2006-08-12 01:12:35 +00:00
|
|
|
<?php
|
|
|
|
|
|
2007-08-01 18:34:46 +00:00
|
|
|
/**
|
|
|
|
|
* @todo Aim for complete code coverage with mocks
|
|
|
|
|
*/
|
2006-08-12 01:12:35 +00:00
|
|
|
class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
|
|
|
|
|
{
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function setUp()
|
|
|
|
|
{
|
2007-08-01 18:34:46 +00:00
|
|
|
$this->def = new HTMLPurifier_AttrDef_URI();
|
2007-08-01 01:48:51 +00:00
|
|
|
parent::setUp();
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testIntegration()
|
|
|
|
|
{
|
2006-08-12 19:11:21 +00:00
|
|
|
$this->assertDef('http://www.google.com/');
|
2007-08-01 13:15:33 +00:00
|
|
|
$this->assertDef('http:', '');
|
|
|
|
|
$this->assertDef('http:/foo', '/foo');
|
2006-08-12 19:11:21 +00:00
|
|
|
$this->assertDef('javascript:bad_stuff();', false);
|
|
|
|
|
$this->assertDef('ftp://www.example.com/');
|
|
|
|
|
$this->assertDef('news:rec.alt');
|
|
|
|
|
$this->assertDef('nntp://news.example.com/324234');
|
|
|
|
|
$this->assertDef('mailto:bob@example.com');
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testIntegrationWithPercentEncoder()
|
|
|
|
|
{
|
2007-08-01 18:34:46 +00:00
|
|
|
$this->assertDef(
|
|
|
|
|
'http://www.example.com/%56%fc%GJ%5%FC',
|
|
|
|
|
'http://www.example.com/V%FC%25GJ%255%FC'
|
|
|
|
|
);
|
2006-11-12 03:35:41 +00:00
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testPercentEncoding()
|
|
|
|
|
{
|
2008-05-14 02:19:00 +00:00
|
|
|
$this->assertDef(
|
|
|
|
|
'http:colon:mercenary',
|
|
|
|
|
'colon%3Amercenary'
|
|
|
|
|
);
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testPercentEncodingPreserve()
|
|
|
|
|
{
|
2008-05-14 02:19:00 +00:00
|
|
|
$this->assertDef(
|
|
|
|
|
'http://www.example.com/abcABC123-_.!~*()\''
|
|
|
|
|
);
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testEmbeds()
|
|
|
|
|
{
|
2006-11-17 23:09:10 +00:00
|
|
|
$this->def = new HTMLPurifier_AttrDef_URI(true);
|
|
|
|
|
$this->assertDef('http://sub.example.com/alas?foo=asd');
|
|
|
|
|
$this->assertDef('mailto:foo@example.com', false);
|
2006-11-23 23:59:20 +00:00
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testConfigMunge()
|
|
|
|
|
{
|
2009-02-20 00:17:49 +00:00
|
|
|
$this->config->set('URI.Munge', 'http://www.google.com/url?q=%s');
|
2006-11-24 00:29:16 +00:00
|
|
|
$this->assertDef(
|
|
|
|
|
'http://www.example.com/',
|
|
|
|
|
'http://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F'
|
|
|
|
|
);
|
|
|
|
|
$this->assertDef('index.html');
|
|
|
|
|
$this->assertDef('javascript:foobar();', false);
|
2006-11-26 23:14:12 +00:00
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testDefaultSchemeRemovedInBlank()
|
|
|
|
|
{
|
2007-08-02 01:41:37 +00:00
|
|
|
$this->assertDef('http:', '');
|
2007-08-02 01:12:27 +00:00
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testDefaultSchemeRemovedInRelativeURI()
|
|
|
|
|
{
|
2007-08-02 01:41:37 +00:00
|
|
|
$this->assertDef('http:/foo/bar', '/foo/bar');
|
2007-08-02 01:12:27 +00:00
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testDefaultSchemeNotRemovedInAbsoluteURI()
|
|
|
|
|
{
|
2007-08-02 01:41:37 +00:00
|
|
|
$this->assertDef('http://example.com/foo/bar');
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testAltSchemeNotRemoved()
|
|
|
|
|
{
|
2007-08-02 01:41:37 +00:00
|
|
|
$this->assertDef('mailto:this-looks-like-a-path@example.com');
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testResolveNullSchemeAmbiguity()
|
|
|
|
|
{
|
Dramatically rewrite null host URI handling.
Basically, browsers don't parse what should be valid URIs correctly, so
we have to go through some backbends to accomodate them. Specifically,
for browseable URIs, the following URIs have unintended behavior:
- ///example.com
- http:/example.com
- http:///example.com
Furthermore, if the path begins with //, modifying these URLs must
be done with care, as if you remove the host-name component, the
parse tree changes.
I've modified the engine to follow correct URI semantics as much
as possible while outputting browser compatible code, and invalidate
the URI in cases where we can't deal. There has been a refactoring
of URIScheme so that this important check is always performed,
introducing a new member variable allow_empty_host which is true
on data, file, mailto and news schemes.
This also fixes bypass bugs on URI.Munge.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-01-25 18:56:46 +00:00
|
|
|
$this->assertDef('///foo', '/foo');
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testResolveNullSchemeDoubleAmbiguity()
|
|
|
|
|
{
|
Dramatically rewrite null host URI handling.
Basically, browsers don't parse what should be valid URIs correctly, so
we have to go through some backbends to accomodate them. Specifically,
for browseable URIs, the following URIs have unintended behavior:
- ///example.com
- http:/example.com
- http:///example.com
Furthermore, if the path begins with //, modifying these URLs must
be done with care, as if you remove the host-name component, the
parse tree changes.
I've modified the engine to follow correct URI semantics as much
as possible while outputting browser compatible code, and invalidate
the URI in cases where we can't deal. There has been a refactoring
of URIScheme so that this important check is always performed,
introducing a new member variable allow_empty_host which is true
on data, file, mailto and news schemes.
This also fixes bypass bugs on URI.Munge.
Signed-off-by: Edward Z. Yang <ezyang@mit.edu>
2011-01-25 18:56:46 +00:00
|
|
|
$this->config->set('URI.Host', 'example.com');
|
|
|
|
|
$this->assertDef('////foo', '//example.com//foo');
|
|
|
|
|
}
|
|
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function testURIDefinitionValidation()
|
|
|
|
|
{
|
2007-08-02 01:41:37 +00:00
|
|
|
$parser = new HTMLPurifier_URIParser();
|
|
|
|
|
$uri = $parser->parse('http://example.com');
|
2009-02-20 00:17:49 +00:00
|
|
|
$this->config->set('URI.DefinitionID', 'HTMLPurifier_AttrDef_URITest->testURIDefinitionValidation');
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:41:37 +00:00
|
|
|
generate_mock_once('HTMLPurifier_URIDefinition');
|
|
|
|
|
$uri_def = new HTMLPurifier_URIDefinitionMock();
|
|
|
|
|
$uri_def->expectOnce('filter', array($uri, '*', '*'));
|
|
|
|
|
$uri_def->setReturnValue('filter', true, array($uri, '*', '*'));
|
2008-05-26 16:26:47 +00:00
|
|
|
$uri_def->expectOnce('postFilter', array($uri, '*', '*'));
|
|
|
|
|
$uri_def->setReturnValue('postFilter', true, array($uri, '*', '*'));
|
2007-08-02 01:41:37 +00:00
|
|
|
$uri_def->setup = true;
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-04-23 02:40:17 +00:00
|
|
|
// Since definitions are no longer passed by reference, we need
|
|
|
|
|
// to muck around with the cache to insert our mock. This is
|
|
|
|
|
// technically a little bad, since the cache shouldn't change
|
|
|
|
|
// behavior, but I don't feel too good about letting users
|
|
|
|
|
// overload entire definitions.
|
|
|
|
|
generate_mock_once('HTMLPurifier_DefinitionCache');
|
|
|
|
|
$cache_mock = new HTMLPurifier_DefinitionCacheMock();
|
|
|
|
|
$cache_mock->setReturnValue('get', $uri_def);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-04-23 02:40:17 +00:00
|
|
|
generate_mock_once('HTMLPurifier_DefinitionCacheFactory');
|
|
|
|
|
$factory_mock = new HTMLPurifier_DefinitionCacheFactoryMock();
|
|
|
|
|
$old = HTMLPurifier_DefinitionCacheFactory::instance();
|
|
|
|
|
HTMLPurifier_DefinitionCacheFactory::instance($factory_mock);
|
|
|
|
|
$factory_mock->setReturnValue('create', $cache_mock);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:41:37 +00:00
|
|
|
$this->assertDef('http://example.com');
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-04-23 02:40:17 +00:00
|
|
|
HTMLPurifier_DefinitionCacheFactory::instance($old);
|
2007-08-02 01:12:27 +00:00
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2013-07-16 11:56:14 +00:00
|
|
|
public function test_make()
|
|
|
|
|
{
|
2008-06-09 01:23:05 +00:00
|
|
|
$factory = new HTMLPurifier_AttrDef_URI();
|
|
|
|
|
$def = $factory->make('');
|
|
|
|
|
$def2 = new HTMLPurifier_AttrDef_URI();
|
|
|
|
|
$this->assertIdentical($def, $def2);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2008-06-09 01:23:05 +00:00
|
|
|
$def = $factory->make('embedded');
|
|
|
|
|
$def2 = new HTMLPurifier_AttrDef_URI(true);
|
|
|
|
|
$this->assertIdentical($def, $def2);
|
|
|
|
|
}
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
/*
|
2013-07-16 11:56:14 +00:00
|
|
|
public function test_validate_configWhitelist()
|
|
|
|
|
{
|
2009-02-20 00:17:49 +00:00
|
|
|
$this->config->set('URI.HostPolicy', 'DenyAll');
|
|
|
|
|
$this->config->set('URI.HostWhitelist', array(null, 'google.com'));
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
$this->assertDef('http://example.com/fo/google.com', false);
|
|
|
|
|
$this->assertDef('server.txt');
|
|
|
|
|
$this->assertDef('ftp://www.google.com/?t=a');
|
|
|
|
|
$this->assertDef('http://google.com.tricky.spamsite.net', false);
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2007-08-02 01:12:27 +00:00
|
|
|
}
|
|
|
|
|
*/
|
2008-12-06 07:28:20 +00:00
|
|
|
|
2006-08-12 01:12:35 +00:00
|
|
|
}
|
|
|
|
|
|
2008-12-06 09:24:59 +00:00
|
|
|
// vim: et sw=4 sts=4
|
