Chris@0
|
1 <?php
|
Chris@0
|
2
|
Chris@0
|
3 /**
|
Chris@0
|
4 * @file
|
Chris@0
|
5 * Contains \Drupal\Tests\Component\Utility\SafeMarkupTest.
|
Chris@0
|
6 */
|
Chris@0
|
7
|
Chris@0
|
8 namespace Drupal\Tests\Component\Utility;
|
Chris@0
|
9
|
Chris@0
|
10 use Drupal\Component\Render\HtmlEscapedText;
|
Chris@0
|
11 use Drupal\Component\Utility\SafeMarkup;
|
Chris@0
|
12 use Drupal\Component\Render\MarkupInterface;
|
Chris@0
|
13 use Drupal\Component\Render\MarkupTrait;
|
Chris@0
|
14 use Drupal\Component\Utility\UrlHelper;
|
Chris@0
|
15 use PHPUnit\Framework\TestCase;
|
Chris@0
|
16
|
Chris@0
|
17 /**
|
Chris@0
|
18 * Tests marking strings as safe.
|
Chris@0
|
19 *
|
Chris@0
|
20 * @group Utility
|
Chris@17
|
21 * @group legacy
|
Chris@0
|
22 * @coversDefaultClass \Drupal\Component\Utility\SafeMarkup
|
Chris@0
|
23 */
|
Chris@0
|
24 class SafeMarkupTest extends TestCase {
|
Chris@0
|
25
|
Chris@0
|
26 /**
|
Chris@0
|
27 * {@inheritdoc}
|
Chris@0
|
28 */
|
Chris@0
|
29 protected function tearDown() {
|
Chris@0
|
30 parent::tearDown();
|
Chris@0
|
31
|
Chris@0
|
32 UrlHelper::setAllowedProtocols(['http', 'https']);
|
Chris@0
|
33 }
|
Chris@0
|
34
|
Chris@0
|
35 /**
|
Chris@0
|
36 * Tests SafeMarkup::isSafe() with different objects.
|
Chris@0
|
37 *
|
Chris@0
|
38 * @covers ::isSafe
|
Chris@17
|
39 * @expectedDeprecation SafeMarkup::isSafe() is scheduled for removal in Drupal 9.0.0. Instead, you should just check if a variable is an instance of \Drupal\Component\Render\MarkupInterface. See https://www.drupal.org/node/2549395.
|
Chris@0
|
40 */
|
Chris@0
|
41 public function testIsSafe() {
|
Chris@14
|
42 $safe_string = $this->getMockBuilder('\Drupal\Component\Render\MarkupInterface')->getMock();
|
Chris@0
|
43 $this->assertTrue(SafeMarkup::isSafe($safe_string));
|
Chris@0
|
44 $string_object = new SafeMarkupTestString('test');
|
Chris@0
|
45 $this->assertFalse(SafeMarkup::isSafe($string_object));
|
Chris@0
|
46 }
|
Chris@0
|
47
|
Chris@0
|
48 /**
|
Chris@0
|
49 * Tests SafeMarkup::checkPlain().
|
Chris@0
|
50 *
|
Chris@0
|
51 * @dataProvider providerCheckPlain
|
Chris@0
|
52 * @covers ::checkPlain
|
Chris@17
|
53 * @expectedDeprecation SafeMarkup::checkPlain() is scheduled for removal in Drupal 9.0.0. Rely on Twig's auto-escaping feature, or use the @link theme_render #plain_text @endlink key when constructing a render array that contains plain text in order to use the renderer's auto-escaping feature. If neither of these are possible, \Drupal\Component\Utility\Html::escape() can be used in places where explicit escaping is needed. See https://www.drupal.org/node/2549395.
|
Chris@0
|
54 *
|
Chris@0
|
55 * @param string $text
|
Chris@0
|
56 * The text to provide to SafeMarkup::checkPlain().
|
Chris@0
|
57 * @param string $expected
|
Chris@0
|
58 * The expected output from the function.
|
Chris@0
|
59 * @param string $message
|
Chris@0
|
60 * The message to provide as output for the test.
|
Chris@0
|
61 */
|
Chris@0
|
62 public function testCheckPlain($text, $expected, $message) {
|
Chris@0
|
63 $result = SafeMarkup::checkPlain($text);
|
Chris@0
|
64 $this->assertTrue($result instanceof HtmlEscapedText);
|
Chris@0
|
65 $this->assertEquals($expected, $result, $message);
|
Chris@0
|
66 }
|
Chris@0
|
67
|
Chris@0
|
68 /**
|
Chris@0
|
69 * Tests Drupal\Component\Render\HtmlEscapedText.
|
Chris@0
|
70 *
|
Chris@0
|
71 * Verifies that the result of SafeMarkup::checkPlain() is the same as using
|
Chris@0
|
72 * HtmlEscapedText directly.
|
Chris@0
|
73 *
|
Chris@0
|
74 * @dataProvider providerCheckPlain
|
Chris@0
|
75 *
|
Chris@0
|
76 * @param string $text
|
Chris@0
|
77 * The text to provide to the HtmlEscapedText constructor.
|
Chris@0
|
78 * @param string $expected
|
Chris@0
|
79 * The expected output from the function.
|
Chris@0
|
80 * @param string $message
|
Chris@0
|
81 * The message to provide as output for the test.
|
Chris@0
|
82 */
|
Chris@0
|
83 public function testHtmlEscapedText($text, $expected, $message) {
|
Chris@0
|
84 $result = new HtmlEscapedText($text);
|
Chris@0
|
85 $this->assertEquals($expected, $result, $message);
|
Chris@0
|
86 }
|
Chris@0
|
87
|
Chris@0
|
88 /**
|
Chris@0
|
89 * Data provider for testCheckPlain() and testEscapeString().
|
Chris@0
|
90 *
|
Chris@0
|
91 * @see testCheckPlain()
|
Chris@0
|
92 */
|
Chris@0
|
93 public function providerCheckPlain() {
|
Chris@0
|
94 // Checks that invalid multi-byte sequences are escaped.
|
Chris@0
|
95 $tests[] = ["Foo\xC0barbaz", 'Foo�barbaz', 'Escapes invalid sequence "Foo\xC0barbaz"'];
|
Chris@0
|
96 $tests[] = ["\xc2\"", '�"', 'Escapes invalid sequence "\xc2\""'];
|
Chris@0
|
97 $tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"'];
|
Chris@0
|
98
|
Chris@0
|
99 // Checks that special characters are escaped.
|
Chris@0
|
100 $tests[] = [SafeMarkupTestMarkup::create("<script>"), '<script>', 'Escapes <script> even inside an object that implements MarkupInterface.'];
|
Chris@0
|
101 $tests[] = ["<script>", '<script>', 'Escapes <script>'];
|
Chris@0
|
102 $tests[] = ['<>&"\'', '<>&"'', 'Escapes reserved HTML characters.'];
|
Chris@0
|
103 $tests[] = [SafeMarkupTestMarkup::create('<>&"\''), '<>&"'', 'Escapes reserved HTML characters even inside an object that implements MarkupInterface.'];
|
Chris@0
|
104
|
Chris@0
|
105 return $tests;
|
Chris@0
|
106 }
|
Chris@0
|
107
|
Chris@0
|
108 /**
|
Chris@0
|
109 * Tests string formatting with SafeMarkup::format().
|
Chris@0
|
110 *
|
Chris@0
|
111 * @dataProvider providerFormat
|
Chris@0
|
112 * @covers ::format
|
Chris@17
|
113 * @expectedDeprecation SafeMarkup::format() is scheduled for removal in Drupal 9.0.0. Use \Drupal\Component\Render\FormattableMarkup. See https://www.drupal.org/node/2549395.
|
Chris@0
|
114 *
|
Chris@0
|
115 * @param string $string
|
Chris@0
|
116 * The string to run through SafeMarkup::format().
|
Chris@0
|
117 * @param string[] $args
|
Chris@0
|
118 * The arguments to pass into SafeMarkup::format().
|
Chris@0
|
119 * @param string $expected
|
Chris@0
|
120 * The expected result from calling the function.
|
Chris@0
|
121 * @param string $message
|
Chris@0
|
122 * The message to display as output to the test.
|
Chris@0
|
123 * @param bool $expected_is_safe
|
Chris@0
|
124 * Whether the result is expected to be safe for HTML display.
|
Chris@0
|
125 */
|
Chris@0
|
126 public function testFormat($string, array $args, $expected, $message, $expected_is_safe) {
|
Chris@0
|
127 UrlHelper::setAllowedProtocols(['http', 'https', 'mailto']);
|
Chris@0
|
128
|
Chris@0
|
129 $result = SafeMarkup::format($string, $args);
|
Chris@0
|
130 $this->assertEquals($expected, (string) $result, $message);
|
Chris@0
|
131 $this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
|
Chris@0
|
132 }
|
Chris@0
|
133
|
Chris@0
|
134 /**
|
Chris@0
|
135 * Data provider for testFormat().
|
Chris@0
|
136 *
|
Chris@0
|
137 * @see testFormat()
|
Chris@0
|
138 */
|
Chris@0
|
139 public function providerFormat() {
|
Chris@0
|
140 $tests[] = ['Simple text', [], 'Simple text', 'SafeMarkup::format leaves simple text alone.', TRUE];
|
Chris@0
|
141 $tests[] = ['Escaped text: @value', ['@value' => '<script>'], 'Escaped text: <script>', 'SafeMarkup::format replaces and escapes string.', TRUE];
|
Chris@0
|
142 $tests[] = ['Escaped text: @value', ['@value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Escaped text: <span>Safe HTML</span>', 'SafeMarkup::format does not escape an already safe string.', TRUE];
|
Chris@0
|
143 $tests[] = ['Placeholder text: %value', ['%value' => '<script>'], 'Placeholder text: <em class="placeholder"><script></em>', 'SafeMarkup::format replaces, escapes and themes string.', TRUE];
|
Chris@0
|
144 $tests[] = ['Placeholder text: %value', ['%value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Placeholder text: <em class="placeholder"><span>Safe HTML</span></em>', 'SafeMarkup::format does not escape an already safe string themed as a placeholder.', TRUE];
|
Chris@0
|
145
|
Chris@0
|
146 $tests['javascript-protocol-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'javascript://example.com?foo&bar'], 'Simple text <a href="//example.com?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
|
Chris@0
|
147 $tests['external-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com?foo&bar'], 'Simple text <a href="http://example.com?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
|
Chris@0
|
148 $tests['relative-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => '/node/1?foo&bar'], 'Simple text <a href="/node/1?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
|
Chris@0
|
149 $tests['fragment-with-special-chars'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com/#<'], 'Simple text <a href="http://example.com/#&lt;">giraffe</a>', 'Support for filtering bad protocols', TRUE];
|
Chris@0
|
150 $tests['mailto-protocol'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => 'mailto:test@example.com'], 'Hey giraffe <a href="mailto:test@example.com">MUUUH</a>', '', TRUE];
|
Chris@0
|
151 $tests['js-with-fromCharCode'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "javascript:alert(String.fromCharCode(88,83,83))"], 'Hey giraffe <a href="alert(String.fromCharCode(88,83,83))">MUUUH</a>', '', TRUE];
|
Chris@0
|
152
|
Chris@0
|
153 // Test some "URL" values that are not RFC 3986 compliant URLs. The result
|
Chris@0
|
154 // of SafeMarkup::format() should still be valid HTML (other than the
|
Chris@0
|
155 // value of the "href" attribute not being a valid URL), and not
|
Chris@0
|
156 // vulnerable to XSS.
|
Chris@0
|
157 $tests['non-url-with-colon'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "llamas: they are not URLs"], 'Hey giraffe <a href=" they are not URLs">MUUUH</a>', '', TRUE];
|
Chris@0
|
158 $tests['non-url-with-html'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "<span>not a url</span>"], 'Hey giraffe <a href="<span>not a url</span>">MUUUH</a>', '', TRUE];
|
Chris@0
|
159
|
Chris@0
|
160 // Tests non-standard placeholders that will not replace.
|
Chris@0
|
161 $tests['non-standard-placeholder'] = ['Hey hey', ['risky' => "<script>alert('foo');</script>"], 'Hey hey', '', TRUE];
|
Chris@0
|
162 return $tests;
|
Chris@0
|
163 }
|
Chris@0
|
164
|
Chris@0
|
165 }
|
Chris@0
|
166
|
Chris@0
|
167 class SafeMarkupTestString {
|
Chris@0
|
168
|
Chris@0
|
169 protected $string;
|
Chris@0
|
170
|
Chris@0
|
171 public function __construct($string) {
|
Chris@0
|
172 $this->string = $string;
|
Chris@0
|
173 }
|
Chris@0
|
174
|
Chris@0
|
175 public function __toString() {
|
Chris@0
|
176 return $this->string;
|
Chris@0
|
177 }
|
Chris@0
|
178
|
Chris@0
|
179 }
|
Chris@0
|
180
|
Chris@0
|
181 /**
|
Chris@0
|
182 * Marks an object's __toString() method as returning markup.
|
Chris@0
|
183 */
|
Chris@0
|
184 class SafeMarkupTestMarkup implements MarkupInterface {
|
Chris@0
|
185 use MarkupTrait;
|
Chris@0
|
186
|
Chris@0
|
187 }
|