Thijs/wiki.techinc.nl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
wiki.techinc.nl/tests/phpunit/includes/parser/SanitizerTest.php

374 lines
12 KiB
PHP
Raw Normal View History

Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
<?php
Migrate from `setMwGlobals()` to `overrideConfigValue(s)` Change-Id: I3f167d0e7d59a5aa091c3095a7d96c889d6e7e78
2022-08-01 19:14:41 +00:00
use MediaWiki\MainConfigNames;
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
use Wikimedia\TestingAccessWrapper;
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
/**
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
* @group Sanitizer
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
*/
MediaWikiTestCase to MediaWikiIntegrationTestCase The name change happened some time ago, and I think its about time to start using the name name! (Done with a find and replace) My personal motivation for doing this is that I have started trying out vscode as an IDE for mediawiki development, and right now it doesn't appear to handle php aliases very well or at all. Change-Id: I412235d91ae26e4c1c6a62e0dbb7e7cf3c5ed4a6
2020-06-30 15:09:24 +00:00
class SanitizerTest extends MediaWikiIntegrationTestCase {
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
/**
Lots of spelling mistakes and phpdoc attributes @throw->@throws @returns->@return @seealso->@see @cover->@covers etc Change-Id: I9ae6bc3034e9790e2d66cd96473b923fe9ee7953
2013-03-11 03:16:28 +00:00
* @covers Sanitizer::removeHTMLtags
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
* @dataProvider provideHtml5Tags
*
Fixed some @params documentation (tests) Swapped some "$var type" to "type $var" or added missing types before the $var. Changed some other types to match the more common spelling. Makes beginning of some text in captial. Also added some missing @param. Change-Id: Ic8aaf0a93796b97d0fa4617c1f86ff59f4b36131
2014-04-17 18:43:42 +00:00
* @param string $tag Name of an HTML5 element (ie: 'video')
* @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testRemovehtmltagsOnHtml5Tags( $tag, $escaped ) {
Hard deprecate Sanitizer::removeHTMLtags() Rename Sanitizer::removeHTMLtags() into an @internal method named ::internalRemoveHtmlTags() so that we can deprecate external use. Code search: https://codesearch.wmcloud.org/deployed/?q=removeHTMLtags&i=nope&files=&excludeFiles=&repos= Followup-To: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f Depends-On: Iaca83ed06e9c61d8366579cd2283cba653c82319 Depends-On: I1963bfe9a99198ea02ca482a5769467ce806cd58 Depends-On: I83923d8b38d33f3638cd53958dd10f257ec21f7c Depends-On: I018b34bb5f6e113056da9b04cc72d4318422adce Change-Id: I202826f8b27519f7be89643e24eda47a6e3fc9f6
2022-03-04 19:05:41 +00:00
$this->hideDeprecated( Sanitizer::class . '::removeHTMLtags' );
Update formatting 2 of n. Change-Id: I5406673e99ed53e4e330ed47f022a17177544daa
2013-02-14 11:36:35 +00:00
if ( $escaped ) {
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
$this->assertEquals( "&lt;$tag&gt;",
Sanitizer::removeHTMLtags( "<$tag>" )
);
} else {
$this->assertEquals( "<$tag></$tag>\n",
Remove codepaths which ran parser in 'untidy' mode Disabling tidy has been deprecated since 1.33. This cleans up the code paths which still used untidy output. Bug: T198214 Change-Id: I821ef3b8f59b272d983583d407b2f0794fe1e791
2020-04-01 21:24:13 +00:00
Sanitizer::removeHTMLtags( "<$tag></$tag>\n" )
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
);
}
}
Hard deprecate Sanitizer::removeHTMLtags() Rename Sanitizer::removeHTMLtags() into an @internal method named ::internalRemoveHtmlTags() so that we can deprecate external use. Code search: https://codesearch.wmcloud.org/deployed/?q=removeHTMLtags&i=nope&files=&excludeFiles=&repos= Followup-To: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f Depends-On: Iaca83ed06e9c61d8366579cd2283cba653c82319 Depends-On: I1963bfe9a99198ea02ca482a5769467ce806cd58 Depends-On: I83923d8b38d33f3638cd53958dd10f257ec21f7c Depends-On: I018b34bb5f6e113056da9b04cc72d4318422adce Change-Id: I202826f8b27519f7be89643e24eda47a6e3fc9f6
2022-03-04 19:05:41 +00:00
/**
* @covers Sanitizer::internalRemoveHTMLtags
* @dataProvider provideHtml5Tags
*
* @param string $tag Name of an HTML5 element (ie: 'video')
* @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
*/
public function testInternalRemoveHtmlTagsOnHtml5Tags( $tag, $escaped ) {
if ( $escaped ) {
$this->assertEquals( "&lt;$tag&gt;",
Sanitizer::internalRemoveHtmlTags( "<$tag>" )
);
} else {
$this->assertEquals( "<$tag></$tag>\n",
Sanitizer::internalRemoveHtmlTags( "<$tag></$tag>\n" )
);
}
}
Add Sanitizer::removeSomeTags() which uses Remex to tokenize The existing Sanitizer::removeHTMLtags() method, in addition to having dodgy capitalization, uses regular expressions to parse the HTML. That produces corner cases like T298401 and T67747 and is not guaranteed to yield balanced or well-formed HTML. Instead, introduce and use a new Sanitizer::removeSomeTags() method which is guaranteed to always return balanced and well-formed HTML. Note that Sanitizer::removeHTMLtags()/::removeSomeTags() take a callback argument which (as far as I can tell) is never used outside core. Mark that argument as @internal, and clean up the version used by ::removeSomeTags(). Use the new ::removeSomeTags() method in the two places where DISPLAYTITLE is handled (following up on T67747). The use by the legacy parser is more difficult to replace (and would have a performace cost), so leave the old ::removeHTMLtags() method in place for that call site for now: when the legacy parser is replaced by Parsoid the need for the old ::removeHTMLtags() will go away. In a follow-up patch we'll rename ::removeHTMLtags() and mark it @internal so that we can deprecate ::removeHTMLtags() for external use. Some benchmarking code added. On my machine, with PHP 7.4, the new method tidies short 30-character title strings at a rate of about 6764/s while the tidy-based method being replaced here managed 6384/s. Sanitizer::removeHTMLtags blazes through short strings 20x faster (120,915/s); some of this difference is due to the set up cost of creating the tag whitelist and the Remex pipeline, so further optimizations could doubtless be done if Sanitizer::removeSomeTags() is more widely used. Bug: T299722 Bug: T67747 Change-Id: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f
2022-01-21 22:03:26 +00:00
/**
* @covers Sanitizer::removeSomeTags
* @dataProvider provideHtml5Tags
*
* @param string $tag Name of an HTML5 element (ie: 'video')
* @param bool $escaped Whether sanitizer let the tag in or escape it (ie: '&lt;video&gt;')
*/
public function testRemoveSomeTagsOnHtml5Tags( $tag, $escaped ) {
if ( $escaped ) {
$this->assertEquals( "&lt;$tag&gt;",
Sanitizer::removeSomeTags( "<$tag>" )
);
} else {
$this->assertEquals( "<$tag></$tag>\n",
Sanitizer::removeSomeTags( "<$tag></$tag>\n" )
);
$this->assertEquals( "<$tag></$tag>",
Sanitizer::removeSomeTags( "<$tag>" )
);
}
}
Tests: Make phpunit providers "public static". Follows-up I9d2b148e57 (including phpunit/languages this time). Bug: 46434 Change-Id: I30e5efcd88c516121c454676bd7a18f9b7c8fca6
2013-03-22 02:12:37 +00:00
public static function provideHtml5Tags() {
Update formatting 2 of n. Change-Id: I5406673e99ed53e4e330ed47f022a17177544daa
2013-02-14 11:36:35 +00:00
$ESCAPED = true; # We want tag to be escaped
$VERBATIM = false; # We want to keep the tag
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
return [
[ 'data', $VERBATIM ],
[ 'mark', $VERBATIM ],
[ 'time', $VERBATIM ],
[ 'video', $ESCAPED ],
];
(bug 39067) Add support for HTML5 <mark> element. * whitelist <mark> in tidy and sanitizer * provides a default styling for mark elements Change-Id: I23fc2fc558ff0590be04771ef1e75fcfdf240aac
2012-08-06 10:02:49 +00:00
}
Add public as visibility in tests folder Add public, protected or private to function missing a visibility Enable the tests folder for the phpcs sniff Change-Id: Ibefce76ea9984c47e08c94889ea2eafca7565e2c
2019-10-09 18:24:07 +00:00
public function dataRemoveHTMLtags() {
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
return [
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
// former testSelfClosingTag
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
'<div>Hello world</div />',
Use HTML5 semantics for self-closed HTML tags in wikitext This behavior has been deprecated and with a tracking category since 1.28. Time to remove the temporary parameter added to Sanitizer::removeHTMLtags() and (finally) tweak the behavior to match HTML5. Bug: T134423 Change-Id: I5c725175d05854139c95a2b3d8d35ff63cb6707b
2020-04-02 15:17:41 +00:00
'<div>Hello world</div>',
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
'Self-closing closing div'
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
],
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
// Make sure special nested HTML5 semantics are not broken
Update weblinks in comments from HTTP to HTTPS Use HTTPS instead of HTTP where the HTTP link is a redirect to the HTTPS link. Also update some defect links. Change-Id: Ic3a5eac910d098ed5c2a21e9f47c9b6ee06b2643
2016-10-13 05:34:26 +00:00
// https://html.spec.whatwg.org/multipage/semantics.html#the-kbd-element
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
'<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
'<kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd>',
'Nested <kbd>.'
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
],
Update weblinks in comments from HTTP to HTTPS Use HTTPS instead of HTTP where the HTTP link is a redirect to the HTTPS link. Also update some defect links. Change-Id: Ic3a5eac910d098ed5c2a21e9f47c9b6ee06b2643
2016-10-13 05:34:26 +00:00
// https://html.spec.whatwg.org/multipage/semantics.html#the-sub-and-sup-elements
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
'<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
'<var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var>',
'Nested <var>.'
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
],
Update weblinks in comments from HTTP to HTTPS Use HTTPS instead of HTTP where the HTTP link is a redirect to the HTTPS link. Also update some defect links. Change-Id: Ic3a5eac910d098ed5c2a21e9f47c9b6ee06b2643
2016-10-13 05:34:26 +00:00
// https://html.spec.whatwg.org/multipage/semantics.html#the-dfn-element
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
[
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
'<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
'<dfn><abbr title="Garage Door Opener">GDO</abbr></dfn>',
'<abbr> inside <dfn>',
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
],
];
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
testDecodeTagAttributes now use a data provider We had a huge pile of assertEquals in a single test function, this patch convert the mess in a nicer dataprovider. The parameters passed to assertEquals() were mixed up, the expected values should be passed as the first argument, I thus exchange the first two parameters in each case. Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897
2012-11-22 10:25:30 +00:00
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
/**
* @dataProvider dataRemoveHTMLtags
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
* @covers Sanitizer::removeHTMLtags
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testRemoveHTMLtags( $input, $output, $msg = null ) {
Hard deprecate Sanitizer::removeHTMLtags() Rename Sanitizer::removeHTMLtags() into an @internal method named ::internalRemoveHtmlTags() so that we can deprecate external use. Code search: https://codesearch.wmcloud.org/deployed/?q=removeHTMLtags&i=nope&files=&excludeFiles=&repos= Followup-To: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f Depends-On: Iaca83ed06e9c61d8366579cd2283cba653c82319 Depends-On: I1963bfe9a99198ea02ca482a5769467ce806cd58 Depends-On: I83923d8b38d33f3638cd53958dd10f257ec21f7c Depends-On: I018b34bb5f6e113056da9b04cc72d4318422adce Change-Id: I202826f8b27519f7be89643e24eda47a6e3fc9f6
2022-03-04 19:05:41 +00:00
$this->hideDeprecated( Sanitizer::class . '::removeHTMLtags' );
(bug 41545) Allow kbd, samp, and var to be nested. HTML5 has various semantics that allow -- or rather require -- <kbd> and <samp> and even <var> to be nested. eg: <kbd><kbd>Shift</kbd>+<kbd>F3</kbd></kbd> eg: <var>x<sub><var>i</var></sub></var>, <var>y<sub><var>i</var></sub></var> This fixes the sanitizer to permit their nesting and adds test cases to ensure that some of HTML5's special semantics are permitted by our sanitizer and not broken. Change-Id: I6ad64e6eb4c9b5bdc15be513f55c58f6717c3939
2012-10-30 13:34:56 +00:00
$this->assertEquals( $output, Sanitizer::removeHTMLtags( $input ), $msg );
}
testDecodeTagAttributes now use a data provider We had a huge pile of assertEquals in a single test function, this patch convert the mess in a nicer dataprovider. The parameters passed to assertEquals() were mixed up, the expected values should be passed as the first argument, I thus exchange the first two parameters in each case. Change-Id: Ib74804a7aa84a1e59fffb8c85abbf0b95995d897
2012-11-22 10:25:30 +00:00
Hard deprecate Sanitizer::removeHTMLtags() Rename Sanitizer::removeHTMLtags() into an @internal method named ::internalRemoveHtmlTags() so that we can deprecate external use. Code search: https://codesearch.wmcloud.org/deployed/?q=removeHTMLtags&i=nope&files=&excludeFiles=&repos= Followup-To: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f Depends-On: Iaca83ed06e9c61d8366579cd2283cba653c82319 Depends-On: I1963bfe9a99198ea02ca482a5769467ce806cd58 Depends-On: I83923d8b38d33f3638cd53958dd10f257ec21f7c Depends-On: I018b34bb5f6e113056da9b04cc72d4318422adce Change-Id: I202826f8b27519f7be89643e24eda47a6e3fc9f6
2022-03-04 19:05:41 +00:00
/**
* @dataProvider dataRemoveHTMLtags
* @covers Sanitizer::internalRemoveHtmlTags
*/
public function testInternalRemoveHTMLtags( $input, $output, $msg = null ) {
$this->assertEquals( $output, Sanitizer::internalRemoveHtmlTags( $input ), $msg );
}
Add Sanitizer::removeSomeTags() which uses Remex to tokenize The existing Sanitizer::removeHTMLtags() method, in addition to having dodgy capitalization, uses regular expressions to parse the HTML. That produces corner cases like T298401 and T67747 and is not guaranteed to yield balanced or well-formed HTML. Instead, introduce and use a new Sanitizer::removeSomeTags() method which is guaranteed to always return balanced and well-formed HTML. Note that Sanitizer::removeHTMLtags()/::removeSomeTags() take a callback argument which (as far as I can tell) is never used outside core. Mark that argument as @internal, and clean up the version used by ::removeSomeTags(). Use the new ::removeSomeTags() method in the two places where DISPLAYTITLE is handled (following up on T67747). The use by the legacy parser is more difficult to replace (and would have a performace cost), so leave the old ::removeHTMLtags() method in place for that call site for now: when the legacy parser is replaced by Parsoid the need for the old ::removeHTMLtags() will go away. In a follow-up patch we'll rename ::removeHTMLtags() and mark it @internal so that we can deprecate ::removeHTMLtags() for external use. Some benchmarking code added. On my machine, with PHP 7.4, the new method tidies short 30-character title strings at a rate of about 6764/s while the tidy-based method being replaced here managed 6384/s. Sanitizer::removeHTMLtags blazes through short strings 20x faster (120,915/s); some of this difference is due to the set up cost of creating the tag whitelist and the Remex pipeline, so further optimizations could doubtless be done if Sanitizer::removeSomeTags() is more widely used. Bug: T299722 Bug: T67747 Change-Id: Ic864c01471c292f11799c4fbdac4d7d30b8bc50f
2022-01-21 22:03:26 +00:00
/**
* @dataProvider dataRemoveHTMLtags
* @covers Sanitizer::removeSomeTags
*/
public function testRemoveSomeTags( $input, $output, $msg = null ) {
$this->assertEquals( $output, Sanitizer::removeSomeTags( $input ), $msg );
}
(bug 36495) Sanitizer: Convert align to margin/float outside tables. Change-Id: I108cbd100cff6bade011b14d74b5bca82f2a1e5f
2012-06-29 16:24:20 +00:00
/**
* @dataProvider provideDeprecatedAttributes
Lots of spelling mistakes and phpdoc attributes @throw->@throws @returns->@return @seealso->@see @cover->@covers etc Change-Id: I9ae6bc3034e9790e2d66cd96473b923fe9ee7953
2013-03-11 03:16:28 +00:00
* @covers Sanitizer::fixTagAttributes
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
* @covers Sanitizer::validateTagAttributes
* @covers Sanitizer::validateAttributes
(bug 36495) Sanitizer: Convert align to margin/float outside tables. Change-Id: I108cbd100cff6bade011b14d74b5bca82f2a1e5f
2012-06-29 16:24:20 +00:00
*/
Add more @covers tags and test cleanup Other cleanup includes - Adding method scopes - Fixing php comments - Adding todos Change-Id: I0a231008e6a59110ffcab6af1bd8c4d3ee13f21d
2013-10-21 21:09:13 +00:00
public function testDeprecatedAttributesUnaltered( $inputAttr, $inputEl, $message = '' ) {
normalize sanitizerTest and add coverage tips * @cover let us mention which function the test is using, help out when building coverage report to make sure we only record traces for that function. * Normalized test functions so they look alike and make use of an optional message. Change-Id: I3e431b28e377f2ca21d06300537f63b2df4a3a99
2012-11-22 10:23:13 +00:00
$this->assertEquals( " $inputAttr",
Sanitizer::fixTagAttributes( $inputAttr, $inputEl ),
$message
);
Clean and repair many phpunit tests (+ fix implied configuration) This commit depends on the introduction of MediaWikiTestCase::setMwGlobals in change Iccf6ea81f4. Various tests already set their globals, but forgot to restore them afterwards, or forgot to call the parent setUp, tearDown... Either way they won't have to anymore with setMwGlobals. Consistent use of function characteristics: * protected function setUp * protected function tearDown * public static function (provide..) (Matching the function signature with PHPUnit/Framework/TestCase.php) Replaces: * public function (setUp|tearDown)\( * protected function $1( * \tfunction (setUp|tearDown)\( * \tprotected function $1( * \tfunction (data|provide)\( * \tpublic static function $1\( Also renamed a few "data#", "provider#" and "provides#" functions to "provide#" for consistency. This also removes confusion where the /media tests had a few private methods called dataFile(), which were sometimes expected to be data providers. Fixes: TimestampTest often failed due to a previous test setting a different language (it tests "1 hour ago" so need to make sure it is set to English). MWNamespaceTest became a lot cleaner now that it executes with a known context. Though the now-redundant code that was removed didn't work anyway because wgContentNamespaces isn't keyed by namespace id, it had them was values... FileBackendTest: * Fixed: "PHP Fatal: Using $this when not in object context" HttpTest * Added comment about: "PHP Fatal: Call to protected MWHttpRequest::__construct()" (too much unrelated code to fix in this commit) ExternalStoreTest * Add an assertTrue as well, without it the test is useless because regardless of whether wgExternalStores is true or false it only uses it if it is an array. Change-Id: I9d2b148e57bada64afeb7d5a99bec0e58f8e1561
2012-10-08 10:56:20 +00:00
}
public static function provideDeprecatedAttributes() {
Use more short array syntax in comments (/tests/) Change-Id: I86c73cb9447ac562a73348b4030e24ebf49a90dc
2016-07-10 15:23:29 +00:00
/** [ <attribute>, <element>, [message] ] */
Convert all array() syntax to [] Per wikitech-l consensus: https://lists.wikimedia.org/pipermail/wikitech-l/2016-February/084821.html Notes: * Disabled CallTimePassByReference due to false positives (T127163) Change-Id: I2c8ce713ce6600a0bb7bf67537c87044c7a45c4b
2016-02-17 09:09:32 +00:00
return [
[ 'clear="left"', 'br' ],
[ 'clear="all"', 'br' ],
[ 'width="100"', 'td' ],
[ 'nowrap="true"', 'td' ],
[ 'nowrap=""', 'td' ],
[ 'align="right"', 'td' ],
[ 'align="center"', 'table' ],
[ 'align="left"', 'tr' ],
[ 'align="center"', 'div' ],
[ 'align="left"', 'h1' ],
[ 'align="left"', 'p' ],
];
Followup r94465 and r94465; Add phpunit tests for Sanitizer::fixDeprecatedAttributes and fix bugs related to clear="all" and mixed/uppercase attributes and values.
2011-09-25 04:08:23 +00:00
}
Test handling of escaped CSS comments r85856 fixed a CSS injection issue but lacked testing. This test verify we properly strip out CSS comments even when the token delimiter '/*' is backslash-escaped : \2f\2a
2011-10-24 08:39:58 +00:00
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
/**
* @dataProvider provideValidateTagAttributes
* @covers Sanitizer::validateTagAttributes
* @covers Sanitizer::validateAttributes
*/
public function testValidateTagAttributes( $element, $attribs, $expected ) {
$actual = Sanitizer::validateTagAttributes( $attribs, $element );
$this->assertArrayEquals( $expected, $actual, false, true );
}
public static function provideValidateTagAttributes() {
return [
[ 'math',
Split SanitizerTest to unit and integration tests Out of 150 tests of SanitizerTest.php, 100 of them are pure unit tests they are moved to the new file in the new structure, the rest stay Change-Id: I366d37607abff4bcd624a56fb8b2299729fbc088
2019-07-08 00:05:57 +00:00
[ 'id' => 'foo bar', 'bogus' => 'stripped', 'data-foo' => 'bar' ],
[ 'id' => 'foo_bar', 'data-foo' => 'bar' ],
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
],
[ 'meta',
Split SanitizerTest to unit and integration tests Out of 150 tests of SanitizerTest.php, 100 of them are pure unit tests they are moved to the new file in the new structure, the rest stay Change-Id: I366d37607abff4bcd624a56fb8b2299729fbc088
2019-07-08 00:05:57 +00:00
[ 'id' => 'foo bar', 'itemprop' => 'foo', 'content' => 'bar' ],
[ 'itemprop' => 'foo', 'content' => 'bar' ],
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
],
Whitelist `aria-hidden` attribute in Sanitizer Bug: T204618 Change-Id: I34b9b729eccd7658d5165b6661e5fd45a733b36c
2019-10-04 18:26:06 +00:00
[ 'div',
Follow-up 0437877: SanitizerTest: Fix whitespace, test false state too Change-Id: Ibec845224493c409049b5212812e737d63abaad7
2020-02-03 23:22:26 +00:00
[ 'role' => 'presentation', 'aria-hidden' => 'true' ],
[ 'role' => 'presentation', 'aria-hidden' => 'true' ],
],
[ 'div',
[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],
[ 'role' => 'menuitem', 'aria-hidden' => 'false' ],
Whitelist `aria-hidden` attribute in Sanitizer Bug: T204618 Change-Id: I34b9b729eccd7658d5165b6661e5fd45a733b36c
2019-10-04 18:26:06 +00:00
],
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
];
}
/**
Use 'list of allowed attributes' in Sanitizer, instead of 'whitelist' Bug: T254646 Change-Id: I48d1a5b318c3511fae94291d84f65e5c9cd05a27
2020-06-10 17:39:06 +00:00
* @dataProvider provideAttributesAllowed
* @covers Sanitizer::attributesAllowedInternal
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
*/
Use 'list of allowed attributes' in Sanitizer, instead of 'whitelist' Bug: T254646 Change-Id: I48d1a5b318c3511fae94291d84f65e5c9cd05a27
2020-06-10 17:39:06 +00:00
public function testAttributesAllowedInternal( $element, $attribs ) {
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
$sanitizer = TestingAccessWrapper::newFromClass( Sanitizer::class );
Use 'list of allowed attributes' in Sanitizer, instead of 'whitelist' Bug: T254646 Change-Id: I48d1a5b318c3511fae94291d84f65e5c9cd05a27
2020-06-10 17:39:06 +00:00
$actual = $sanitizer->attributesAllowedInternal( $element );
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
$this->assertArrayEquals( $attribs, array_keys( $actual ) );
}
tests: Make some PHPUnit data providers static Just methods where adding "static" to the declaration was enough, I didn't do anything with providers that used $this. Initially by search and replace. There were many mistakes which I found mostly by running the PHPStorm inspection which searches for $this usage in a static method. Later I used the PHPStorm "make static" action which avoids the more obvious mistakes. Bug: T332865 Change-Id: I47ed6692945607dfa5c139d42edbd934fa4f3a36
2023-03-23 11:36:19 +00:00
public static function provideAttributesAllowed() {
Deprecate Sanitizer::setupAttributeWhitelist/attributeWhitelist These methods should be made private in the next release, but hard-deprecate them for 1.34. Tweak the return value of the attribute whitelist to be an associative rather than a sequential array, which makes the lookup of allowed attributes more efficient and avoids an array_flip for every html element sanitized. Bug: T221677 Change-Id: I17d734937accec6c2679dbe17328cf9554bd556a
2019-04-23 17:09:36 +00:00
/** [ <element>, [ <good attribute 1>, <good attribute 2>, ...] ] */
return [
[ 'math', [ 'class', 'style', 'id', 'title' ] ],
[ 'meta', [ 'itemprop', 'content' ] ],
[ 'link', [ 'itemprop', 'href', 'title' ] ],
];
}
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
/**
* @dataProvider provideEscapeIdForStuff
*
* @covers Sanitizer::escapeIdForAttribute()
* @covers Sanitizer::escapeIdForLink()
* @covers Sanitizer::escapeIdForExternalInterwiki()
* @covers Sanitizer::escapeIdInternal()
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
* @covers Sanitizer::escapeIdInternalUrl()
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
*
* @param string $stuff
* @param string[] $config
* @param string $id
* @param string|false $expected
* @param int|null $mode
*/
public function testEscapeIdForStuff( $stuff, array $config, $id, $expected, $mode = null ) {
$func = "Sanitizer::escapeIdFor{$stuff}";
$iwFlavor = array_pop( $config );
Migrate from `setMwGlobals()` to `overrideConfigValue(s)` Change-Id: I3f167d0e7d59a5aa091c3095a7d96c889d6e7e78
2022-08-01 19:14:41 +00:00
$this->overrideConfigValues( [
MainConfigNames::FragmentMode => $config,
MainConfigNames::ExternalInterwikiFragmentMode => $iwFlavor,
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
] );
Replace all call_user_func(_array) in all tests There is native support for all of this now in PHP, thanks to changes and additions that have been made in later versions. There should be no need any more to ever use call_user_func() or call_user_func_array(). Reviewing this should be fairly easy: Because this patch touches exclusivly tests, but no production code, there is no such thing as "insufficent test coverage". As long as CI goes green, this should be fine. Change-Id: Ib9690103687734bb5a85d3dab0e5642a07087bbc
2020-05-29 06:46:30 +00:00
$escaped = $func( $id, $mode );
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
self::assertEquals( $expected, $escaped );
}
tests: Make some PHPUnit data providers static Just methods where adding "static" to the declaration was enough, I didn't do anything with providers that used $this. Initially by search and replace. There were many mistakes which I found mostly by running the PHPStorm inspection which searches for $this usage in a static method. Later I used the PHPStorm "make static" action which avoids the more obvious mistakes. Bug: T332865 Change-Id: I47ed6692945607dfa5c139d42edbd934fa4f3a36
2023-03-23 11:36:19 +00:00
public static function provideEscapeIdForStuff() {
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
// Test inputs and outputs
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
$text = 'foo тест_#%!\'()[]:<>&&amp;&amp;amp;%F0';
Do not double decode HTML entities for IDs * in links (T103714) * in indicators (T104196) This change removes the automatic Sanitizer::decodeCharReferences from Sanitizer::escapeId and Sanitizer::escapeIdInternal. Where decoding of HTML entities are wanted an explicit call to Sanitizer::decodeCharReferences is added. Explicit decode HTML entities in non local autocomments. (T104311) Bug: T103714 Bug: T104196 Bug: T104311 Change-Id: I88e8e2077e6f5eec2b232391f7818370894a62dc
2016-05-02 05:14:45 +00:00
$legacyEncoded = 'foo_.D1.82.D0.B5.D1.81.D1.82_.23.25.21.27.28.29.5B.5D:.3C.3E' .
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
'.26.26amp.3B.26amp.3Bamp.3B.25F0';
$html5EncodedId = 'foo_тест_#%!\'()[]:<>&&amp;&amp;amp;%F0';
$html5EncodedHref = 'foo_тест_#%!\'()[]:<>&&amp;&amp;amp;%25F0';
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
// Settings: last element is $wgExternalInterwikiFragmentMode, the rest is $wgFragmentMode
$legacy = [ 'legacy', 'legacy' ];
$legacyNew = [ 'legacy', 'html5', 'legacy' ];
$newLegacy = [ 'html5', 'legacy', 'legacy' ];
$new = [ 'html5', 'legacy' ];
$allNew = [ 'html5', 'html5' ];
return [
// Pure legacy: how MW worked before 2017
[ 'Attribute', $legacy, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
[ 'Attribute', $legacy, $text, false, Sanitizer::ID_FALLBACK ],
[ 'Link', $legacy, $text, $legacyEncoded ],
[ 'ExternalInterwiki', $legacy, $text, $legacyEncoded ],
// Transition to a new world: legacy links with HTML5 fallback
[ 'Attribute', $legacyNew, $text, $legacyEncoded, Sanitizer::ID_PRIMARY ],
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
[ 'Attribute', $legacyNew, $text, $html5EncodedId, Sanitizer::ID_FALLBACK ],
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
[ 'Link', $legacyNew, $text, $legacyEncoded ],
[ 'ExternalInterwiki', $legacyNew, $text, $legacyEncoded ],
// New world: HTML5 links, legacy fallbacks
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
[ 'Attribute', $newLegacy, $text, $html5EncodedId, Sanitizer::ID_PRIMARY ],
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
[ 'Attribute', $newLegacy, $text, $legacyEncoded, Sanitizer::ID_FALLBACK ],
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
[ 'Link', $newLegacy, $text, $html5EncodedHref ],
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
[ 'ExternalInterwiki', $newLegacy, $text, $legacyEncoded ],
// Distant future: no legacy fallbacks, but still linking to leagacy wikis
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
[ 'Attribute', $new, $text, $html5EncodedId, Sanitizer::ID_PRIMARY ],
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
[ 'Attribute', $new, $text, false, Sanitizer::ID_FALLBACK ],
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
[ 'Link', $new, $text, $html5EncodedHref ],
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
[ 'ExternalInterwiki', $new, $text, $legacyEncoded ],
// Just before the heat death of universe: external interwikis are also HTML5 \m/
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
[ 'Attribute', $allNew, $text, $html5EncodedId, Sanitizer::ID_PRIMARY ],
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
[ 'Attribute', $allNew, $text, false, Sanitizer::ID_FALLBACK ],
Escape % sign if form valid percent-encoding in fragment identifiers Currently if you combine a valid percent encoding and a non escaped character that is reserved in urls in a headline, the toc link does not work. E.g. ==`%41== needs #`%2541 but we currently generate #`%41 which matches ==`A== instead. Tested in firefox and chrome Bug: T238385 Change-Id: Ice2bbf79bed612d488ed6feb7510035e9dfb33af
2020-02-15 09:24:10 +00:00
[ 'Link', $allNew, $text, $html5EncodedHref ],
[ 'ExternalInterwiki', $allNew, $text, $html5EncodedHref ],
Make id attributes not include ascii whitespace per spec HTML5 says id attributes should not have whitespace, where whitespace is defined as LF, CR, FF, TAB or SPACE (oddly enough VT does not count). Firefox in my testing actually was fine with these except CR. Nonetheless we should follow the spec, so this converts these whitespace characters to _. I don't think this will cause any back-compat issues, since its very hard to make these characters in wikitext (other than space which was already being converted) and basically requires either Lua or html entities to make these (with FF seeming to be impossible). Bug: T238385 Depends-On: Ie6fa40798f06a358f6082110b4d8cc0028c80321 Change-Id: Ie2b7c9429691e2c491c3359d5b400d8f078aa789
2020-02-15 10:09:03 +00:00
// Whitespace
[ 'attribute', $allNew, "foo bar", 'foo_bar', Sanitizer::ID_PRIMARY ],
[ 'attribute', $allNew, "foo\fbar", 'foo_bar', Sanitizer::ID_PRIMARY ],
[ 'attribute', $allNew, "foo\nbar", 'foo_bar', Sanitizer::ID_PRIMARY ],
[ 'attribute', $allNew, "foo\tbar", 'foo_bar', Sanitizer::ID_PRIMARY ],
[ 'attribute', $allNew, "foo\rbar", 'foo_bar', Sanitizer::ID_PRIMARY ],
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
];
}
/**
* @covers Sanitizer::escapeIdInternal()
*/
public function testInvalidFragmentThrows() {
Migrate from `setMwGlobals()` to `overrideConfigValue(s)` Change-Id: I3f167d0e7d59a5aa091c3095a7d96c889d6e7e78
2022-08-01 19:14:41 +00:00
$this->overrideConfigValue( MainConfigNames::FragmentMode, [ 'boom!' ] );
phpcs: Enable MediaWiki.Commenting.PhpunitAnnotations.ForbiddenExpectedException* and make pass Change-Id: I63f97497714a32236268be6965c5e181dade6c58
2019-10-11 22:22:26 +00:00
$this->expectException( InvalidArgumentException::class );
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
Sanitizer::escapeIdForAttribute( 'This should throw' );
}
/**
* @covers Sanitizer::escapeIdForAttribute()
*/
public function testNoPrimaryFragmentModeThrows() {
Migrate from `setMwGlobals()` to `overrideConfigValue(s)` Change-Id: I3f167d0e7d59a5aa091c3095a7d96c889d6e7e78
2022-08-01 19:14:41 +00:00
$this->overrideConfigValue( MainConfigNames::FragmentMode, [ 666 => 'html5' ] );
phpcs: Enable MediaWiki.Commenting.PhpunitAnnotations.ForbiddenExpectedException* and make pass Change-Id: I63f97497714a32236268be6965c5e181dade6c58
2019-10-11 22:22:26 +00:00
$this->expectException( UnexpectedValueException::class );
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
Sanitizer::escapeIdForAttribute( 'This should throw' );
}
/**
* @covers Sanitizer::escapeIdForLink()
*/
public function testNoPrimaryFragmentModeThrows2() {
Migrate from `setMwGlobals()` to `overrideConfigValue(s)` Change-Id: I3f167d0e7d59a5aa091c3095a7d96c889d6e7e78
2022-08-01 19:14:41 +00:00
$this->overrideConfigValue( MainConfigNames::FragmentMode, [ 666 => 'html5' ] );
phpcs: Enable MediaWiki.Commenting.PhpunitAnnotations.ForbiddenExpectedException* and make pass Change-Id: I63f97497714a32236268be6965c5e181dade6c58
2019-10-11 22:22:26 +00:00
$this->expectException( UnexpectedValueException::class );
Human-readable section ID support It adds the ability to replace the current section ID escaping schema (.C0.DE) with a HTML5-compliant escaping schema that is displayed as Unicode in many modern browsers. See the linked bug for discussion of various options that were considered before the implementation. A few remarks: * Because Sanitizer::escapeId() is used in a bunch of places without escaping, I'm deprecating it without altering its behavior. * The bug described in comments for Parser::guessLegacySectionNameFromWikiText() is still there in some Edge versions that display mojibake. Bug: T152540 Change-Id: Id304010a0342efbb7ef2d56c5b8b244f2e4fb2c5
2017-06-30 00:13:12 +00:00
Sanitizer::escapeIdForLink( 'This should throw' );
}
Unset all globals unneeded for unit tests, assert correct directory * Unset globals to avoid tests that look like unit tests but actually rely on globals * move some tests out of unit directory so that the test suite will pass. * Assert that tests which extend MediaWikiUnitTestCase are in a directory with "/unit/" in its path name Depends-On: I67b37b1bde94eaa3d4298d9bd98ac57995ce93b9 Depends-On: I90921679518ee95fe393f8b1bbd9134daf0ba032 Bug: T87781 Change-Id: I16691fc8ac063705ba0c2bc63b96c4534ca8660b
2019-07-08 13:25:31 +00:00
/**
* Test escapeIdReferenceList for consistency with escapeIdForAttribute
*
* @dataProvider provideEscapeIdReferenceList
* @covers Sanitizer::escapeIdReferenceList
*/
public function testEscapeIdReferenceList( $referenceList, $id1, $id2 ) {
Hard-deprecate Sanitizer::escapeIdReferenceList() Code search: https://codesearch.wmcloud.org/search/?q=escapeIdReferenceList&i=nope&files=&repos= Followup-To: Ifce057b0c436eabec310f812394e86ee7123e7c8 Change-Id: I18f2c47ad6b4f6256d1727f24314cc3c5e13f466
2020-08-19 16:21:31 +00:00
$this->hideDeprecated( 'Sanitizer::escapeIdReferenceList' );
Unset all globals unneeded for unit tests, assert correct directory * Unset globals to avoid tests that look like unit tests but actually rely on globals * move some tests out of unit directory so that the test suite will pass. * Assert that tests which extend MediaWikiUnitTestCase are in a directory with "/unit/" in its path name Depends-On: I67b37b1bde94eaa3d4298d9bd98ac57995ce93b9 Depends-On: I90921679518ee95fe393f8b1bbd9134daf0ba032 Bug: T87781 Change-Id: I16691fc8ac063705ba0c2bc63b96c4534ca8660b
2019-07-08 13:25:31 +00:00
$this->assertEquals(
Sanitizer::escapeIdReferenceList( $referenceList ),
Sanitizer::escapeIdForAttribute( $id1 )
. ' '
. Sanitizer::escapeIdForAttribute( $id2 )
);
}
public static function provideEscapeIdReferenceList() {
/** [ <reference list>, <individual id 1>, <individual id 2> ] */
return [
[ 'foo bar', 'foo', 'bar' ],
[ '#1 #2', '#1', '#2' ],
[ '+1 +2', '+1', '+2' ],
];
}
Sanitizer: Use \u{xxxx} syntax in cleanUrl Also add a simple testcase to verify the handling of these Unicode characters. Change-Id: I611a7cf816bb6f6e61b834e48be28943f73e0908
2021-08-26 19:10:23 +00:00
/**
* Test cleanUrl
*
* @dataProvider provideCleanUrl
* @covers Sanitizer::cleanUrl
*/
public function testCleanUrl( string $input, string $output ) {
$this->assertEquals( $output, Sanitizer::cleanUrl( $input ) );
}
public static function provideCleanUrl() {
return [
[ 'http://www.example.com/file.txt', 'http://www.example.com/file.txt' ],
[
Sanitizer: Replace RFC 3454 by RFC 8264 for clearUrl RFC 3454 is obsoleted by RFC 7564 obsoleted by RFC 8264. The mapping section 3.1 "Commonly mapped to nothing" https://datatracker.ietf.org/doc/html/rfc3454#section-3.1 was replaced by section 9.13. "PrecisIgnorableProperties (M)" https://datatracker.ietf.org/doc/html/rfc8264#section-9.13 which uses the Default_Ignorable_Code_Point from https://www.unicode.org/Public/UCD/latest/ucd/DerivedCoreProperties.txt U+1806 (MONGOLIAN TODO SOFT HYPHEN) is not included anymore. Change-Id: Ib86e619ba9181cdc7f731a96c684a119527e3b76
2021-08-26 20:35:47 +00:00
"https://www.exa\u{00AD}\u{200B}\u{2060}\u{FEFF}" .
Sanitizer: Use \u{xxxx} syntax in cleanUrl Also add a simple testcase to verify the handling of these Unicode characters. Change-Id: I611a7cf816bb6f6e61b834e48be28943f73e0908
2021-08-26 19:10:23 +00:00
"\u{034F}\u{180B}\u{180C}\u{180D}\u{200C}\u{200D}" .
"\u{FE00}\u{FE08}\u{FE0F}mple.com",
'https://www.example.com'
],
];
}
Per wikitech-l discussion: Move tests from maintenance/tests/ to tests/. They're not strictly maintenance scripts, and some people want to do a selective checkout that doesn't include the tests. There's still debate on whether we should include these in the release downloads, but we had a pretty firm consensus to move this.
2010-12-14 16:26:35 +00:00
}
Reference in a new issue Copy permalink