' baz="foo"',
|
|
|
|
|
|
'Several attributes'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[
|
|
|
|
|
|
[ 'foo' => 'bar', 'baz' => 'foo' ],
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'foo=\'bar\' baz="foo"',
|
|
|
|
|
|
'Several attributes'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[ [ ':foo' => 'bar' ], ':foo=\'bar\'', 'Leading :' ],
|
|
|
|
|
|
[ [ '_foo' => 'bar' ], '_foo=\'bar\'', 'Leading _' ],
|
|
|
|
|
|
[ [ 'foo' => 'bar' ], 'Foo=\'bar\'', 'Leading capital' ],
|
|
|
|
|
|
[ [ 'foo' => 'BAR' ], 'FOO=BAR', 'Attribute keys are normalized to lowercase' ],
|
2012-11-22 10:25:30 +00:00
|
|
|
|
|
|
|
|
|
|
# Invalid beginning
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[ [], '-foo=bar', 'Leading - is forbidden' ],
|
|
|
|
|
|
[ [], '.foo=bar', 'Leading . is forbidden' ],
|
|
|
|
|
|
[ [ 'foo-bar' => 'bar' ], 'foo-bar=bar', 'A - is allowed inside the attribute' ],
|
|
|
|
|
|
[ [ 'foo-' => 'bar' ], 'foo-=bar', 'A - is allowed inside the attribute' ],
|
|
|
|
|
|
[ [ 'foo.bar' => 'baz' ], 'foo.bar=baz', 'A . is allowed inside the attribute' ],
|
|
|
|
|
|
[ [ 'foo.' => 'baz' ], 'foo.=baz', 'A . is allowed as last character' ],
|
|
|
|
|
|
[ [ 'foo6' => 'baz' ], 'foo6=baz', 'Numbers are allowed' ],
|
2012-11-22 10:25:30 +00:00
|
|
|
|
|
|
|
|
|
|
# This bit is more relaxed than XML rules, but some extensions use
|
2017-02-20 23:45:58 +00:00
|
|
|
|
# it, like ProofreadPage (see T29539)
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[ [ '1foo' => 'baz' ], '1foo=baz', 'Leading numbers are allowed' ],
|
|
|
|
|
|
[ [], 'foo$=baz', 'Symbols are not allowed' ],
|
|
|
|
|
|
[ [], 'foo@=baz', 'Symbols are not allowed' ],
|
|
|
|
|
|
[ [], 'foo~=baz', 'Symbols are not allowed' ],
|
|
|
|
|
|
[
|
|
|
|
|
|
[ 'foo' => '1[#^`*%w/(' ],
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'foo=1[#^`*%w/(',
|
|
|
|
|
|
'All kind of characters are allowed as values'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[
|
|
|
|
|
|
[ 'foo' => '1[#^`*%\'w/(' ],
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'foo="1[#^`*%\'w/("',
|
|
|
|
|
|
'Double quotes are allowed if quoted by single quotes'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[
|
|
|
|
|
|
[ 'foo' => '1[#^`*%"w/(' ],
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'foo=\'1[#^`*%"w/(\'',
|
|
|
|
|
|
'Single quotes are allowed if quoted by double quotes'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[ [ 'foo' => '&"' ], 'foo=&"', 'Special chars can be provided as entities' ],
|
|
|
|
|
|
[ [ 'foo' => '&foobar;' ], 'foo=&foobar;', 'Entity-like items are accepted' ],
|
|
|
|
|
|
];
|
2011-02-19 20:16:54 +00:00
|
|
|
|
}
|
2011-09-25 04:08:23 +00:00
|
|
|
|
|
2012-06-29 16:24:20 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider provideDeprecatedAttributes
|
2013-03-11 03:16:28 +00:00
|
|
|
|
* @covers Sanitizer::fixTagAttributes
|
2012-06-29 16:24:20 +00:00
|
|
|
|
*/
|
2013-10-21 21:09:13 +00:00
|
|
|
|
public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
|
2012-11-22 10:23:13 +00:00
|
|
|
|
$this->assertEquals( " $inputAttr",
|
|
|
|
|
|
Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
|
|
|
|
|
|
$message
|
|
|
|
|
|
);
|
2012-10-08 10:56:20 +00:00
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public static function provideDeprecatedAttributes() {
|
2016-07-10 15:23:29 +00:00
|
|
|
|
/** [ <attribute>, <element>, [message] ] */
|
2016-02-17 09:09:32 +00:00
|
|
|
|
return [
|
|
|
|
|
|
[ 'clear="left"', 'br' ],
|
|
|
|
|
|
[ 'clear="all"', 'br' ],
|
|
|
|
|
|
[ 'width="100"', 'td' ],
|
|
|
|
|
|
[ 'nowrap="true"', 'td' ],
|
|
|
|
|
|
[ 'nowrap=""', 'td' ],
|
|
|
|
|
|
[ 'align="right"', 'td' ],
|
|
|
|
|
|
[ 'align="center"', 'table' ],
|
|
|
|
|
|
[ 'align="left"', 'tr' ],
|
|
|
|
|
|
[ 'align="center"', 'div' ],
|
|
|
|
|
|
[ 'align="left"', 'h1' ],
|
|
|
|
|
|
[ 'align="left"', 'p' ],
|
|
|
|
|
|
];
|
2011-09-25 04:08:23 +00:00
|
|
|
|
}
|
2011-10-24 08:39:58 +00:00
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider provideCssCommentsFixtures
|
2013-03-11 03:16:28 +00:00
|
|
|
|
* @covers Sanitizer::checkCss
|
2011-10-24 08:39:58 +00:00
|
|
|
|
*/
|
2013-10-21 21:09:13 +00:00
|
|
|
|
public function testCssCommentsChecking( $expected, $css, $message = '' ) {
|
2012-11-22 10:23:13 +00:00
|
|
|
|
$this->assertEquals( $expected,
|
2011-10-24 08:39:58 +00:00
|
|
|
|
Sanitizer::checkCss( $css ),
|
|
|
|
|
|
$message
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2012-10-08 10:56:20 +00:00
|
|
|
|
public static function provideCssCommentsFixtures() {
|
2016-07-10 15:23:29 +00:00
|
|
|
|
/** [ <expected>, <css>, [message] ] */
|
2016-02-17 09:09:32 +00:00
|
|
|
|
return [
|
2013-05-22 08:48:14 +00:00
|
|
|
|
// Valid comments spanning entire input
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[ '/**/', '/**/' ],
|
|
|
|
|
|
[ '/* comment */', '/* comment */' ],
|
2013-05-22 08:48:14 +00:00
|
|
|
|
// Weird stuff
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[ ' ', '/****/' ],
|
|
|
|
|
|
[ ' ', '/* /* */' ],
|
|
|
|
|
|
[ 'display: block;', "display:/* foo */block;" ],
|
|
|
|
|
|
[ 'display: block;', "display:\\2f\\2a foo \\2a\\2f block;",
|
2017-02-20 23:45:58 +00:00
|
|
|
|
'Backslash-escaped comments must be stripped (T30450)' ],
|
2016-02-17 09:09:32 +00:00
|
|
|
|
[ '', '/* unfinished comment structure',
|
|
|
|
|
|
'Remove anything after a comment-start token' ],
|
|
|
|
|
|
[ '', "\\2f\\2a unifinished comment'",
|
|
|
|
|
|
'Remove anything after a backslash-escaped comment-start token' ],
|
|
|
|
|
|
[
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'/* insecure input */',
|
|
|
|
|
|
'filter: progid:DXImageTransform.Microsoft.AlphaImageLoader'
|
|
|
|
|
|
. '(src=\'asdf.png\',sizingMethod=\'scale\');'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'/* insecure input */',
|
|
|
|
|
|
'-ms-filter: "progid:DXImageTransform.Microsoft.AlphaImageLoader'
|
|
|
|
|
|
. '(src=\'asdf.png\',sizingMethod=\'scale\')";'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[ '/* insecure input */', 'width: expression(1+1);' ],
|
|
|
|
|
|
[ '/* insecure input */', 'background-image: image(asdf.png);' ],
|
|
|
|
|
|
[ '/* insecure input */', 'background-image: -webkit-image(asdf.png);' ],
|
|
|
|
|
|
[ '/* insecure input */', 'background-image: -moz-image(asdf.png);' ],
|
|
|
|
|
|
[ '/* insecure input */', 'background-image: image-set("asdf.png" 1x, "asdf.png" 2x);' ],
|
|
|
|
|
|
[
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'/* insecure input */',
|
|
|
|
|
|
'background-image: -webkit-image-set("asdf.png" 1x, "asdf.png" 2x);'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
|
|
|
|
|
[
|
2014-04-24 12:35:05 +00:00
|
|
|
|
'/* insecure input */',
|
|
|
|
|
|
'background-image: -moz-image-set("asdf.png" 1x, "asdf.png" 2x);'
|
2016-02-17 09:09:32 +00:00
|
|
|
|
],
|
2014-06-11 23:29:33 +00:00
|
|
|
|
[ '/* insecure input */', 'foo: attr( title, url );' ],
|
|
|
|
|
|
[ '/* insecure input */', 'foo: attr( title url );' ],
|
2016-02-17 09:09:32 +00:00
|
|
|
|
];
|
2011-10-24 08:39:58 +00:00
|
|
|
|
}
|
2012-10-19 08:57:25 +00:00
|
|
|
|
|
2015-01-14 23:22:06 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider provideEscapeHtmlAllowEntities
|
|
|
|
|
|
* @covers Sanitizer::escapeHtmlAllowEntities
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testEscapeHtmlAllowEntities( $expected, $html ) {
|
|
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
$expected,
|
|
|
|
|
|
Sanitizer::escapeHtmlAllowEntities( $html )
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public static function provideEscapeHtmlAllowEntities() {
|
2016-02-17 09:09:32 +00:00
|
|
|
|
return [
|
|
|
|
|
|
[ 'foo', 'foo' ],
|
|
|
|
|
|
[ 'a¡b', 'a¡b' ],
|
|
|
|
|
|
[ 'foo'bar', "foo'bar" ],
|
|
|
|
|
|
[ '<script>foo</script>', '<script>foo</script>' ],
|
|
|
|
|
|
];
|
2015-01-14 23:22:06 +00:00
|
|
|
|
}
|
2016-01-18 01:19:26 +00:00
|
|
|
|
|
2017-06-30 10:20:19 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* Test Sanitizer::escapeId
|
|
|
|
|
|
*
|
|
|
|
|
|
* @dataProvider provideEscapeId
|
|
|
|
|
|
* @covers Sanitizer::escapeId
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testEscapeId( $input, $output ) {
|
|
|
|
|
|
$this->assertEquals(
|
|
|
|
|
|
$output,
|
|
|
|
|
|
Sanitizer::escapeId( $input, [ 'noninitial', 'legacy' ] )
|
|
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public static function provideEscapeId() {
|
|
|
|
|
|
return [
|
|
|
|
|
|
[ '+', '.2B' ],
|
|
|
|
|
|
[ '&', '.26' ],
|
|
|
|
|
|
[ '=', '.3D' ],
|
|
|
|
|
|
[ ':', ':' ],
|
|
|
|
|
|
[ ';', '.3B' ],
|
|
|
|
|
|
[ '@', '.40' ],
|
|
|
|
|
|
[ '$', '.24' ],
|
|
|
|
|
|
[ '-_.', '-_.' ],
|
|
|
|
|
|
[ '!', '.21' ],
|
|
|
|
|
|
[ '*', '.2A' ],
|
|
|
|
|
|
[ '/', '.2F' ],
|
|
|
|
|
|
[ '[]', '.5B.5D' ],
|
|
|
|
|
|
[ '<>', '.3C.3E' ],
|
|
|
|
|
|
[ '\'', '.27' ],
|
|
|
|
|
|
[ '§', '.C2.A7' ],
|
|
|
|
|
|
[ 'Test:A & B/Here', 'Test:A_.26_B.2FHere' ],
|
2016-05-02 05:14:45 +00:00
|
|
|
|
[ 'A&B&C&amp;D&amp;amp;E', 'A.26B.26amp.3BC.26amp.3Bamp.3BD.26amp.3Bamp.3Bamp.3BE' ],
|
2017-06-30 10:20:19 +00:00
|
|
|
|
];
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2016-01-18 01:19:26 +00:00
|
|
|
|
/**
|
2017-06-30 00:13:12 +00:00
|
|
|
|
* Test escapeIdReferenceList for consistency with escapeIdForAttribute
|
2016-01-18 01:19:26 +00:00
|
|
|
|
*
|
|
|
|
|
|
* @dataProvider provideEscapeIdReferenceList
|
|
|
|
|
|
* @covers Sanitizer::escapeIdReferenceList
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testEscapeIdReferenceList( $referenceList, $id1, $id2 ) {
|
|
|
|
|
|
$this->assertEquals(
|
2017-09-30 00:24:37 +00:00
|
|
|
|
Sanitizer::escapeIdReferenceList( $referenceList ),
|
2017-06-30 00:13:12 +00:00
|
|
|
|
Sanitizer::escapeIdForAttribute( $id1 )
|
2016-01-18 01:19:26 +00:00
|
|
|
|
. ' '
|
2017-06-30 00:13:12 +00:00
|
|
|
|
. Sanitizer::escapeIdForAttribute( $id2 )
|
2016-01-18 01:19:26 +00:00
|
|
|
|
);
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public static function provideEscapeIdReferenceList() {
|
2016-07-10 15:23:29 +00:00
|
|
|
|
/** [ <reference list>, <individual id 1>, <individual id 2> ] */
|
2016-02-17 09:09:32 +00:00
|
|
|
|
return [
|
|
|
|
|
|
[ 'foo bar', 'foo', 'bar' ],
|
|
|
|
|
|
[ '#1 #2', '#1', '#2' ],
|
|
|
|
|
|
[ '+1 +2', '+1', '+2' ],
|
|
|
|
|
|
];
|
2016-01-18 01:19:26 +00:00
|
|
|
|
}
|
2017-02-10 05:31:32 +00:00
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider provideIsReservedDataAttribute
|
2017-12-25 07:26:52 +00:00
|
|
|
|
* @covers Sanitizer::isReservedDataAttribute
|
2017-02-10 05:31:32 +00:00
|
|
|
|
*/
|
|
|
|
|
|
public function testIsReservedDataAttribute( $attr, $expected ) {
|
|
|
|
|
|
$this->assertSame( $expected, Sanitizer::isReservedDataAttribute( $attr ) );
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public static function provideIsReservedDataAttribute() {
|
|
|
|
|
|
return [
|
|
|
|
|
|
[ 'foo', false ],
|
|
|
|
|
|
[ 'data', false ],
|
|
|
|
|
|
[ 'data-foo', false ],
|
|
|
|
|
|
[ 'data-mw', true ],
|
|
|
|
|
|
[ 'data-ooui', true ],
|
|
|
|
|
|
[ 'data-parsoid', true ],
|
|
|
|
|
|
[ 'data-mw-foo', true ],
|
|
|
|
|
|
[ 'data-ooui-foo', true ],
|
|
|
|
|
|
[ 'data-mwfoo', true ], // could be false but this is how it's implemented currently
|
|
|
|
|
|
];
|
|
|
|
|
|
}
|
2017-06-30 00:13:12 +00:00
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider provideEscapeIdForStuff
|
|
|
|
|
|
*
|
|
|
|
|
|
* @covers Sanitizer::escapeIdForAttribute()
|
|
|
|
|
|
* @covers Sanitizer::escapeIdForLink()
|
|
|
|
|
|
* @covers Sanitizer::escapeIdForExternalInterwiki()
|
|
|
|
|
|
* @covers Sanitizer::escapeIdInternal()
|
|
|
|
|
|
*
|
|
|
|
|
|
* @param string $stuff
|
|
|
|
|
|
* @param string[] $config
|
|
|
|
|
|
* @param string $id
|
|
|
|
|
|
* @param string|false $expected
|
|
|
|
|
|
* @param int|null $mode
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testEscapeIdForStuff( $stuff, array $config, $id, $expected, $mode = null ) {
|
|
|
|
|
|
$func = "Sanitizer::escapeIdFor{$stuff}";
|
|
|
|
|
|
$iwFlavor = array_pop( $config );
|
|
|
|
|
|
$this->setMwGlobals( [
|
|
|
|
|
|
'wgFragmentMode' => $config,
|
|
|
|
|
|
'wgExternalInterwikiFragmentMode' => $iwFlavor,
|
|
|
|
|
|
] );
|
|
|
|
|
|
$escaped = call_user_func( $func, $id, $mode );
|
|
|
|
|
|
self::assertEquals( $expected, $escaped );
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function provideEscapeIdForStuff() {
|
|
|
|
|
|
// Test inputs and outputs
|
2016-05-02 05:14:45 +00:00
|
|
|
|
$text = 'foo тест_#%!\'()[]:<>&&&amp;';
|
|
|
|
|
|
$legacyEncoded = 'foo_.D1.82.D0.B5.D1.81.D1.82_.23.25.21.27.28.29.5B.5D:.3C.3E' .
|
|
|
|
|
|
'.26.26amp.3B.26amp.3Bamp.3B';
|
|
|
|
|
|
$html5Encoded = 'foo_тест_#%!\'()[]:<>&&&amp;';
|
2017-06-30 00:13:12 +00:00
|
|
|
|
|
|
|
|
|
|
// Settings: last element is $wgExternalInterwikiFragmentMode, the rest is $wgFragmentMode
|
|
|
|
|
|
$legacy = [ 'legacy', 'legacy' ];
|
|
|
|
|
|
$legacyNew = [ 'legacy', 'html5', 'legacy' ];
|
|
|
|
|
|
$newLegacy = [ 'html5', 'legacy', 'legacy' ];
|
|
|
|
|
|
$new = [ 'html5', 'legacy' ];
|
|
|
|
|
|
$allNew = [ 'html5', 'html5' ];
|
|
|
|
|
|
|
|
|
|
|
|
return [
|
|
|
|
|
|
// Pure legacy: how MW worked before 2017
|
|
|
|
|
|
[ 'Attribute', $legacy, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
|
|
|
|
|
|
[ 'Attribute', $legacy, $text, false, Sanitizer::ID_FALLBACK ],
|
|
|
|
|
|
[ 'Link', $legacy, $text, $legacyEncoded ],
|
|
|
|
|
|
[ 'ExternalInterwiki', $legacy, $text, $legacyEncoded ],
|
|
|
|
|
|
|
|
|
|
|
|
// Transition to a new world: legacy links with HTML5 fallback
|
|
|
|
|
|
[ 'Attribute', $legacyNew, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
|
|
|
|
|
|
[ 'Attribute', $legacyNew, $text, $html5Encoded, Sanitizer::ID_FALLBACK ],
|
|
|
|
|
|
[ 'Link', $legacyNew, $text, $legacyEncoded ],
|
|
|
|
|
|
[ 'ExternalInterwiki', $legacyNew, $text, $legacyEncoded ],
|
|
|
|
|
|
|
|
|
|
|
|
// New world: HTML5 links, legacy fallbacks
|
|
|
|
|
|
[ 'Attribute', $newLegacy, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
|
|
|
|
|
|
[ 'Attribute', $newLegacy, $text, $legacyEncoded, Sanitizer::ID_FALLBACK ],
|
2017-09-01 00:48:42 +00:00
|
|
|
|
[ 'Link', $newLegacy, $text, $html5Encoded ],
|
2017-06-30 00:13:12 +00:00
|
|
|
|
[ 'ExternalInterwiki', $newLegacy, $text, $legacyEncoded ],
|
|
|
|
|
|
|
|
|
|
|
|
// Distant future: no legacy fallbacks, but still linking to leagacy wikis
|
|
|
|
|
|
[ 'Attribute', $new, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
|
|
|
|
|
|
[ 'Attribute', $new, $text, false, Sanitizer::ID_FALLBACK ],
|
2017-09-01 00:48:42 +00:00
|
|
|
|
[ 'Link', $new, $text, $html5Encoded ],
|
2017-06-30 00:13:12 +00:00
|
|
|
|
[ 'ExternalInterwiki', $new, $text, $legacyEncoded ],
|
|
|
|
|
|
|
|
|
|
|
|
// Just before the heat death of universe: external interwikis are also HTML5 \m/
|
|
|
|
|
|
[ 'Attribute', $allNew, $text, $html5Encoded, Sanitizer::ID_PRIMARY ],
|
|
|
|
|
|
[ 'Attribute', $allNew, $text, false, Sanitizer::ID_FALLBACK ],
|
2017-09-01 00:48:42 +00:00
|
|
|
|
[ 'Link', $allNew, $text, $html5Encoded ],
|
|
|
|
|
|
[ 'ExternalInterwiki', $allNew, $text, $html5Encoded ],
|
2017-06-30 00:13:12 +00:00
|
|
|
|
];
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-11-14 22:16:14 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @dataProvider provideStripAllTags
|
|
|
|
|
|
*
|
|
|
|
|
|
* @covers Sanitizer::stripAllTags()
|
2018-02-06 05:15:52 +00:00
|
|
|
|
* @covers RemexStripTagHandler
|
2017-11-14 22:16:14 +00:00
|
|
|
|
*
|
|
|
|
|
|
* @param string $input
|
|
|
|
|
|
* @param string $expected
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testStripAllTags( $input, $expected ) {
|
|
|
|
|
|
$this->assertEquals( $expected, Sanitizer::stripAllTags( $input ) );
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function provideStripAllTags() {
|
|
|
|
|
|
return [
|
|
|
|
|
|
[ '<p>Foo</p>', 'Foo' ],
|
2018-09-10 23:39:09 +00:00
|
|
|
|
[ '<p id="one">Foo</p><p id="two">Bar</p>', 'Foo Bar' ],
|
2017-11-14 22:16:14 +00:00
|
|
|
|
[ "<p>Foo</p>\n<p>Bar</p>", 'Foo Bar' ],
|
|
|
|
|
|
[ '<p>Hello <strong> world café</p>', 'Hello <strong> world café' ],
|
2017-11-14 22:22:31 +00:00
|
|
|
|
[
|
|
|
|
|
|
'<p><small data-foo=\'bar"<baz>quux\'><a href="./Foo">Bar</a></small> Whee!</p>',
|
|
|
|
|
|
'Bar Whee!'
|
|
|
|
|
|
],
|
2017-11-14 22:16:14 +00:00
|
|
|
|
[ '1<span class="<?php">2</span>3', '123' ],
|
|
|
|
|
|
[ '1<span class="<?">2</span>3', '123' ],
|
|
|
|
|
|
];
|
|
|
|
|
|
}
|
|
|
|
|
|
|
2017-06-30 00:13:12 +00:00
|
|
|
|
/**
|
|
|
|
|
|
* @expectedException InvalidArgumentException
|
|
|
|
|
|
* @covers Sanitizer::escapeIdInternal()
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testInvalidFragmentThrows() {
|
|
|
|
|
|
$this->setMwGlobals( 'wgFragmentMode', [ 'boom!' ] );
|
|
|
|
|
|
Sanitizer::escapeIdForAttribute( 'This should throw' );
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* @expectedException UnexpectedValueException
|
|
|
|
|
|
* @covers Sanitizer::escapeIdForAttribute()
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testNoPrimaryFragmentModeThrows() {
|
|
|
|
|
|
$this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
|
|
|
|
|
|
Sanitizer::escapeIdForAttribute( 'This should throw' );
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
|
* @expectedException UnexpectedValueException
|
|
|
|
|
|
* @covers Sanitizer::escapeIdForLink()
|
|
|
|
|
|
*/
|
|
|
|
|
|
public function testNoPrimaryFragmentModeThrows2() {
|
|
|
|
|
|
$this->setMwGlobals( 'wgFragmentMode', [ 666 => 'html5' ] );
|
|
|
|
|
|
Sanitizer::escapeIdForLink( 'This should throw' );
|
|
|
|
|
|
}
|
2010-12-14 16:26:35 +00:00
|
|
|
|
}
|
