2011-07-04 19:51:35 +00:00
|
|
|
<?php
|
|
|
|
|
|
2019-08-26 12:24:37 +00:00
|
|
|
use MediaWiki\MediaWikiServices;
|
2019-10-06 04:54:59 +00:00
|
|
|
|
2020-06-30 15:09:24 +00:00
|
|
|
class HtmlTest extends MediaWikiIntegrationTestCase {
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
private $restoreWarnings;
|
2011-07-04 19:51:35 +00:00
|
|
|
|
2019-10-20 18:11:08 +00:00
|
|
|
protected function setUp() : void {
|
2012-10-08 10:59:55 +00:00
|
|
|
parent::setUp();
|
2012-08-30 09:56:21 +00:00
|
|
|
|
2016-03-09 16:47:58 +00:00
|
|
|
$this->setMwGlobals( [
|
2016-03-24 14:51:13 +00:00
|
|
|
'wgUseMediaWikiUIEverywhere' => false,
|
2016-03-09 16:47:58 +00:00
|
|
|
] );
|
|
|
|
|
|
2019-08-26 12:24:37 +00:00
|
|
|
$langFactory = MediaWikiServices::getInstance()->getLanguageFactory();
|
|
|
|
|
$contLangObj = $langFactory->getLanguage( 'en' );
|
2012-01-25 03:25:54 +00:00
|
|
|
|
|
|
|
|
// Hardcode namespaces during test runs,
|
|
|
|
|
// so that html output based on existing namespaces
|
|
|
|
|
// can be properly evaluated.
|
2018-10-12 18:23:02 +00:00
|
|
|
$contLangObj->setNamespaces( [
|
2012-01-25 03:25:54 +00:00
|
|
|
-2 => 'Media',
|
|
|
|
|
-1 => 'Special',
|
2013-02-14 11:22:13 +00:00
|
|
|
0 => '',
|
|
|
|
|
1 => 'Talk',
|
|
|
|
|
2 => 'User',
|
|
|
|
|
3 => 'User_talk',
|
|
|
|
|
4 => 'MyWiki',
|
|
|
|
|
5 => 'MyWiki_Talk',
|
|
|
|
|
6 => 'File',
|
|
|
|
|
7 => 'File_talk',
|
|
|
|
|
8 => 'MediaWiki',
|
|
|
|
|
9 => 'MediaWiki_talk',
|
|
|
|
|
10 => 'Template',
|
|
|
|
|
11 => 'Template_talk',
|
|
|
|
|
14 => 'Category',
|
|
|
|
|
15 => 'Category_talk',
|
|
|
|
|
100 => 'Custom',
|
|
|
|
|
101 => 'Custom_talk',
|
2016-02-17 09:09:32 +00:00
|
|
|
] );
|
2018-10-12 18:23:02 +00:00
|
|
|
$this->setContentLang( $contLangObj );
|
|
|
|
|
|
2019-08-26 12:24:37 +00:00
|
|
|
$userLangObj = $langFactory->getLanguage( 'es' );
|
2018-10-12 18:23:02 +00:00
|
|
|
$userLangObj->setNamespaces( [
|
|
|
|
|
-2 => "Medio",
|
|
|
|
|
-1 => "Especial",
|
|
|
|
|
0 => "",
|
|
|
|
|
1 => "Discusión",
|
|
|
|
|
2 => "Usuario",
|
|
|
|
|
3 => "Usuario discusión",
|
|
|
|
|
4 => "Wiki",
|
|
|
|
|
5 => "Wiki discusión",
|
|
|
|
|
6 => "Archivo",
|
|
|
|
|
7 => "Archivo discusión",
|
|
|
|
|
8 => "MediaWiki",
|
|
|
|
|
9 => "MediaWiki discusión",
|
|
|
|
|
10 => "Plantilla",
|
|
|
|
|
11 => "Plantilla discusión",
|
|
|
|
|
12 => "Ayuda",
|
|
|
|
|
13 => "Ayuda discusión",
|
|
|
|
|
14 => "Categoría",
|
|
|
|
|
15 => "Categoría discusión",
|
|
|
|
|
100 => "Personalizado",
|
|
|
|
|
101 => "Personalizado discusión",
|
|
|
|
|
] );
|
|
|
|
|
$this->setUserLang( $userLangObj );
|
|
|
|
|
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
$this->restoreWarnings = false;
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-20 18:11:08 +00:00
|
|
|
protected function tearDown() : void {
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
if ( $this->restoreWarnings ) {
|
|
|
|
|
$this->restoreWarnings = false;
|
|
|
|
|
Wikimedia\restoreWarnings();
|
|
|
|
|
}
|
2018-10-10 04:41:51 +00:00
|
|
|
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
parent::tearDown();
|
2011-07-04 19:51:35 +00:00
|
|
|
}
|
2012-08-30 09:56:21 +00:00
|
|
|
|
2018-09-04 17:44:44 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::openElement
|
|
|
|
|
*/
|
|
|
|
|
public function testOpenElement() {
|
2021-01-02 20:32:36 +00:00
|
|
|
$this->expectNotice();
|
|
|
|
|
$this->expectNoticeMessage( 'given element name with space' );
|
2018-09-04 17:44:44 +00:00
|
|
|
Html::openElement( 'span id="x"' );
|
|
|
|
|
}
|
|
|
|
|
|
2013-10-24 10:54:02 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::element
|
2017-04-01 01:13:09 +00:00
|
|
|
* @covers Html::rawElement
|
|
|
|
|
* @covers Html::openElement
|
|
|
|
|
* @covers Html::closeElement
|
2013-10-24 10:54:02 +00:00
|
|
|
*/
|
2012-10-08 10:59:55 +00:00
|
|
|
public function testElementBasics() {
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<img/>',
|
2012-10-08 10:59:55 +00:00
|
|
|
Html::element( 'img', null, '' ),
|
2016-05-18 19:54:49 +00:00
|
|
|
'Self-closing tag for short-tag elements'
|
2012-10-08 10:59:55 +00:00
|
|
|
);
|
2012-08-30 09:56:21 +00:00
|
|
|
|
2012-10-08 10:59:55 +00:00
|
|
|
$this->assertEquals(
|
|
|
|
|
'<element></element>',
|
|
|
|
|
Html::element( 'element', null, null ),
|
|
|
|
|
'Close tag for empty element (null, null)'
|
|
|
|
|
);
|
|
|
|
|
|
|
|
|
|
$this->assertEquals(
|
|
|
|
|
'<element></element>',
|
2016-02-17 09:09:32 +00:00
|
|
|
Html::element( 'element', [], '' ),
|
2012-10-08 10:59:55 +00:00
|
|
|
'Close tag for empty element (array, string)'
|
|
|
|
|
);
|
2011-07-04 19:51:35 +00:00
|
|
|
}
|
|
|
|
|
|
2013-05-10 04:04:33 +00:00
|
|
|
public function dataXmlMimeType() {
|
2016-02-17 09:09:32 +00:00
|
|
|
return [
|
2013-05-10 04:04:33 +00:00
|
|
|
// ( $mimetype, $isXmlMimeType )
|
|
|
|
|
# HTML is not an XML MimeType
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'text/html', false ],
|
2013-05-10 04:04:33 +00:00
|
|
|
# XML is an XML MimeType
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'text/xml', true ],
|
|
|
|
|
[ 'application/xml', true ],
|
2013-05-10 04:04:33 +00:00
|
|
|
# XHTML is an XML MimeType
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'application/xhtml+xml', true ],
|
2013-05-10 04:04:33 +00:00
|
|
|
# Make sure other +xml MimeTypes are supported
|
|
|
|
|
# SVG is another random MimeType even though we don't use it
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'image/svg+xml', true ],
|
2013-05-10 04:04:33 +00:00
|
|
|
# Complete random other MimeTypes are not XML
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'text/plain', false ],
|
|
|
|
|
];
|
2013-05-10 04:04:33 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dataProvider dataXmlMimeType
|
2013-10-24 10:54:02 +00:00
|
|
|
* @covers Html::isXmlMimeType
|
2013-05-10 04:04:33 +00:00
|
|
|
*/
|
|
|
|
|
public function testXmlMimeType( $mimetype, $isXmlMimeType ) {
|
|
|
|
|
$this->assertEquals( $isXmlMimeType, Html::isXmlMimeType( $mimetype ) );
|
|
|
|
|
}
|
|
|
|
|
|
2020-12-21 02:15:17 +00:00
|
|
|
public function provideExpandAttributes() {
|
|
|
|
|
// $expect, $attributes
|
|
|
|
|
yield 'keep keys with an empty string' => [
|
2014-05-10 08:58:19 +00:00
|
|
|
' foo=""',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'foo' => '' ]
|
|
|
|
|
];
|
|
|
|
|
yield 'False bool attribs have no output' => [
|
2011-07-04 19:51:35 +00:00
|
|
|
'',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'selected' => false ]
|
|
|
|
|
];
|
|
|
|
|
yield 'Null bool attribs have no output' => [
|
2011-07-04 19:51:35 +00:00
|
|
|
'',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'selected' => null ]
|
|
|
|
|
];
|
|
|
|
|
yield 'True bool attribs have output' => [
|
2016-04-20 17:22:51 +00:00
|
|
|
' selected=""',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'selected' => true ]
|
|
|
|
|
];
|
|
|
|
|
yield 'True bool attribs have output (passed as numerical array)' => [
|
2016-04-20 17:22:51 +00:00
|
|
|
' selected=""',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'selected' ]
|
|
|
|
|
];
|
|
|
|
|
yield 'integer value is cast to string' => [
|
2016-04-20 17:22:51 +00:00
|
|
|
' value="1"',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'value' => 1 ]
|
|
|
|
|
];
|
|
|
|
|
yield 'float value is cast to string' => [
|
2016-04-20 17:22:51 +00:00
|
|
|
' value="1.1"',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'value' => 1.1 ]
|
|
|
|
|
];
|
|
|
|
|
yield 'object value is converted to string' => [
|
|
|
|
|
' value="stringValue"',
|
|
|
|
|
[ 'value' => new HtmlTestValue() ]
|
|
|
|
|
];
|
|
|
|
|
yield 'Empty string is always quoted' => [
|
|
|
|
|
' empty_string=""',
|
|
|
|
|
[ 'empty_string' => '' ]
|
|
|
|
|
];
|
|
|
|
|
yield 'Simple string value needs no quotes' => [
|
|
|
|
|
' key="value"',
|
|
|
|
|
[ 'key' => 'value' ]
|
|
|
|
|
];
|
|
|
|
|
yield 'Number 1 value needs no quotes' => [
|
|
|
|
|
' one="1"',
|
|
|
|
|
[ 'one' => 1 ]
|
|
|
|
|
];
|
|
|
|
|
yield 'Number 0 value needs no quotes' => [
|
|
|
|
|
' zero="0"',
|
|
|
|
|
[ 'zero' => 0 ]
|
|
|
|
|
];
|
2014-05-10 08:58:19 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2016-02-09 21:00:38 +00:00
|
|
|
* @covers Html::expandAttributes
|
2020-12-21 02:15:17 +00:00
|
|
|
* @dataProvider provideExpandAttributes
|
2014-05-10 08:58:19 +00:00
|
|
|
*/
|
2020-12-21 02:15:17 +00:00
|
|
|
public function testExpandAttributes( string $expect, array $attribs ) {
|
|
|
|
|
$this->assertEquals( $expect, Html::expandAttributes( $attribs ) );
|
2014-05-10 08:58:19 +00:00
|
|
|
}
|
|
|
|
|
|
2020-12-21 02:15:17 +00:00
|
|
|
public function provideExpandAttributesEmpty() {
|
|
|
|
|
// $attributes
|
|
|
|
|
yield 'skip keys with null value' => [ [ 'foo' => null ] ];
|
|
|
|
|
yield 'skip keys with false value' => [ [ 'foo' => false ] ];
|
2011-07-04 19:51:35 +00:00
|
|
|
}
|
2011-09-03 03:55:23 +00:00
|
|
|
|
|
|
|
|
/**
|
2013-10-24 10:54:02 +00:00
|
|
|
* @covers Html::expandAttributes
|
2020-12-21 02:15:17 +00:00
|
|
|
* @dataProvider provideExpandAttributesEmpty
|
2011-09-03 03:55:23 +00:00
|
|
|
*/
|
2020-12-21 02:15:17 +00:00
|
|
|
public function testExpandAttributesEmpty( array $attribs ) {
|
|
|
|
|
$this->assertEmpty( Html::expandAttributes( $attribs ) );
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
public function provideExpandAttributesClass() {
|
|
|
|
|
// $expect, $classes
|
|
|
|
|
// string values
|
|
|
|
|
yield 'Normalization should strip redundant spaces' => [
|
2011-09-03 03:55:23 +00:00
|
|
|
' class="redundant spaces here"',
|
2020-12-21 02:15:17 +00:00
|
|
|
' redundant spaces here '
|
|
|
|
|
];
|
|
|
|
|
yield 'Normalization should remove duplicates in string-lists' => [
|
2011-09-03 03:55:23 +00:00
|
|
|
' class="foo bar"',
|
2020-12-21 02:15:17 +00:00
|
|
|
'foo bar foo bar bar'
|
|
|
|
|
];
|
|
|
|
|
// array values
|
|
|
|
|
yield 'Value with an empty array' => [
|
2011-09-03 03:55:23 +00:00
|
|
|
' class=""',
|
2020-12-21 02:15:17 +00:00
|
|
|
[]
|
|
|
|
|
];
|
|
|
|
|
yield 'Array with null, empty string and spaces' => [
|
2011-09-03 03:55:23 +00:00
|
|
|
' class=""',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ null, '', ' ', ' ' ]
|
|
|
|
|
];
|
|
|
|
|
yield 'Normalization should remove duplicates in the array' => [
|
2011-09-03 03:55:23 +00:00
|
|
|
' class="foo bar"',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'foo', 'bar', 'foo', 'bar', 'bar' ]
|
|
|
|
|
];
|
|
|
|
|
yield 'Normalization should remove duplicates in string-lists in the array' => [
|
2011-09-03 03:55:23 +00:00
|
|
|
' class="foo bar"',
|
2020-12-21 02:15:17 +00:00
|
|
|
[ 'foo bar', 'bar foo', 'foo', 'bar bar' ]
|
|
|
|
|
];
|
2011-10-24 17:45:45 +00:00
|
|
|
|
2020-12-21 02:15:17 +00:00
|
|
|
// Feature added in r96188 - pass attributes values as a PHP array
|
|
|
|
|
// only applies to class, rel, and accesskey
|
|
|
|
|
yield 'Associative array' => [
|
2011-10-24 17:45:45 +00:00
|
|
|
' class="booltrue one"',
|
2020-12-21 02:15:17 +00:00
|
|
|
[
|
2011-10-24 17:45:45 +00:00
|
|
|
'booltrue' => true,
|
|
|
|
|
'one' => 1,
|
|
|
|
|
|
|
|
|
|
# Method use isset() internally, make sure we do discard
|
2013-02-14 11:22:13 +00:00
|
|
|
# attributes values which have been assigned well known values
|
2011-10-24 17:45:45 +00:00
|
|
|
'emptystring' => '',
|
|
|
|
|
'boolfalse' => false,
|
|
|
|
|
'zero' => 0,
|
|
|
|
|
'null' => null,
|
2020-12-21 02:15:17 +00:00
|
|
|
]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
// How do we handle duplicate keys in HTML attributes expansion?
|
|
|
|
|
// We could pass a "class" the values: 'GREEN' and [ 'GREEN' => false ]
|
|
|
|
|
// The latter will take precedence
|
|
|
|
|
yield 'Duplicate keys' => [
|
|
|
|
|
' class=""',
|
|
|
|
|
[
|
|
|
|
|
'GREEN',
|
|
|
|
|
'GREEN' => false,
|
|
|
|
|
'GREEN',
|
|
|
|
|
]
|
|
|
|
|
];
|
2011-10-24 17:45:45 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
2020-12-21 02:15:17 +00:00
|
|
|
* Html::expandAttributes has special features for HTML
|
|
|
|
|
* attributes that use space separated lists and also
|
|
|
|
|
* allows arrays to be used as values.
|
2011-10-24 17:45:45 +00:00
|
|
|
*
|
2013-10-24 10:54:02 +00:00
|
|
|
* @covers Html::expandAttributes
|
2020-12-21 02:15:17 +00:00
|
|
|
* @dataProvider provideExpandAttributesClass
|
2011-10-24 17:45:45 +00:00
|
|
|
*/
|
2020-12-21 02:15:17 +00:00
|
|
|
public function testExpandAttributesClass( string $expect, $classes ) {
|
2011-10-24 17:45:45 +00:00
|
|
|
$this->assertEquals(
|
2020-12-21 02:15:17 +00:00
|
|
|
$expect,
|
|
|
|
|
Html::expandAttributes( [ 'class' => $classes ] )
|
2011-10-24 17:45:45 +00:00
|
|
|
);
|
|
|
|
|
}
|
2012-01-25 03:25:54 +00:00
|
|
|
|
2014-05-10 08:58:19 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::expandAttributes
|
|
|
|
|
*/
|
|
|
|
|
public function testExpandAttributes_ArrayOnNonListValueAttribute_ThrowsException() {
|
|
|
|
|
// Real-life test case found in the Popups extension (see Gerrit cf0fd64),
|
|
|
|
|
// when used with an outdated BetaFeatures extension (see Gerrit deda1e7)
|
2019-10-11 22:22:26 +00:00
|
|
|
$this->expectException( MWException::class );
|
2016-02-17 09:09:32 +00:00
|
|
|
Html::expandAttributes( [
|
|
|
|
|
'src' => [
|
2014-05-10 08:58:19 +00:00
|
|
|
'ltr' => 'ltr.svg',
|
|
|
|
|
'rtl' => 'rtl.svg'
|
2016-02-17 09:09:32 +00:00
|
|
|
]
|
|
|
|
|
] );
|
2014-05-10 08:58:19 +00:00
|
|
|
}
|
|
|
|
|
|
2013-10-24 10:54:02 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::namespaceSelector
|
2017-04-01 01:13:09 +00:00
|
|
|
* @covers Html::namespaceSelectorOptions
|
2013-10-24 10:54:02 +00:00
|
|
|
*/
|
2013-10-23 22:51:31 +00:00
|
|
|
public function testNamespaceSelector() {
|
2012-01-25 03:25:54 +00:00
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<select id="namespace" name="namespace">' . "\n" .
|
2018-10-12 18:23:02 +00:00
|
|
|
'<option value="0">(Principal)</option>' . "\n" .
|
2016-04-20 17:22:51 +00:00
|
|
|
'<option value="1">Talk</option>' . "\n" .
|
|
|
|
|
'<option value="2">User</option>' . "\n" .
|
|
|
|
|
'<option value="3">User talk</option>' . "\n" .
|
|
|
|
|
'<option value="4">MyWiki</option>' . "\n" .
|
|
|
|
|
'<option value="5">MyWiki Talk</option>' . "\n" .
|
|
|
|
|
'<option value="6">File</option>' . "\n" .
|
|
|
|
|
'<option value="7">File talk</option>' . "\n" .
|
|
|
|
|
'<option value="8">MediaWiki</option>' . "\n" .
|
|
|
|
|
'<option value="9">MediaWiki talk</option>' . "\n" .
|
|
|
|
|
'<option value="10">Template</option>' . "\n" .
|
|
|
|
|
'<option value="11">Template talk</option>' . "\n" .
|
|
|
|
|
'<option value="14">Category</option>' . "\n" .
|
|
|
|
|
'<option value="15">Category talk</option>' . "\n" .
|
|
|
|
|
'<option value="100">Custom</option>' . "\n" .
|
|
|
|
|
'<option value="101">Custom talk</option>' . "\n" .
|
2013-02-14 11:22:13 +00:00
|
|
|
'</select>',
|
2012-01-25 03:25:54 +00:00
|
|
|
Html::namespaceSelector(),
|
|
|
|
|
'Basic namespace selector without custom options'
|
|
|
|
|
);
|
2012-03-07 19:14:20 +00:00
|
|
|
|
2012-01-25 03:25:54 +00:00
|
|
|
$this->assertEquals(
|
2016-12-27 21:14:16 +00:00
|
|
|
'<label for="mw-test-namespace">Select a namespace:</label>' . "\u{00A0}" .
|
2016-04-20 17:22:51 +00:00
|
|
|
'<select id="mw-test-namespace" name="wpNamespace">' . "\n" .
|
2018-10-12 18:23:02 +00:00
|
|
|
'<option value="all">todos</option>' . "\n" .
|
|
|
|
|
'<option value="0">(Principal)</option>' . "\n" .
|
2016-04-20 17:22:51 +00:00
|
|
|
'<option value="1">Talk</option>' . "\n" .
|
|
|
|
|
'<option value="2" selected="">User</option>' . "\n" .
|
|
|
|
|
'<option value="3">User talk</option>' . "\n" .
|
|
|
|
|
'<option value="4">MyWiki</option>' . "\n" .
|
|
|
|
|
'<option value="5">MyWiki Talk</option>' . "\n" .
|
|
|
|
|
'<option value="6">File</option>' . "\n" .
|
|
|
|
|
'<option value="7">File talk</option>' . "\n" .
|
|
|
|
|
'<option value="8">MediaWiki</option>' . "\n" .
|
|
|
|
|
'<option value="9">MediaWiki talk</option>' . "\n" .
|
|
|
|
|
'<option value="10">Template</option>' . "\n" .
|
|
|
|
|
'<option value="11">Template talk</option>' . "\n" .
|
|
|
|
|
'<option value="14">Category</option>' . "\n" .
|
|
|
|
|
'<option value="15">Category talk</option>' . "\n" .
|
|
|
|
|
'<option value="100">Custom</option>' . "\n" .
|
|
|
|
|
'<option value="101">Custom talk</option>' . "\n" .
|
2013-02-14 11:22:13 +00:00
|
|
|
'</select>',
|
2012-01-25 03:25:54 +00:00
|
|
|
Html::namespaceSelector(
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'selected' => '2', 'all' => 'all', 'label' => 'Select a namespace:' ],
|
|
|
|
|
[ 'name' => 'wpNamespace', 'id' => 'mw-test-namespace' ]
|
2012-01-25 03:25:54 +00:00
|
|
|
),
|
|
|
|
|
'Basic namespace selector with custom values'
|
|
|
|
|
);
|
2012-02-14 09:59:59 +00:00
|
|
|
|
2012-03-07 19:14:20 +00:00
|
|
|
$this->assertEquals(
|
2016-12-27 21:14:16 +00:00
|
|
|
'<label for="namespace">Select a namespace:</label>' . "\u{00A0}" .
|
2016-04-20 17:22:51 +00:00
|
|
|
'<select id="namespace" name="namespace">' . "\n" .
|
2018-10-12 18:23:02 +00:00
|
|
|
'<option value="0">(Principal)</option>' . "\n" .
|
2016-04-20 17:22:51 +00:00
|
|
|
'<option value="1">Talk</option>' . "\n" .
|
|
|
|
|
'<option value="2">User</option>' . "\n" .
|
|
|
|
|
'<option value="3">User talk</option>' . "\n" .
|
|
|
|
|
'<option value="4">MyWiki</option>' . "\n" .
|
|
|
|
|
'<option value="5">MyWiki Talk</option>' . "\n" .
|
|
|
|
|
'<option value="6">File</option>' . "\n" .
|
|
|
|
|
'<option value="7">File talk</option>' . "\n" .
|
|
|
|
|
'<option value="8">MediaWiki</option>' . "\n" .
|
|
|
|
|
'<option value="9">MediaWiki talk</option>' . "\n" .
|
|
|
|
|
'<option value="10">Template</option>' . "\n" .
|
|
|
|
|
'<option value="11">Template talk</option>' . "\n" .
|
|
|
|
|
'<option value="14">Category</option>' . "\n" .
|
|
|
|
|
'<option value="15">Category talk</option>' . "\n" .
|
|
|
|
|
'<option value="100">Custom</option>' . "\n" .
|
|
|
|
|
'<option value="101">Custom talk</option>' . "\n" .
|
2013-02-14 11:22:13 +00:00
|
|
|
'</select>',
|
2012-03-07 19:14:20 +00:00
|
|
|
Html::namespaceSelector(
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'label' => 'Select a namespace:' ]
|
2012-03-07 19:14:20 +00:00
|
|
|
),
|
|
|
|
|
'Basic namespace selector with a custom label but no id attribtue for the <select>'
|
|
|
|
|
);
|
2018-09-10 20:14:20 +00:00
|
|
|
|
|
|
|
|
$this->assertEquals(
|
|
|
|
|
'<select id="namespace" name="namespace">' . "\n" .
|
|
|
|
|
'<option value="0">(Principal)</option>' . "\n" .
|
|
|
|
|
'<option value="1">Discusión</option>' . "\n" .
|
|
|
|
|
'<option value="2">Usuario</option>' . "\n" .
|
|
|
|
|
'<option value="3">Usuario discusión</option>' . "\n" .
|
|
|
|
|
'<option value="4">Wiki</option>' . "\n" .
|
|
|
|
|
'<option value="5">Wiki discusión</option>' . "\n" .
|
|
|
|
|
'<option value="6">Archivo</option>' . "\n" .
|
|
|
|
|
'<option value="7">Archivo discusión</option>' . "\n" .
|
|
|
|
|
'<option value="8">MediaWiki</option>' . "\n" .
|
|
|
|
|
'<option value="9">MediaWiki discusión</option>' . "\n" .
|
|
|
|
|
'<option value="10">Plantilla</option>' . "\n" .
|
|
|
|
|
'<option value="11">Plantilla discusión</option>' . "\n" .
|
|
|
|
|
'<option value="12">Ayuda</option>' . "\n" .
|
|
|
|
|
'<option value="13">Ayuda discusión</option>' . "\n" .
|
|
|
|
|
'<option value="14">Categoría</option>' . "\n" .
|
|
|
|
|
'<option value="15">Categoría discusión</option>' . "\n" .
|
|
|
|
|
'<option value="100">Personalizado</option>' . "\n" .
|
|
|
|
|
'<option value="101">Personalizado discusión</option>' . "\n" .
|
|
|
|
|
'</select>',
|
|
|
|
|
Html::namespaceSelector(
|
|
|
|
|
[ 'in-user-lang' => true ]
|
|
|
|
|
),
|
|
|
|
|
'Basic namespace selector in user language'
|
|
|
|
|
);
|
2012-03-07 19:14:20 +00:00
|
|
|
}
|
|
|
|
|
|
2017-12-25 07:28:03 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::namespaceSelector
|
|
|
|
|
*/
|
2013-10-23 22:51:31 +00:00
|
|
|
public function testCanFilterOutNamespaces() {
|
2012-03-07 19:14:20 +00:00
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<select id="namespace" name="namespace">' . "\n" .
|
|
|
|
|
'<option value="2">User</option>' . "\n" .
|
|
|
|
|
'<option value="4">MyWiki</option>' . "\n" .
|
|
|
|
|
'<option value="5">MyWiki Talk</option>' . "\n" .
|
|
|
|
|
'<option value="6">File</option>' . "\n" .
|
|
|
|
|
'<option value="7">File talk</option>' . "\n" .
|
|
|
|
|
'<option value="8">MediaWiki</option>' . "\n" .
|
|
|
|
|
'<option value="9">MediaWiki talk</option>' . "\n" .
|
|
|
|
|
'<option value="10">Template</option>' . "\n" .
|
|
|
|
|
'<option value="11">Template talk</option>' . "\n" .
|
|
|
|
|
'<option value="14">Category</option>' . "\n" .
|
|
|
|
|
'<option value="15">Category talk</option>' . "\n" .
|
2013-02-14 11:22:13 +00:00
|
|
|
'</select>',
|
2012-02-13 15:08:26 +00:00
|
|
|
Html::namespaceSelector(
|
2016-02-17 09:09:32 +00:00
|
|
|
[ 'exclude' => [ 0, 1, 3, 100, 101 ] ]
|
2012-02-13 15:08:26 +00:00
|
|
|
),
|
2012-02-14 09:59:59 +00:00
|
|
|
'Namespace selector namespace filtering.'
|
|
|
|
|
);
|
2019-07-04 08:02:28 +00:00
|
|
|
$this->assertEquals(
|
|
|
|
|
'<select id="namespace" name="namespace">' . "\n" .
|
|
|
|
|
'<option value="" selected="">todos</option>' . "\n" .
|
|
|
|
|
'<option value="2">User</option>' . "\n" .
|
|
|
|
|
'<option value="4">MyWiki</option>' . "\n" .
|
|
|
|
|
'<option value="5">MyWiki Talk</option>' . "\n" .
|
|
|
|
|
'<option value="6">File</option>' . "\n" .
|
|
|
|
|
'<option value="7">File talk</option>' . "\n" .
|
|
|
|
|
'<option value="8">MediaWiki</option>' . "\n" .
|
|
|
|
|
'<option value="9">MediaWiki talk</option>' . "\n" .
|
|
|
|
|
'<option value="10">Template</option>' . "\n" .
|
|
|
|
|
'<option value="11">Template talk</option>' . "\n" .
|
|
|
|
|
'<option value="14">Category</option>' . "\n" .
|
|
|
|
|
'<option value="15">Category talk</option>' . "\n" .
|
|
|
|
|
'</select>',
|
|
|
|
|
Html::namespaceSelector(
|
|
|
|
|
[ 'exclude' => [ 0, 1, 3, 100, 101 ], 'all' => '' ]
|
|
|
|
|
),
|
|
|
|
|
'Namespace selector namespace filtering with empty custom "all" option.'
|
|
|
|
|
);
|
2012-03-07 19:14:20 +00:00
|
|
|
}
|
2012-02-14 09:59:59 +00:00
|
|
|
|
2017-12-25 07:28:03 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::namespaceSelector
|
|
|
|
|
*/
|
2013-10-23 22:51:31 +00:00
|
|
|
public function testCanDisableANamespaces() {
|
2012-03-07 19:14:20 +00:00
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<select id="namespace" name="namespace">' . "\n" .
|
2018-10-12 18:23:02 +00:00
|
|
|
'<option disabled="" value="0">(Principal)</option>' . "\n" .
|
2016-04-20 17:22:51 +00:00
|
|
|
'<option disabled="" value="1">Talk</option>' . "\n" .
|
|
|
|
|
'<option disabled="" value="2">User</option>' . "\n" .
|
|
|
|
|
'<option disabled="" value="3">User talk</option>' . "\n" .
|
|
|
|
|
'<option disabled="" value="4">MyWiki</option>' . "\n" .
|
|
|
|
|
'<option value="5">MyWiki Talk</option>' . "\n" .
|
|
|
|
|
'<option value="6">File</option>' . "\n" .
|
|
|
|
|
'<option value="7">File talk</option>' . "\n" .
|
|
|
|
|
'<option value="8">MediaWiki</option>' . "\n" .
|
|
|
|
|
'<option value="9">MediaWiki talk</option>' . "\n" .
|
|
|
|
|
'<option value="10">Template</option>' . "\n" .
|
|
|
|
|
'<option value="11">Template talk</option>' . "\n" .
|
|
|
|
|
'<option value="14">Category</option>' . "\n" .
|
|
|
|
|
'<option value="15">Category talk</option>' . "\n" .
|
|
|
|
|
'<option value="100">Custom</option>' . "\n" .
|
|
|
|
|
'<option value="101">Custom talk</option>' . "\n" .
|
2013-02-14 11:22:13 +00:00
|
|
|
'</select>',
|
2016-02-17 09:09:32 +00:00
|
|
|
Html::namespaceSelector( [
|
|
|
|
|
'disable' => [ 0, 1, 2, 3, 4 ]
|
|
|
|
|
] ),
|
2012-02-14 09:59:59 +00:00
|
|
|
'Namespace selector namespace disabling'
|
2012-02-13 15:08:26 +00:00
|
|
|
);
|
2012-01-25 03:25:54 +00:00
|
|
|
}
|
2012-01-30 10:39:51 +00:00
|
|
|
|
2012-08-30 09:57:22 +00:00
|
|
|
/**
|
2012-10-08 10:59:55 +00:00
|
|
|
* @dataProvider provideHtml5InputTypes
|
2013-10-24 10:54:02 +00:00
|
|
|
* @covers Html::element
|
2012-08-30 09:57:22 +00:00
|
|
|
*/
|
2013-10-23 22:51:31 +00:00
|
|
|
public function testHtmlElementAcceptsNewHtml5TypesInHtml5Mode( $HTML5InputType ) {
|
2012-08-30 09:57:22 +00:00
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input type="' . $HTML5InputType . '"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
Html::element( 'input', [ 'type' => $HTML5InputType ] ),
|
2016-02-09 21:00:38 +00:00
|
|
|
'In HTML5, Html::element() should accept type="' . $HTML5InputType . '"'
|
2012-08-30 09:57:22 +00:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-15 19:11:02 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::warningBox
|
|
|
|
|
* @covers Html::messageBox
|
|
|
|
|
*/
|
|
|
|
|
public function testWarningBox() {
|
|
|
|
|
$this->assertEquals(
|
2021-01-25 11:19:48 +00:00
|
|
|
'<div class="warningbox">warn</div>',
|
2020-12-21 02:15:17 +00:00
|
|
|
Html::warningBox( 'warn' )
|
2017-11-15 19:11:02 +00:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @covers Html::errorBox
|
|
|
|
|
* @covers Html::messageBox
|
|
|
|
|
*/
|
|
|
|
|
public function testErrorBox() {
|
|
|
|
|
$this->assertEquals(
|
2021-01-25 11:19:48 +00:00
|
|
|
'<div class="errorbox">err</div>',
|
2020-12-21 02:15:17 +00:00
|
|
|
Html::errorBox( 'err' )
|
2017-11-15 19:11:02 +00:00
|
|
|
);
|
|
|
|
|
$this->assertEquals(
|
2021-01-25 11:19:48 +00:00
|
|
|
'<div class="errorbox errorbox-custom-class"><h2>heading</h2>err</div>',
|
2020-12-21 02:15:17 +00:00
|
|
|
Html::errorBox( 'err', 'heading', 'errorbox-custom-class' )
|
2017-11-15 19:11:02 +00:00
|
|
|
);
|
2018-08-20 04:46:21 +00:00
|
|
|
$this->assertEquals(
|
2021-01-25 11:19:48 +00:00
|
|
|
'<div class="errorbox"><h2>0</h2>err</div>',
|
2020-12-21 02:15:17 +00:00
|
|
|
Html::errorBox( 'err', '0', '' )
|
2018-08-20 04:46:21 +00:00
|
|
|
);
|
2017-11-15 19:11:02 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @covers Html::successBox
|
|
|
|
|
* @covers Html::messageBox
|
|
|
|
|
*/
|
|
|
|
|
public function testSuccessBox() {
|
|
|
|
|
$this->assertEquals(
|
2021-01-25 11:19:48 +00:00
|
|
|
'<div class="successbox">great</div>',
|
2020-12-21 02:15:17 +00:00
|
|
|
Html::successBox( 'great' )
|
2017-11-15 19:11:02 +00:00
|
|
|
);
|
|
|
|
|
$this->assertEquals(
|
2021-01-25 11:19:48 +00:00
|
|
|
'<div class="successbox"><script>beware no escaping!</script></div>',
|
2020-12-21 02:15:17 +00:00
|
|
|
Html::successBox( '<script>beware no escaping!</script>' )
|
2017-11-15 19:11:02 +00:00
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2012-08-30 09:57:22 +00:00
|
|
|
/**
|
|
|
|
|
* List of input element types values introduced by HTML5
|
2016-10-13 05:34:26 +00:00
|
|
|
* Full list at https://www.w3.org/TR/html-markup/input.html
|
2012-08-30 09:57:22 +00:00
|
|
|
*/
|
2013-03-22 02:12:37 +00:00
|
|
|
public static function provideHtml5InputTypes() {
|
2016-02-17 09:09:32 +00:00
|
|
|
$types = [
|
2012-08-30 09:57:22 +00:00
|
|
|
'datetime',
|
|
|
|
|
'datetime-local',
|
|
|
|
|
'date',
|
|
|
|
|
'month',
|
|
|
|
|
'time',
|
|
|
|
|
'week',
|
|
|
|
|
'number',
|
|
|
|
|
'range',
|
|
|
|
|
'email',
|
|
|
|
|
'url',
|
|
|
|
|
'search',
|
|
|
|
|
'tel',
|
|
|
|
|
'color',
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2020-05-29 06:20:24 +00:00
|
|
|
|
2013-02-14 11:22:13 +00:00
|
|
|
foreach ( $types as $type ) {
|
2020-05-29 06:20:24 +00:00
|
|
|
yield [ $type ];
|
2012-08-30 09:57:22 +00:00
|
|
|
}
|
|
|
|
|
}
|
2012-08-16 07:37:56 +00:00
|
|
|
|
|
|
|
|
/**
|
2012-10-30 19:06:16 +00:00
|
|
|
* Test out Html::element drops or enforces default value
|
2013-03-11 03:16:28 +00:00
|
|
|
* @covers Html::dropDefaults
|
2012-08-16 07:37:56 +00:00
|
|
|
* @dataProvider provideElementsWithAttributesHavingDefaultValues
|
|
|
|
|
*/
|
2013-10-23 22:51:31 +00:00
|
|
|
public function testDropDefaults( $expected, $element, $attribs, $message = '' ) {
|
2012-10-08 10:59:55 +00:00
|
|
|
$this->assertEquals( $expected, Html::element( $element, $attribs ), $message );
|
2012-08-16 07:37:56 +00:00
|
|
|
}
|
|
|
|
|
|
2012-10-08 10:59:55 +00:00
|
|
|
public static function provideElementsWithAttributesHavingDefaultValues() {
|
2012-08-16 07:37:56 +00:00
|
|
|
# Use cases in a concise format:
|
|
|
|
|
# <expected>, <element name>, <array of attributes> [, <message>]
|
|
|
|
|
# Will be mapped to Html::element()
|
2016-02-17 09:09:32 +00:00
|
|
|
$cases = [];
|
2012-08-30 10:49:57 +00:00
|
|
|
|
2015-09-11 13:44:59 +00:00
|
|
|
# ## Generic cases, match $attribDefault static array
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<area/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'area', [ 'shape' => 'rect' ]
|
|
|
|
|
];
|
|
|
|
|
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<button type="submit"></button>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'button', [ 'formaction' => 'GET' ]
|
|
|
|
|
];
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<button type="submit"></button>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'button', [ 'formenctype' => 'application/x-www-form-urlencoded' ]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$cases[] = [ '<canvas></canvas>',
|
|
|
|
|
'canvas', [ 'height' => '150' ]
|
|
|
|
|
];
|
|
|
|
|
$cases[] = [ '<canvas></canvas>',
|
|
|
|
|
'canvas', [ 'width' => '300' ]
|
|
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
# Also check with numeric values
|
2016-02-17 09:09:32 +00:00
|
|
|
$cases[] = [ '<canvas></canvas>',
|
|
|
|
|
'canvas', [ 'height' => 150 ]
|
|
|
|
|
];
|
|
|
|
|
$cases[] = [ '<canvas></canvas>',
|
|
|
|
|
'canvas', [ 'width' => 300 ]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$cases[] = [ '<form></form>',
|
|
|
|
|
'form', [ 'action' => 'GET' ]
|
|
|
|
|
];
|
|
|
|
|
$cases[] = [ '<form></form>',
|
|
|
|
|
'form', [ 'autocomplete' => 'on' ]
|
|
|
|
|
];
|
|
|
|
|
$cases[] = [ '<form></form>',
|
|
|
|
|
'form', [ 'enctype' => 'application/x-www-form-urlencoded' ]
|
|
|
|
|
];
|
|
|
|
|
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<input/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'input', [ 'formaction' => 'GET' ]
|
|
|
|
|
];
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<input/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'input', [ 'type' => 'text' ]
|
|
|
|
|
];
|
|
|
|
|
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<keygen/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'keygen', [ 'keytype' => 'rsa' ]
|
|
|
|
|
];
|
|
|
|
|
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<link/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'link', [ 'media' => 'all' ]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$cases[] = [ '<menu></menu>',
|
|
|
|
|
'menu', [ 'type' => 'list' ]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$cases[] = [ '<script></script>',
|
|
|
|
|
'script', [ 'type' => 'text/javascript' ]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$cases[] = [ '<style></style>',
|
|
|
|
|
'style', [ 'media' => 'all' ]
|
|
|
|
|
];
|
|
|
|
|
$cases[] = [ '<style></style>',
|
|
|
|
|
'style', [ 'type' => 'text/css' ]
|
|
|
|
|
];
|
|
|
|
|
|
|
|
|
|
$cases[] = [ '<textarea></textarea>',
|
|
|
|
|
'textarea', [ 'wrap' => 'soft' ]
|
|
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
|
2015-09-11 13:44:59 +00:00
|
|
|
# ## SPECIFIC CASES
|
2012-08-30 10:49:57 +00:00
|
|
|
|
2012-10-08 10:59:55 +00:00
|
|
|
# <link type="text/css">
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<link/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'link', [ 'type' => 'text/css' ]
|
|
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
|
2012-10-08 10:59:55 +00:00
|
|
|
# <input> specific handling
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<input type="checkbox"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'input', [ 'type' => 'checkbox', 'value' => 'on' ],
|
2012-08-16 07:37:56 +00:00
|
|
|
'Default value "on" is stripped of checkboxes',
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<input type="radio"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'input', [ 'type' => 'radio', 'value' => 'on' ],
|
2012-08-16 07:37:56 +00:00
|
|
|
'Default value "on" is stripped of radio buttons',
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<input type="submit" value="Submit"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'input', [ 'type' => 'submit', 'value' => 'Submit' ],
|
2012-08-16 07:37:56 +00:00
|
|
|
'Default value "Submit" is kept on submit buttons (for possible l10n issues)',
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<input type="color"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'input', [ 'type' => 'color', 'value' => '' ],
|
|
|
|
|
];
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<input type="range"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'input', [ 'type' => 'range', 'value' => '' ],
|
|
|
|
|
];
|
2012-08-16 07:37:56 +00:00
|
|
|
|
2012-10-30 19:06:16 +00:00
|
|
|
# <button> specific handling
|
2017-06-09 09:55:28 +00:00
|
|
|
# see remarks on https://msdn.microsoft.com/library/ms535211(v=vs.85).aspx
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<button type="submit"></button>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'button', [ 'type' => 'submit' ],
|
2014-04-24 10:05:52 +00:00
|
|
|
'According to standard the default type is "submit". '
|
|
|
|
|
. 'Depending on compatibility mode IE might use "button", instead.',
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2012-10-30 19:06:16 +00:00
|
|
|
|
2014-12-12 08:41:27 +00:00
|
|
|
# <select> specific handling
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<select multiple=""></select>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'select', [ 'size' => '4', 'multiple' => true ],
|
|
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
# .. with numeric value
|
2016-04-20 17:22:51 +00:00
|
|
|
$cases[] = [ '<select multiple=""></select>',
|
2016-02-17 09:09:32 +00:00
|
|
|
'select', [ 'size' => 4, 'multiple' => true ],
|
|
|
|
|
];
|
|
|
|
|
$cases[] = [ '<select></select>',
|
|
|
|
|
'select', [ 'size' => '1', 'multiple' => false ],
|
|
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
# .. with numeric value
|
2016-02-17 09:09:32 +00:00
|
|
|
$cases[] = [ '<select></select>',
|
|
|
|
|
'select', [ 'size' => 1, 'multiple' => false ],
|
|
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
|
|
|
|
|
# Passing an array as value
|
2016-02-17 09:09:32 +00:00
|
|
|
$cases[] = [ '<a class="css-class-one css-class-two"></a>',
|
|
|
|
|
'a', [ 'class' => [ 'css-class-one', 'css-class-two' ] ],
|
2012-08-30 10:49:57 +00:00
|
|
|
"dropDefaults accepts values given as an array"
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
|
|
|
|
|
# FIXME: doDropDefault should remove defaults given in an array
|
|
|
|
|
# Expected should be '<a></a>'
|
2016-02-17 09:09:32 +00:00
|
|
|
$cases[] = [ '<a class=""></a>',
|
|
|
|
|
'a', [ 'class' => [ '', '' ] ],
|
2012-08-30 10:49:57 +00:00
|
|
|
"dropDefaults accepts values given as an array"
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2012-08-30 10:49:57 +00:00
|
|
|
|
2020-05-29 06:20:24 +00:00
|
|
|
return $cases;
|
2012-08-16 07:37:56 +00:00
|
|
|
}
|
|
|
|
|
|
2017-12-25 07:28:03 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::input
|
|
|
|
|
*/
|
2013-03-07 19:03:44 +00:00
|
|
|
public function testWrapperInput() {
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input type="radio" value="testval" name="testname"/>',
|
2013-03-07 19:03:44 +00:00
|
|
|
Html::input( 'testname', 'testval', 'radio' ),
|
|
|
|
|
'Input wrapper with type and value.'
|
|
|
|
|
);
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input name="testname"/>',
|
2013-03-07 19:03:44 +00:00
|
|
|
Html::input( 'testname' ),
|
|
|
|
|
'Input wrapper with all default values.'
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-25 07:28:03 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::check
|
|
|
|
|
*/
|
2013-03-07 19:03:44 +00:00
|
|
|
public function testWrapperCheck() {
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input type="checkbox" value="1" name="testname"/>',
|
2013-03-07 19:03:44 +00:00
|
|
|
Html::check( 'testname' ),
|
|
|
|
|
'Checkbox wrapper unchecked.'
|
|
|
|
|
);
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input checked="" type="checkbox" value="1" name="testname"/>',
|
2013-03-07 19:03:44 +00:00
|
|
|
Html::check( 'testname', true ),
|
|
|
|
|
'Checkbox wrapper checked.'
|
|
|
|
|
);
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input type="checkbox" value="testval" name="testname"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
Html::check( 'testname', false, [ 'value' => 'testval' ] ),
|
2013-03-07 19:03:44 +00:00
|
|
|
'Checkbox wrapper with a value override.'
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-25 07:28:03 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::radio
|
|
|
|
|
*/
|
2013-03-07 19:03:44 +00:00
|
|
|
public function testWrapperRadio() {
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input type="radio" value="1" name="testname"/>',
|
2013-03-07 19:03:44 +00:00
|
|
|
Html::radio( 'testname' ),
|
|
|
|
|
'Radio wrapper unchecked.'
|
|
|
|
|
);
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input checked="" type="radio" value="1" name="testname"/>',
|
2013-03-07 19:03:44 +00:00
|
|
|
Html::radio( 'testname', true ),
|
|
|
|
|
'Radio wrapper checked.'
|
|
|
|
|
);
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<input type="radio" value="testval" name="testname"/>',
|
2016-02-17 09:09:32 +00:00
|
|
|
Html::radio( 'testname', false, [ 'value' => 'testval' ] ),
|
2013-03-07 19:03:44 +00:00
|
|
|
'Radio wrapper with a value override.'
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-25 07:28:03 +00:00
|
|
|
/**
|
|
|
|
|
* @covers Html::label
|
|
|
|
|
*/
|
2013-03-07 19:03:44 +00:00
|
|
|
public function testWrapperLabel() {
|
|
|
|
|
$this->assertEquals(
|
2016-04-20 17:22:51 +00:00
|
|
|
'<label for="testid">testlabel</label>',
|
2013-03-07 19:03:44 +00:00
|
|
|
Html::label( 'testlabel', 'testid' ),
|
|
|
|
|
'Label wrapper'
|
|
|
|
|
);
|
|
|
|
|
}
|
2015-04-03 23:17:13 +00:00
|
|
|
|
|
|
|
|
public static function provideSrcSetImages() {
|
2016-02-17 09:09:32 +00:00
|
|
|
return [
|
|
|
|
|
[ [], '', 'when there are no images, return empty string' ],
|
|
|
|
|
[
|
|
|
|
|
[ '1x' => '1x.png', '1.5x' => '1_5x.png', '2x' => '2x.png' ],
|
2015-04-03 23:17:13 +00:00
|
|
|
'1x.png 1x, 1_5x.png 1.5x, 2x.png 2x',
|
|
|
|
|
'pixel depth keys may include a trailing "x"'
|
2016-02-17 09:09:32 +00:00
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
[ '1' => '1x.png', '1.5' => '1_5x.png', '2' => '2x.png' ],
|
2015-04-03 23:17:13 +00:00
|
|
|
'1x.png 1x, 1_5x.png 1.5x, 2x.png 2x',
|
|
|
|
|
'pixel depth keys may omit a trailing "x"'
|
2016-02-17 09:09:32 +00:00
|
|
|
],
|
2016-07-18 12:52:08 +00:00
|
|
|
[
|
|
|
|
|
[ '1' => 'small.png', '1.5' => 'large.png', '2' => 'large.png' ],
|
|
|
|
|
'small.png 1x, large.png 1.5x',
|
|
|
|
|
'omit larger duplicates'
|
|
|
|
|
],
|
|
|
|
|
[
|
|
|
|
|
[ '1' => 'small.png', '2' => 'large.png', '1.5' => 'large.png' ],
|
|
|
|
|
'small.png 1x, large.png 1.5x',
|
|
|
|
|
'omit larger duplicates in irregular order'
|
|
|
|
|
],
|
2016-02-17 09:09:32 +00:00
|
|
|
];
|
2015-04-03 23:17:13 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dataProvider provideSrcSetImages
|
|
|
|
|
* @covers Html::srcSet
|
|
|
|
|
*/
|
|
|
|
|
public function testSrcSet( $images, $expected, $message ) {
|
|
|
|
|
$this->assertEquals( Html::srcSet( $images ), $expected, $message );
|
|
|
|
|
}
|
2018-08-07 15:16:21 +00:00
|
|
|
|
|
|
|
|
public static function provideInlineScript() {
|
|
|
|
|
return [
|
|
|
|
|
'Empty' => [
|
|
|
|
|
'',
|
|
|
|
|
'<script></script>'
|
|
|
|
|
],
|
|
|
|
|
'Simple' => [
|
|
|
|
|
'EXAMPLE.label("foo");',
|
|
|
|
|
'<script>EXAMPLE.label("foo");</script>'
|
|
|
|
|
],
|
|
|
|
|
'Ampersand' => [
|
|
|
|
|
'EXAMPLE.is(a && b);',
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
'<script>EXAMPLE.is(a && b);</script>'
|
2018-08-07 15:16:21 +00:00
|
|
|
],
|
|
|
|
|
'HTML' => [
|
|
|
|
|
'EXAMPLE.label("<a>");',
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
'<script>EXAMPLE.label("<a>");</script>'
|
2018-08-07 15:16:21 +00:00
|
|
|
],
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
'Script closing string (lower)' => [
|
2018-08-07 15:16:21 +00:00
|
|
|
'EXAMPLE.label("</script>");',
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
'<script>/* ERROR: Invalid script */</script>',
|
|
|
|
|
true,
|
2018-08-07 15:16:21 +00:00
|
|
|
],
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
'Script closing with non-standard attributes (mixed)' => [
|
|
|
|
|
'EXAMPLE.label("</SCriPT and STyLE>");',
|
|
|
|
|
'<script>/* ERROR: Invalid script */</script>',
|
|
|
|
|
true,
|
|
|
|
|
],
|
|
|
|
|
'HTML-comment-open and script-open' => [
|
|
|
|
|
// In HTML, <script> contents aren't just plain CDATA until </script>,
|
|
|
|
|
// there are levels of escaping modes, and the below sequence puts an
|
|
|
|
|
// HTML parser in a state where </script> would *not* close the script.
|
|
|
|
|
// https://html.spec.whatwg.org/multipage/parsing.html#script-data-double-escape-end-state
|
|
|
|
|
'var a = "<!--<script>";',
|
|
|
|
|
'<script>/* ERROR: Invalid script */</script>',
|
|
|
|
|
true,
|
2018-08-07 15:16:21 +00:00
|
|
|
],
|
|
|
|
|
];
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/**
|
|
|
|
|
* @dataProvider provideInlineScript
|
|
|
|
|
* @covers Html::inlineScript
|
|
|
|
|
*/
|
Html: Reject </script> from inlineScript() and leave rest unescaped
There are three problems with the CDATA approach:
1. It doesn't work.
HTML5 already interprets the contents of <script> tags as CDATA,
which means escaping of characters like & is not needed. In fact,
in HTML5 mode, a plain script tag with <script>0&1;</script>
would be a syntax error. Indicating it is not interpreted as
text, but as CDATA. Effectively, the only thing an HTML parser
looks for is </script>.
And that's exactly the problem. Producing an inline script
containing the characters "</string>" for legitimate reasons,
is currently broken.
No alternate wrapping or setting can make it work, either.
See also:
https://people.wikimedia.org/~krinkle/200506-html-inlinescript.html
which contains:
<script>/*<![CDATA[*/
if (true && true) {
console.log('This is a <script></script> tag (original)');
}
/*]]>*/</script>
In a browser, the script is terminated by the first "</script>",
leaving the code unfinished, throwing a SyntaxError, and outputting
the rest of the script as plain text on the page.
2. CDATA is only for XML mode, whereas MediaWiki does not support
the XML/XHTML output mode (since MediaWiki 1.22). Instead, we only
output HTML (5). Code that does need to produce XML, should use the
class from Xml.php instead.
3. It gives a false sense of security.
We could just remove the CDATA code as-is and that in itself would be an
improvement per point 2 and 3, and would break nothing per point 1.
However, this commit attempts to address the underlying bug by rejecting
the characters "</script>" from input. If this is needed in a literal,
it is the responsibility of the caller to escape it in a way that is
appropiate for how it is used (string, comment, regex, etc.).
There are two ways this can be used currently in core:
* User input as exported through JSON (e.g. mw.config, or mw.messages).
This is already fine as both FormatJson::encode and json_encode handle
escape either < or / in the string by default already.
* Previews of edits to user scripts. This is currently already broken and
causes the script to end early and produce arbitrary HTML on the page.
This commit limits the impact by refusing to output such script in a
broken way. I will further address that use case in a follow-up.
Bug: T200506
Change-Id: I67ceb34eabf2f62fd3f3841b8f1459289fad28fb
2018-08-20 00:42:15 +00:00
|
|
|
public function testInlineScript( $code, $expected, $error = false ) {
|
|
|
|
|
if ( $error ) {
|
|
|
|
|
Wikimedia\suppressWarnings();
|
|
|
|
|
$this->restoreWarnings = true;
|
|
|
|
|
}
|
2018-08-07 15:16:21 +00:00
|
|
|
$this->assertSame( Html::inlineScript( $code ), $expected );
|
|
|
|
|
}
|
2011-07-04 19:51:35 +00:00
|
|
|
}
|
2014-05-10 08:58:19 +00:00
|
|
|
|
|
|
|
|
class HtmlTestValue {
|
2019-10-09 18:24:07 +00:00
|
|
|
public function __toString() {
|
2014-05-10 08:58:19 +00:00
|
|
|
return 'stringValue';
|
|
|
|
|
}
|
|
|
|
|
}
|
