2006-09-01 17:56:55 +00:00
|
|
|
<?php
|
|
|
|
|
2007-08-04 14:51:06 +00:00
|
|
|
class HTMLPurifierTest extends HTMLPurifier_Harness
|
2006-09-01 17:56:55 +00:00
|
|
|
{
|
2007-11-25 02:24:39 +00:00
|
|
|
protected $purifier;
|
2006-09-01 17:56:55 +00:00
|
|
|
|
2006-11-22 18:17:39 +00:00
|
|
|
function testNull() {
|
|
|
|
$this->assertPurification("Null byte\0", "Null byte");
|
|
|
|
}
|
|
|
|
|
|
|
|
function testStrict() {
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->config->set('HTML', 'Strict', true);
|
2006-11-22 18:17:39 +00:00
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<u>Illegal underline</u>',
|
2007-05-20 21:22:54 +00:00
|
|
|
'<span style="text-decoration:underline;">Illegal underline</span>'
|
2006-11-22 18:17:39 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<blockquote>Illegal contents</blockquote>',
|
2006-11-23 03:23:35 +00:00
|
|
|
'<blockquote><p>Illegal contents</p></blockquote>'
|
2006-11-22 18:17:39 +00:00
|
|
|
);
|
|
|
|
|
2006-09-01 17:56:55 +00:00
|
|
|
}
|
2006-11-22 18:17:39 +00:00
|
|
|
|
2006-11-23 13:51:19 +00:00
|
|
|
function testDifferentAllowedElements() {
|
2006-12-15 02:12:03 +00:00
|
|
|
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->config->set('HTML', 'AllowedElements', array('b', 'i', 'p', 'a'));
|
|
|
|
$this->config->set('HTML', 'AllowedAttributes', array('a.href', '*.id'));
|
2006-11-23 13:51:19 +00:00
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<p>Par.</p><p>Para<a href="http://google.com/">gr</a>aph</p>Text<b>Bol<i>d</i></b>'
|
|
|
|
);
|
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<span>Not allowed</span><a class="mef" id="foobar">Foobar</a>',
|
|
|
|
'Not allowed<a>Foobar</a>' // no ID!!!
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2008-04-22 07:16:49 +00:00
|
|
|
function testBlacklistElements() {
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->config->set('HTML', 'ForbiddenElements', array('b'));
|
|
|
|
$this->config->set('HTML', 'ForbiddenAttributes', array('a@href'));
|
|
|
|
|
2008-04-22 07:16:49 +00:00
|
|
|
$this->assertPurification(
|
|
|
|
'<p>Par.</p>'
|
|
|
|
);
|
|
|
|
$this->assertPurification(
|
|
|
|
'<b>Pa<a href="foo">r</a>.</b>',
|
|
|
|
'Pa<a>r</a>.'
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2008-03-30 21:44:16 +00:00
|
|
|
function testDifferentAllowedCSSProperties() {
|
|
|
|
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->config->set('CSS', 'AllowedProperties', array('color', 'background-color'));
|
2008-03-30 21:44:16 +00:00
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<div style="color:#f00;background-color:#ded;">red</div>'
|
|
|
|
);
|
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<div style="color:#f00;border:1px solid #000">red</div>',
|
|
|
|
'<div style="color:#f00;">red</div>'
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2006-11-23 23:59:20 +00:00
|
|
|
function testDisableURI() {
|
|
|
|
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->config->set('URI', 'Disable', true);
|
2006-11-23 23:59:20 +00:00
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<img src="foobar"/>',
|
|
|
|
''
|
|
|
|
);
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2006-12-20 23:51:09 +00:00
|
|
|
function test_purifyArray() {
|
|
|
|
|
2007-05-05 20:17:04 +00:00
|
|
|
$this->assertIdentical(
|
2006-12-20 23:51:09 +00:00
|
|
|
$this->purifier->purifyArray(
|
|
|
|
array('Good', '<b>Sketchy', 'foo' => '<script>bad</script>')
|
|
|
|
),
|
2007-06-16 19:31:45 +00:00
|
|
|
array('Good', '<b>Sketchy</b>', 'foo' => '')
|
2006-12-20 23:51:09 +00:00
|
|
|
);
|
|
|
|
|
|
|
|
$this->assertIsA($this->purifier->context, 'array');
|
|
|
|
|
|
|
|
}
|
|
|
|
|
2008-04-26 03:14:01 +00:00
|
|
|
function testAttrIDDisabledByDefault() {
|
2007-02-11 01:52:56 +00:00
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<span id="moon">foobar</span>',
|
|
|
|
'<span>foobar</span>'
|
|
|
|
);
|
|
|
|
|
2008-04-26 03:14:01 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
function testEnableAttrID() {
|
|
|
|
$this->config->set('Attr', 'EnableID', true);
|
2007-02-11 01:52:56 +00:00
|
|
|
$this->assertPurification('<span id="moon">foobar</span>');
|
2007-09-26 23:36:37 +00:00
|
|
|
$this->assertPurification('<img id="folly" src="folly.png" alt="Omigosh!" />');
|
2007-02-11 01:52:56 +00:00
|
|
|
}
|
|
|
|
|
2007-06-21 14:44:26 +00:00
|
|
|
function testScript() {
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->config->set('HTML', 'Trusted', true);
|
|
|
|
|
2007-06-21 14:44:26 +00:00
|
|
|
$ideal = '<script type="text/javascript"><!--//--><![CDATA[//><!--
|
|
|
|
alert("<This is compatible with XHTML>");
|
|
|
|
//--><!]]></script>';
|
|
|
|
|
|
|
|
$this->assertPurification($ideal);
|
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<script type="text/javascript"><![CDATA[
|
|
|
|
alert("<This is compatible with XHTML>");
|
|
|
|
]]></script>',
|
|
|
|
$ideal
|
|
|
|
);
|
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<script type="text/javascript">alert("<This is compatible with XHTML>");</script>',
|
|
|
|
$ideal
|
|
|
|
);
|
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<script type="text/javascript"><!--
|
|
|
|
alert("<This is compatible with XHTML>");
|
|
|
|
//--></script>',
|
|
|
|
$ideal
|
|
|
|
);
|
|
|
|
|
|
|
|
$this->assertPurification(
|
|
|
|
'<script type="text/javascript"><![CDATA[
|
|
|
|
alert("<This is compatible with XHTML>");
|
|
|
|
//]]></script>',
|
|
|
|
$ideal
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2007-08-03 15:11:08 +00:00
|
|
|
function testGetInstance() {
|
2008-02-17 18:21:45 +00:00
|
|
|
$purifier = HTMLPurifier::getInstance();
|
|
|
|
$purifier2 = HTMLPurifier::getInstance();
|
2007-08-03 15:11:08 +00:00
|
|
|
$this->assertReference($purifier, $purifier2);
|
|
|
|
}
|
|
|
|
|
2007-08-03 21:17:15 +00:00
|
|
|
function testMakeAbsolute() {
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->config->set('URI', 'Base', 'http://example.com/bar/baz.php');
|
|
|
|
$this->config->set('URI', 'MakeAbsolute', true);
|
2007-08-03 21:17:15 +00:00
|
|
|
$this->assertPurification(
|
|
|
|
'<a href="foo.txt">Foobar</a>',
|
2008-04-26 03:14:01 +00:00
|
|
|
'<a href="http://example.com/bar/foo.txt">Foobar</a>'
|
2007-08-03 21:17:15 +00:00
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2008-04-22 06:40:04 +00:00
|
|
|
function test_addFilter_deprecated() {
|
|
|
|
$this->expectError('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom');
|
|
|
|
generate_mock_once('HTMLPurifier_Filter');
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->purifier->addFilter($mock = new HTMLPurifier_FilterMock());
|
2008-04-22 06:40:04 +00:00
|
|
|
$mock->expectOnce('preFilter');
|
|
|
|
$mock->expectOnce('postFilter');
|
2008-04-26 03:14:01 +00:00
|
|
|
$this->purifier->purify('foo');
|
2008-04-22 06:40:04 +00:00
|
|
|
}
|
|
|
|
|
2008-05-25 05:40:20 +00:00
|
|
|
function test_shiftJis() {
|
|
|
|
if (!function_exists('iconv')) return;
|
|
|
|
$this->config->set('Core', 'Encoding', 'Shift_JIS');
|
|
|
|
$this->config->set('Core', 'EscapeNonASCIICharacters', true);
|
|
|
|
$this->assertPurification(
|
|
|
|
"<b style=\"font-family:'¥';\">111</b>"
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
function test_shiftJisWorstCase() {
|
|
|
|
if (!function_exists('iconv')) return;
|
|
|
|
$this->config->set('Core', 'Encoding', 'Shift_JIS');
|
|
|
|
$this->assertPurification( // Notice how Yen disappears
|
|
|
|
"<b style=\"font-family:'¥';\">111</b>",
|
|
|
|
"<b style=\"font-family:'';\">111</b>"
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2008-05-27 17:47:25 +00:00
|
|
|
function test_secureMunge() {
|
|
|
|
$this->config->set('URI', 'SecureMunge', '/redirect.php?url=%s&check=%t');
|
|
|
|
$this->config->set('URI', 'SecureMungeSecretKey', 'foo');
|
|
|
|
$this->assertPurification(
|
2008-06-02 17:39:29 +00:00
|
|
|
'<a href="http://localhost">foo</a><img src="http://localhost" alt="local" />',
|
|
|
|
'<a href="/redirect.php?url=http%3A%2F%2Flocalhost&check=8e8223ae8fac24561104180ea549c21fbd111be7">foo</a><img src="http://localhost" alt="local" />'
|
2008-05-27 17:47:25 +00:00
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2008-06-10 01:18:03 +00:00
|
|
|
function test_safeObjectAndEmbed() {
|
|
|
|
$this->config->set('HTML', 'SafeObject', true);
|
|
|
|
$this->config->set('HTML', 'SafeEmbed', true);
|
|
|
|
$this->assertPurification(
|
|
|
|
'<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
|
2008-06-12 03:12:39 +00:00
|
|
|
'<object width="425" height="344" data="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
|
2008-06-10 01:18:03 +00:00
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
function test_safeObjectAndEmbedWithSecureMunge() {
|
|
|
|
$this->config->set('HTML', 'SafeObject', true);
|
|
|
|
$this->config->set('HTML', 'SafeEmbed', true);
|
|
|
|
$this->config->set('URI', 'SecureMunge', '/redirect.php?url=%s&check=%t');
|
|
|
|
$this->config->set('URI', 'SecureMungeSecretKey', 'foo');
|
|
|
|
$this->assertPurification(
|
|
|
|
'<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
|
2008-06-12 03:12:39 +00:00
|
|
|
'<object width="425" height="344" data="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
|
2008-06-10 01:18:03 +00:00
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2006-09-01 17:56:55 +00:00
|
|
|
}
|
|
|
|
|