wiki.techinc.nl/tests/phpunit
C. Scott Ananian 5f21cc528e SECURITY: Sanitize data- attributes
CVE-2025-61638

Previously, if you managed to get data- attributes with e.g. spaces or
slashes in the name into validateAttributes(), then the rest of the
attribute name would not be validated and get concatenated into HTML
that would eventually be parsed as separate attributes (or even tag
contents and new markup, if you had a > in the name). I don’t think this
was possible via regular <p> parsing, as decodeTagAttributes() would
decode the attributes differently in that case, but it was possible via
various wikitext constructs, including {{#tag:}}.

Tighten the regex to throw out such invalid attributes, and add a few
tests in this direction. More refactoring, and especially more tests,
can happen later, once this change is public and we can benefit from CI.

Bug: T401099
Change-Id: Id095a3278083dbedba083d5aa3c1cbaa379a682f
Co-Authored-By: Lucas Werkmeister <lucas.werkmeister@wikimedia.de>
2025-10-02 19:21:42 +00:00
data Forward-compat data for SelserContext w/ JSON-encoded Content 2025-09-10 14:08:31 -04:00
docs Add namespace to maintenance/includes classes 2024-10-09 11:02:09 -04:00
includes SECURITY: Sanitize data- attributes 2025-10-02 19:21:42 +00:00
integration/includes Forward-compat data for SelserContext w/ JSON-encoded Content 2025-09-10 14:08:31 -04:00
maintenance tests: Use namespaced classes 2024-10-21 18:53:02 +02:00
mocks logger: Make log() methods return void 2025-06-18 02:21:42 +00:00
structure Skip 'ext.pageviewinfo' module in ResourcesTest to avoid CI failure 2025-09-16 15:13:58 +00:00
suites tests: add skins to PHPUnit "extensions:unit" test suite 2025-09-17 01:03:38 +00:00
tests
unit Use JsonCodec to serialize SelserContext 2025-09-10 14:08:31 -04:00
bootstrap.common.php
bootstrap.integration.php
bootstrap.maintenance.php
bootstrap.php phpunit: Fix bootstrap script when no extensions are installed 2025-02-21 22:24:30 +00:00
DynamicPropertyTestHelper.php Drop PHP 7.4/8.0 support from master (forward-port from MW 1.42) 2025-06-18 10:53:22 +01:00
getPHPUnitExtensionsAndSkins.php phpunit: Fix bootstrap script when no extensions are installed 2025-02-21 22:24:30 +00:00
HamcrestPHPUnitIntegration.php
JsonSchemaAssertionTrait.php
MediaWikiCoversValidator.php
MediaWikiDeprecatedConfigPHPUnitExtension.php
MediaWikiGroupValidator.php
MediaWikiIntegrationTestCase.php title: Reset cached Title objects between tests 2025-05-27 12:35:10 +00:00
MediaWikiLangTestCase.php
MediaWikiLoggerPHPUnitExtension.php
MediaWikiPHPUnitResultPrinter.php
MediaWikiTeardownPHPUnitExtension.php
MediaWikiTestCaseTrait.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
MediaWikiUnitTestCase.php
MWTestDox.php
phpunit.php phpunit: Don't override --bootstrap if supplied 2025-01-13 15:14:27 +00:00
README.md
ResourceLoaderTestCase.php Use explicit nullable type on parameter arguments 2024-10-16 20:58:33 +02:00
suite.xml
TestSelectQueryBuilder.php Expand tests for rename user maintenance scripts 2024-10-08 21:51:59 +01:00

MediaWiki PHPUnit tests

WARNING: Integration tests may be destructive and alter or remove parts of your local database. We try to use temporary tables where possible, but you must never run tests on a production server or on a wiki where you don't want to lose data.

Running tests

If you haven't already, run composer update (specifically without --no-dev) in the MediaWiki core directory. This will install PHPUnit.

To read about how to run specific tests, refer to:

https://www.mediawiki.org/wiki/Manual:PHP_unit_testing/Running_the_tests

Writing tests

A guide to writing PHPUnit tests for MediaWiki can be found at:

https://www.mediawiki.org/wiki/Manual:PHP_unit_testing