annotate core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php @ 19:fa3358dc1485 tip

Add ndrum files
author Chris Cannam
date Wed, 28 Aug 2019 13:14:47 +0100
parents 129ea1e6d783
children
rev   line source
Chris@0 1 <?php
Chris@0 2
Chris@0 3 /**
Chris@0 4 * @file
Chris@0 5 * Contains \Drupal\Tests\Component\Utility\SafeMarkupTest.
Chris@0 6 */
Chris@0 7
Chris@0 8 namespace Drupal\Tests\Component\Utility;
Chris@0 9
Chris@0 10 use Drupal\Component\Render\HtmlEscapedText;
Chris@0 11 use Drupal\Component\Utility\SafeMarkup;
Chris@0 12 use Drupal\Component\Render\MarkupInterface;
Chris@0 13 use Drupal\Component\Render\MarkupTrait;
Chris@0 14 use Drupal\Component\Utility\UrlHelper;
Chris@0 15 use PHPUnit\Framework\TestCase;
Chris@0 16
Chris@0 17 /**
Chris@0 18 * Tests marking strings as safe.
Chris@0 19 *
Chris@0 20 * @group Utility
Chris@17 21 * @group legacy
Chris@0 22 * @coversDefaultClass \Drupal\Component\Utility\SafeMarkup
Chris@0 23 */
Chris@0 24 class SafeMarkupTest extends TestCase {
Chris@0 25
Chris@0 26 /**
Chris@0 27 * {@inheritdoc}
Chris@0 28 */
Chris@0 29 protected function tearDown() {
Chris@0 30 parent::tearDown();
Chris@0 31
Chris@0 32 UrlHelper::setAllowedProtocols(['http', 'https']);
Chris@0 33 }
Chris@0 34
Chris@0 35 /**
Chris@0 36 * Tests SafeMarkup::isSafe() with different objects.
Chris@0 37 *
Chris@0 38 * @covers ::isSafe
Chris@17 39 * @expectedDeprecation SafeMarkup::isSafe() is scheduled for removal in Drupal 9.0.0. Instead, you should just check if a variable is an instance of \Drupal\Component\Render\MarkupInterface. See https://www.drupal.org/node/2549395.
Chris@0 40 */
Chris@0 41 public function testIsSafe() {
Chris@14 42 $safe_string = $this->getMockBuilder('\Drupal\Component\Render\MarkupInterface')->getMock();
Chris@0 43 $this->assertTrue(SafeMarkup::isSafe($safe_string));
Chris@0 44 $string_object = new SafeMarkupTestString('test');
Chris@0 45 $this->assertFalse(SafeMarkup::isSafe($string_object));
Chris@0 46 }
Chris@0 47
Chris@0 48 /**
Chris@0 49 * Tests SafeMarkup::checkPlain().
Chris@0 50 *
Chris@0 51 * @dataProvider providerCheckPlain
Chris@0 52 * @covers ::checkPlain
Chris@17 53 * @expectedDeprecation SafeMarkup::checkPlain() is scheduled for removal in Drupal 9.0.0. Rely on Twig's auto-escaping feature, or use the @link theme_render #plain_text @endlink key when constructing a render array that contains plain text in order to use the renderer's auto-escaping feature. If neither of these are possible, \Drupal\Component\Utility\Html::escape() can be used in places where explicit escaping is needed. See https://www.drupal.org/node/2549395.
Chris@0 54 *
Chris@0 55 * @param string $text
Chris@0 56 * The text to provide to SafeMarkup::checkPlain().
Chris@0 57 * @param string $expected
Chris@0 58 * The expected output from the function.
Chris@0 59 * @param string $message
Chris@0 60 * The message to provide as output for the test.
Chris@0 61 */
Chris@0 62 public function testCheckPlain($text, $expected, $message) {
Chris@0 63 $result = SafeMarkup::checkPlain($text);
Chris@0 64 $this->assertTrue($result instanceof HtmlEscapedText);
Chris@0 65 $this->assertEquals($expected, $result, $message);
Chris@0 66 }
Chris@0 67
Chris@0 68 /**
Chris@0 69 * Tests Drupal\Component\Render\HtmlEscapedText.
Chris@0 70 *
Chris@0 71 * Verifies that the result of SafeMarkup::checkPlain() is the same as using
Chris@0 72 * HtmlEscapedText directly.
Chris@0 73 *
Chris@0 74 * @dataProvider providerCheckPlain
Chris@0 75 *
Chris@0 76 * @param string $text
Chris@0 77 * The text to provide to the HtmlEscapedText constructor.
Chris@0 78 * @param string $expected
Chris@0 79 * The expected output from the function.
Chris@0 80 * @param string $message
Chris@0 81 * The message to provide as output for the test.
Chris@0 82 */
Chris@0 83 public function testHtmlEscapedText($text, $expected, $message) {
Chris@0 84 $result = new HtmlEscapedText($text);
Chris@0 85 $this->assertEquals($expected, $result, $message);
Chris@0 86 }
Chris@0 87
Chris@0 88 /**
Chris@0 89 * Data provider for testCheckPlain() and testEscapeString().
Chris@0 90 *
Chris@0 91 * @see testCheckPlain()
Chris@0 92 */
Chris@0 93 public function providerCheckPlain() {
Chris@0 94 // Checks that invalid multi-byte sequences are escaped.
Chris@0 95 $tests[] = ["Foo\xC0barbaz", 'Foo�barbaz', 'Escapes invalid sequence "Foo\xC0barbaz"'];
Chris@0 96 $tests[] = ["\xc2\"", '�&quot;', 'Escapes invalid sequence "\xc2\""'];
Chris@0 97 $tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"'];
Chris@0 98
Chris@0 99 // Checks that special characters are escaped.
Chris@0 100 $tests[] = [SafeMarkupTestMarkup::create("<script>"), '&lt;script&gt;', 'Escapes &lt;script&gt; even inside an object that implements MarkupInterface.'];
Chris@0 101 $tests[] = ["<script>", '&lt;script&gt;', 'Escapes &lt;script&gt;'];
Chris@0 102 $tests[] = ['<>&"\'', '&lt;&gt;&amp;&quot;&#039;', 'Escapes reserved HTML characters.'];
Chris@0 103 $tests[] = [SafeMarkupTestMarkup::create('<>&"\''), '&lt;&gt;&amp;&quot;&#039;', 'Escapes reserved HTML characters even inside an object that implements MarkupInterface.'];
Chris@0 104
Chris@0 105 return $tests;
Chris@0 106 }
Chris@0 107
Chris@0 108 /**
Chris@0 109 * Tests string formatting with SafeMarkup::format().
Chris@0 110 *
Chris@0 111 * @dataProvider providerFormat
Chris@0 112 * @covers ::format
Chris@17 113 * @expectedDeprecation SafeMarkup::format() is scheduled for removal in Drupal 9.0.0. Use \Drupal\Component\Render\FormattableMarkup. See https://www.drupal.org/node/2549395.
Chris@0 114 *
Chris@0 115 * @param string $string
Chris@0 116 * The string to run through SafeMarkup::format().
Chris@0 117 * @param string[] $args
Chris@0 118 * The arguments to pass into SafeMarkup::format().
Chris@0 119 * @param string $expected
Chris@0 120 * The expected result from calling the function.
Chris@0 121 * @param string $message
Chris@0 122 * The message to display as output to the test.
Chris@0 123 * @param bool $expected_is_safe
Chris@0 124 * Whether the result is expected to be safe for HTML display.
Chris@0 125 */
Chris@0 126 public function testFormat($string, array $args, $expected, $message, $expected_is_safe) {
Chris@0 127 UrlHelper::setAllowedProtocols(['http', 'https', 'mailto']);
Chris@0 128
Chris@0 129 $result = SafeMarkup::format($string, $args);
Chris@0 130 $this->assertEquals($expected, (string) $result, $message);
Chris@0 131 $this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.');
Chris@0 132 }
Chris@0 133
Chris@0 134 /**
Chris@0 135 * Data provider for testFormat().
Chris@0 136 *
Chris@0 137 * @see testFormat()
Chris@0 138 */
Chris@0 139 public function providerFormat() {
Chris@0 140 $tests[] = ['Simple text', [], 'Simple text', 'SafeMarkup::format leaves simple text alone.', TRUE];
Chris@0 141 $tests[] = ['Escaped text: @value', ['@value' => '<script>'], 'Escaped text: &lt;script&gt;', 'SafeMarkup::format replaces and escapes string.', TRUE];
Chris@0 142 $tests[] = ['Escaped text: @value', ['@value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Escaped text: <span>Safe HTML</span>', 'SafeMarkup::format does not escape an already safe string.', TRUE];
Chris@0 143 $tests[] = ['Placeholder text: %value', ['%value' => '<script>'], 'Placeholder text: <em class="placeholder">&lt;script&gt;</em>', 'SafeMarkup::format replaces, escapes and themes string.', TRUE];
Chris@0 144 $tests[] = ['Placeholder text: %value', ['%value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Placeholder text: <em class="placeholder"><span>Safe HTML</span></em>', 'SafeMarkup::format does not escape an already safe string themed as a placeholder.', TRUE];
Chris@0 145
Chris@0 146 $tests['javascript-protocol-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'javascript://example.com?foo&bar'], 'Simple text <a href="//example.com?foo&amp;bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
Chris@0 147 $tests['external-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com?foo&bar'], 'Simple text <a href="http://example.com?foo&amp;bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
Chris@0 148 $tests['relative-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => '/node/1?foo&bar'], 'Simple text <a href="/node/1?foo&amp;bar">giraffe</a>', 'Support for filtering bad protocols', TRUE];
Chris@0 149 $tests['fragment-with-special-chars'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com/#&lt;'], 'Simple text <a href="http://example.com/#&amp;lt;">giraffe</a>', 'Support for filtering bad protocols', TRUE];
Chris@0 150 $tests['mailto-protocol'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => 'mailto:test@example.com'], 'Hey giraffe <a href="mailto:test@example.com">MUUUH</a>', '', TRUE];
Chris@0 151 $tests['js-with-fromCharCode'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "javascript:alert(String.fromCharCode(88,83,83))"], 'Hey giraffe <a href="alert(String.fromCharCode(88,83,83))">MUUUH</a>', '', TRUE];
Chris@0 152
Chris@0 153 // Test some "URL" values that are not RFC 3986 compliant URLs. The result
Chris@0 154 // of SafeMarkup::format() should still be valid HTML (other than the
Chris@0 155 // value of the "href" attribute not being a valid URL), and not
Chris@0 156 // vulnerable to XSS.
Chris@0 157 $tests['non-url-with-colon'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "llamas: they are not URLs"], 'Hey giraffe <a href=" they are not URLs">MUUUH</a>', '', TRUE];
Chris@0 158 $tests['non-url-with-html'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "<span>not a url</span>"], 'Hey giraffe <a href="&lt;span&gt;not a url&lt;/span&gt;">MUUUH</a>', '', TRUE];
Chris@0 159
Chris@0 160 // Tests non-standard placeholders that will not replace.
Chris@0 161 $tests['non-standard-placeholder'] = ['Hey hey', ['risky' => "<script>alert('foo');</script>"], 'Hey hey', '', TRUE];
Chris@0 162 return $tests;
Chris@0 163 }
Chris@0 164
Chris@0 165 }
Chris@0 166
Chris@0 167 class SafeMarkupTestString {
Chris@0 168
Chris@0 169 protected $string;
Chris@0 170
Chris@0 171 public function __construct($string) {
Chris@0 172 $this->string = $string;
Chris@0 173 }
Chris@0 174
Chris@0 175 public function __toString() {
Chris@0 176 return $this->string;
Chris@0 177 }
Chris@0 178
Chris@0 179 }
Chris@0 180
Chris@0 181 /**
Chris@0 182 * Marks an object's __toString() method as returning markup.
Chris@0 183 */
Chris@0 184 class SafeMarkupTestMarkup implements MarkupInterface {
Chris@0 185 use MarkupTrait;
Chris@0 186
Chris@0 187 }