Mercurial > hg > isophonics-drupal-site
comparison core/tests/Drupal/Tests/Component/Utility/SafeMarkupTest.php @ 0:4c8ae668cc8c
Initial import (non-working)
| author | Chris Cannam |
|---|---|
| date | Wed, 29 Nov 2017 16:09:58 +0000 |
| parents | |
| children | 1fec387a4317 |
comparison
equal
deleted
inserted
replaced
| -1:000000000000 | 0:4c8ae668cc8c |
|---|---|
| 1 <?php | |
| 2 | |
| 3 /** | |
| 4 * @file | |
| 5 * Contains \Drupal\Tests\Component\Utility\SafeMarkupTest. | |
| 6 */ | |
| 7 | |
| 8 namespace Drupal\Tests\Component\Utility; | |
| 9 | |
| 10 use Drupal\Component\Render\HtmlEscapedText; | |
| 11 use Drupal\Component\Utility\SafeMarkup; | |
| 12 use Drupal\Component\Render\MarkupInterface; | |
| 13 use Drupal\Component\Render\MarkupTrait; | |
| 14 use Drupal\Component\Utility\UrlHelper; | |
| 15 use PHPUnit\Framework\TestCase; | |
| 16 | |
| 17 /** | |
| 18 * Tests marking strings as safe. | |
| 19 * | |
| 20 * @group Utility | |
| 21 * @coversDefaultClass \Drupal\Component\Utility\SafeMarkup | |
| 22 */ | |
| 23 class SafeMarkupTest extends TestCase { | |
| 24 | |
| 25 /** | |
| 26 * {@inheritdoc} | |
| 27 */ | |
| 28 protected function tearDown() { | |
| 29 parent::tearDown(); | |
| 30 | |
| 31 UrlHelper::setAllowedProtocols(['http', 'https']); | |
| 32 } | |
| 33 | |
| 34 /** | |
| 35 * Tests SafeMarkup::isSafe() with different objects. | |
| 36 * | |
| 37 * @covers ::isSafe | |
| 38 */ | |
| 39 public function testIsSafe() { | |
| 40 $safe_string = $this->getMock('\Drupal\Component\Render\MarkupInterface'); | |
| 41 $this->assertTrue(SafeMarkup::isSafe($safe_string)); | |
| 42 $string_object = new SafeMarkupTestString('test'); | |
| 43 $this->assertFalse(SafeMarkup::isSafe($string_object)); | |
| 44 } | |
| 45 | |
| 46 /** | |
| 47 * Tests SafeMarkup::checkPlain(). | |
| 48 * | |
| 49 * @dataProvider providerCheckPlain | |
| 50 * @covers ::checkPlain | |
| 51 * | |
| 52 * @param string $text | |
| 53 * The text to provide to SafeMarkup::checkPlain(). | |
| 54 * @param string $expected | |
| 55 * The expected output from the function. | |
| 56 * @param string $message | |
| 57 * The message to provide as output for the test. | |
| 58 */ | |
| 59 public function testCheckPlain($text, $expected, $message) { | |
| 60 $result = SafeMarkup::checkPlain($text); | |
| 61 $this->assertTrue($result instanceof HtmlEscapedText); | |
| 62 $this->assertEquals($expected, $result, $message); | |
| 63 } | |
| 64 | |
| 65 /** | |
| 66 * Tests Drupal\Component\Render\HtmlEscapedText. | |
| 67 * | |
| 68 * Verifies that the result of SafeMarkup::checkPlain() is the same as using | |
| 69 * HtmlEscapedText directly. | |
| 70 * | |
| 71 * @dataProvider providerCheckPlain | |
| 72 * | |
| 73 * @param string $text | |
| 74 * The text to provide to the HtmlEscapedText constructor. | |
| 75 * @param string $expected | |
| 76 * The expected output from the function. | |
| 77 * @param string $message | |
| 78 * The message to provide as output for the test. | |
| 79 */ | |
| 80 public function testHtmlEscapedText($text, $expected, $message) { | |
| 81 $result = new HtmlEscapedText($text); | |
| 82 $this->assertEquals($expected, $result, $message); | |
| 83 } | |
| 84 | |
| 85 /** | |
| 86 * Data provider for testCheckPlain() and testEscapeString(). | |
| 87 * | |
| 88 * @see testCheckPlain() | |
| 89 */ | |
| 90 public function providerCheckPlain() { | |
| 91 // Checks that invalid multi-byte sequences are escaped. | |
| 92 $tests[] = ["Foo\xC0barbaz", 'Foo�barbaz', 'Escapes invalid sequence "Foo\xC0barbaz"']; | |
| 93 $tests[] = ["\xc2\"", '�"', 'Escapes invalid sequence "\xc2\""']; | |
| 94 $tests[] = ["Fooÿñ", "Fooÿñ", 'Does not escape valid sequence "Fooÿñ"']; | |
| 95 | |
| 96 // Checks that special characters are escaped. | |
| 97 $tests[] = [SafeMarkupTestMarkup::create("<script>"), '<script>', 'Escapes <script> even inside an object that implements MarkupInterface.']; | |
| 98 $tests[] = ["<script>", '<script>', 'Escapes <script>']; | |
| 99 $tests[] = ['<>&"\'', '<>&"'', 'Escapes reserved HTML characters.']; | |
| 100 $tests[] = [SafeMarkupTestMarkup::create('<>&"\''), '<>&"'', 'Escapes reserved HTML characters even inside an object that implements MarkupInterface.']; | |
| 101 | |
| 102 return $tests; | |
| 103 } | |
| 104 | |
| 105 /** | |
| 106 * Tests string formatting with SafeMarkup::format(). | |
| 107 * | |
| 108 * @dataProvider providerFormat | |
| 109 * @covers ::format | |
| 110 * | |
| 111 * @param string $string | |
| 112 * The string to run through SafeMarkup::format(). | |
| 113 * @param string[] $args | |
| 114 * The arguments to pass into SafeMarkup::format(). | |
| 115 * @param string $expected | |
| 116 * The expected result from calling the function. | |
| 117 * @param string $message | |
| 118 * The message to display as output to the test. | |
| 119 * @param bool $expected_is_safe | |
| 120 * Whether the result is expected to be safe for HTML display. | |
| 121 */ | |
| 122 public function testFormat($string, array $args, $expected, $message, $expected_is_safe) { | |
| 123 UrlHelper::setAllowedProtocols(['http', 'https', 'mailto']); | |
| 124 | |
| 125 $result = SafeMarkup::format($string, $args); | |
| 126 $this->assertEquals($expected, (string) $result, $message); | |
| 127 $this->assertEquals($expected_is_safe, $result instanceof MarkupInterface, 'SafeMarkup::format correctly sets the result as safe or not safe.'); | |
| 128 | |
| 129 foreach ($args as $arg) { | |
| 130 $this->assertSame($arg instanceof SafeMarkupTestMarkup, SafeMarkup::isSafe($arg)); | |
| 131 } | |
| 132 } | |
| 133 | |
| 134 /** | |
| 135 * Data provider for testFormat(). | |
| 136 * | |
| 137 * @see testFormat() | |
| 138 */ | |
| 139 public function providerFormat() { | |
| 140 $tests[] = ['Simple text', [], 'Simple text', 'SafeMarkup::format leaves simple text alone.', TRUE]; | |
| 141 $tests[] = ['Escaped text: @value', ['@value' => '<script>'], 'Escaped text: <script>', 'SafeMarkup::format replaces and escapes string.', TRUE]; | |
| 142 $tests[] = ['Escaped text: @value', ['@value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Escaped text: <span>Safe HTML</span>', 'SafeMarkup::format does not escape an already safe string.', TRUE]; | |
| 143 $tests[] = ['Placeholder text: %value', ['%value' => '<script>'], 'Placeholder text: <em class="placeholder"><script></em>', 'SafeMarkup::format replaces, escapes and themes string.', TRUE]; | |
| 144 $tests[] = ['Placeholder text: %value', ['%value' => SafeMarkupTestMarkup::create('<span>Safe HTML</span>')], 'Placeholder text: <em class="placeholder"><span>Safe HTML</span></em>', 'SafeMarkup::format does not escape an already safe string themed as a placeholder.', TRUE]; | |
| 145 | |
| 146 $tests['javascript-protocol-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'javascript://example.com?foo&bar'], 'Simple text <a href="//example.com?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE]; | |
| 147 $tests['external-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com?foo&bar'], 'Simple text <a href="http://example.com?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE]; | |
| 148 $tests['relative-url'] = ['Simple text <a href=":url">giraffe</a>', [':url' => '/node/1?foo&bar'], 'Simple text <a href="/node/1?foo&bar">giraffe</a>', 'Support for filtering bad protocols', TRUE]; | |
| 149 $tests['fragment-with-special-chars'] = ['Simple text <a href=":url">giraffe</a>', [':url' => 'http://example.com/#<'], 'Simple text <a href="http://example.com/#&lt;">giraffe</a>', 'Support for filtering bad protocols', TRUE]; | |
| 150 $tests['mailto-protocol'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => 'mailto:test@example.com'], 'Hey giraffe <a href="mailto:test@example.com">MUUUH</a>', '', TRUE]; | |
| 151 $tests['js-with-fromCharCode'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "javascript:alert(String.fromCharCode(88,83,83))"], 'Hey giraffe <a href="alert(String.fromCharCode(88,83,83))">MUUUH</a>', '', TRUE]; | |
| 152 | |
| 153 // Test some "URL" values that are not RFC 3986 compliant URLs. The result | |
| 154 // of SafeMarkup::format() should still be valid HTML (other than the | |
| 155 // value of the "href" attribute not being a valid URL), and not | |
| 156 // vulnerable to XSS. | |
| 157 $tests['non-url-with-colon'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "llamas: they are not URLs"], 'Hey giraffe <a href=" they are not URLs">MUUUH</a>', '', TRUE]; | |
| 158 $tests['non-url-with-html'] = ['Hey giraffe <a href=":url">MUUUH</a>', [':url' => "<span>not a url</span>"], 'Hey giraffe <a href="<span>not a url</span>">MUUUH</a>', '', TRUE]; | |
| 159 | |
| 160 // Tests non-standard placeholders that will not replace. | |
| 161 $tests['non-standard-placeholder'] = ['Hey hey', ['risky' => "<script>alert('foo');</script>"], 'Hey hey', '', TRUE]; | |
| 162 return $tests; | |
| 163 } | |
| 164 | |
| 165 } | |
| 166 | |
| 167 class SafeMarkupTestString { | |
| 168 | |
| 169 protected $string; | |
| 170 | |
| 171 public function __construct($string) { | |
| 172 $this->string = $string; | |
| 173 } | |
| 174 | |
| 175 public function __toString() { | |
| 176 return $this->string; | |
| 177 } | |
| 178 | |
| 179 } | |
| 180 | |
| 181 /** | |
| 182 * Marks an object's __toString() method as returning markup. | |
| 183 */ | |
| 184 class SafeMarkupTestMarkup implements MarkupInterface { | |
| 185 use MarkupTrait; | |
| 186 | |
| 187 } |