Add various unit tests for antispambot, is_email and sanitize_email

arnt · arnt · commit 0ecc492372b7 · 2026-04-11T15:10:08.000+02:00
diff --git a/tests/phpunit/tests/formatting/antispambot.php b/tests/phpunit/tests/formatting/antispambot.php
@@ -0,0 +1,67 @@
+<?php
+/**
+ * Tests for the antispambot() function.
+ *
+ * @group formatting
+ * @covers ::antispambot
+ */
+class Tests_Formatting_Antispambot extends WP_UnitTestCase {
+
+	/**
+	 * This is basically a driveby test. While working on ticket
+	 * 31992 I noticed that there was no unit testing for
+	 * antispambot, so I added a little, just so I'd leave the code
+	 * better than I found it.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_returns_valid_utf8
+	 * @param string $address  The email address to obfuscate.
+	 * @param bool   $validity Whether the obfuscated address should be valid UTF-8.
+	 */
+	public function test_returns_valid_utf8( $address, $validity ) {
+		$this->assertSame( wp_is_valid_utf8( antispambot( $address ) ), $validity );
+	}
+
+	/**
+	 * Data provider for test_returns_valid_utf8.
+	 */
+	public function data_returns_valid_utf8() {
+		return array(
+			'plain'                => array( 'bob@example.com', true ),
+			'plain with ip'        => array( 'ace@204.32.222.14', true ),
+			'deep subdomain'       => array( 'kevin@many.subdomains.make.a.happy.man.edu', true ),
+			'short address'        => array( 'a@b.co', true ),
+			'weird but legal dots' => array( '..@example.com', true ),
+		);
+	}
+
+	/**
+	 * This tests that antispambot performs some sort of
+	 * obfuscation, and that its obfuscated form will be rendered
+	 * sensibly by browsers.
+	 *
+	 * @dataProvider data_antispambot_obfuscates
+	 * @param string $provided  The email address to obfuscate.
+	 */
+	public function test_antispambot_obfuscates( $provided ) {
+		$obfuscated = antispambot( $provided );
+		$p          = new WP_HTML_Tag_Processor( $obfuscated );
+		$p->next_token();
+		$decoded = $p->get_modifiable_text();
+		$decoded = preg_replace_callback( '~%\d\d~', function () { }, $decoded );
+
+		$this->assertNotEquals( $provided, $obfuscated );
+		$this->assertSame( $provided, $decoded );
+	}
+
+	/**
+	 * Data provider for test_antispambot_obfuscates.
+	 */
+	public function data_antispambot_obfuscates() {
+		return array(
+			'example@example.com',
+			'#@example.com',
+		);
+	}
+}
diff --git a/tests/phpunit/tests/formatting/isEmail.php b/tests/phpunit/tests/formatting/isEmail.php
@@ -1,6 +1,7 @@
 <?php
-
 /**
+ * Tests for the is_email() function.
+ *
  * @group formatting
  *
  * @covers ::is_email
@@ -23,10 +24,12 @@ public static function valid_email_provider() {
 		$valid_emails = array(
 			'bob@example.com',
 			'phil@example.info',
+			'phil@TLA.example',
 			'ace@204.32.222.14',
 			'kevin@many.subdomains.make.a.happy.man.edu',
 			'a@b.co',
 			'bill+ted@example.com',
+			'..@example.com',
 		);
 
 		foreach ( $valid_emails as $email ) {
@@ -54,6 +57,50 @@ public static function invalid_email_provider() {
 			'com.exampleNOSPAMbob',
 			'bob@your mom',
 			'a@b.c',
+			'" "@b.c',
+			'"@"@b.c',
+			'a@route.org@b.c',
+			'h(aj@couc.ou', // bad comment.
+			'hi@',
+			'hi@hi@couc.ou', // double @.
+
+			/*
+			 * The next address is not deliverable as described,
+			 * SMTP servers should strip the (ab), so it is very
+			 * likely a source of confusion or a typo.
+			 * Best rejected.
+			 */
+			'(ab)cd@couc.ou',
+
+			/*
+			 * The next address is not globally deliverable,
+			 * so it may work with PHPMailer and break with
+			 * mail sending services. Best not allow users
+			 * to paint themselves into that corner. This also
+			 * avoids security problems like those that were
+			 * used to probe the Wordpress server's local
+			 * network.
+			*/
+			'toto@to',
+
+			/*
+			 * Several addresses are best rejected because
+			 * we don't want to allow sending to fe80::, 192.168
+			 * and other special addresses; that too might
+			 * be used to probe the Wordpress server's local
+			 * network.
+			 */
+			'to@[2001:db8::1]',
+			'to@[IPv6:2001:db8::1]',
+			'to@[192.168.1.1]',
+
+			/*
+			 * Ill-formed UTF-8 byte sequences must be rejected.
+			 * A lone continuation byte (0x80) is not valid UTF-8
+			 * whether it appears in the local part or the domain.
+			 */
+			"a\x80b@example.com",  // invalid UTF-8 in local part.
+			"abc@\x80.org",        // invalid UTF-8 in domain subdomain.
 		);
 
 		foreach ( $invalid_emails as $email ) {
diff --git a/tests/phpunit/tests/formatting/sanitizeEmail.php b/tests/phpunit/tests/formatting/sanitizeEmail.php
@@ -0,0 +1,36 @@
+<?php
+/**
+ * Tests for the sanitize_email() function.
+ *
+ * @group formatting
+ * @covers ::sanitize_email
+ */
+class Tests_Formatting_SanitizeEmail extends WP_UnitTestCase {
+
+	/**
+	 * This test checks that email addresses are properly sanitized.
+	 *
+	 * @ticket 31992
+	 * @dataProvider data_for_sanitation
+	 * @param string $address  The email address to sanitize.
+	 * @param string $expected The expected sanitized email address.
+	 */
+	public function test_returns_stripped_email_address( $address, $expected ) {
+		$this->assertSame( sanitize_email( $address ), $expected );
+	}
+
+	/**
+	 * Data provider for test_returns_stripped_email_address.
+	 */
+	public function data_for_sanitation() {
+		return array(
+			'shorter than 6 characters'      => array( 'a@b', '' ),
+			'contains no @'                  => array( 'ab', '' ),
+			'just a TLD'                     => array( 'abc@com', '' ),
+			'plain'                          => array( 'abc@example.com', 'abc@example.com' ),
+			'invalid utf8 in local'          => array( "a\x80b@example.com", '' ),
+			'invalid utf8 subdomain dropped' => array( "abc@sub.\x80.org", 'abc@sub.org' ),
+			'all subdomains invalid utf8'    => array( "abc@\x80.org", '' ),
+		);
+	}
+}
