Merge branch 'trunk' into 26962-retaining-user-info-in-user-edit-after-submit

yashyadav-mo · web-flow · commit ee9cc92a46e8 · 2026-04-13T02:45:31.000+05:30
diff --git a/tests/phpunit/tests/formatting/antispambot.php b/tests/phpunit/tests/formatting/antispambot.php
@@ -0,0 +1,73 @@
+<?php
+/**
+ * Tests for the antispambot() function.
+ *
+ * @group formatting
+ * @covers ::antispambot
+ */
+class Tests_Formatting_Antispambot extends WP_UnitTestCase {
+	/**
+	 * Ensures that antispambot will not produce invalid UTF-8 when hiding email addresses.
+	 *
+	 * Were a non-US-ASCII email address be sent into `antispambot()`, then a naive approach
+	 * to obfuscation could break apart multibyte characters and leave invalid UTF-8 as a
+	 * result.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_returns_valid_utf8
+	 *
+	 * @param string $email    The email address to obfuscate.
+	 */
+	public function test_returns_valid_utf8( $email ) {
+		$this->assertTrue( wp_is_valid_utf8( antispambot( $email ) ) );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * return array[]
+	 */
+	public function data_returns_valid_utf8() {
+		return array(
+			'plain'                => array( 'bob@example.com' ),
+			'plain with ip'        => array( 'ace@204.32.222.14' ),
+			'deep subdomain'       => array( 'kevin@many.subdomains.make.a.happy.man.edu' ),
+			'short address'        => array( 'a@b.co' ),
+			'weird but legal dots' => array( '..@example.com' ),
+		);
+	}
+
+	/**
+	 * This tests that antispambot performs some sort of obfuscation
+	 * and that the obfuscation maps back to the original value.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_antispambot_obfuscates
+	 *
+	 * @param string $provided The email address to obfuscate.
+	 */
+	public function test_antispambot_obfuscates( $provided ) {
+		// The only token should be the email address, so advance once and treat as a text node.
+		$obfuscated = antispambot( $provided );
+		$p          = new WP_HTML_Tag_Processor( $obfuscated );
+		$p->next_token();
+		$decoded = rawurldecode( $p->get_modifiable_text() );
+
+		$this->assertNotSame( $provided, $obfuscated, 'Should have produced an obfuscated representation.' );
+		$this->assertSame( $provided, $decoded, 'Should have decoded to the original email after restoring.' );
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public function data_antispambot_obfuscates() {
+		return array(
+			array( 'example@example.com' ),
+			array( '#@example.com' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/formatting/isEmail.php b/tests/phpunit/tests/formatting/isEmail.php
@@ -1,32 +1,44 @@
 <?php
-
 /**
+ * Tests for the is_email() function.
+ *
  * @group formatting
  *
  * @covers ::is_email
  */
 class Tests_Formatting_IsEmail extends WP_UnitTestCase {
-
 	/**
-	 * @dataProvider valid_email_provider
+	 * Ensures that valid emails are returned unchanged.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_valid_email_provider
+	 *
+	 * @param string $email Valid email address.
 	 */
 	public function test_returns_the_email_address_if_it_is_valid( $email ) {
-		$this->assertSame( $email, is_email( $email ), "is_email() should return the email address for $email." );
+		$this->assertSame(
+			$email,
+			is_email( $email ),
+			'Should return the given email address unchanged when valid.'
+		);
 	}
 
 	/**
-	 * Data provider for valid email addresses.
+	 * Data provider.
 	 *
-	 * @return array
+	 * @return Generator
 	 */
-	public static function valid_email_provider() {
+	public static function data_valid_email_provider() {
 		$valid_emails = array(
 			'bob@example.com',
 			'phil@example.info',
+			'phil@TLA.example',
 			'ace@204.32.222.14',
 			'kevin@many.subdomains.make.a.happy.man.edu',
 			'a@b.co',
 			'bill+ted@example.com',
+			'..@example.com',
 		);
 
 		foreach ( $valid_emails as $email ) {
@@ -35,25 +47,78 @@ public static function valid_email_provider() {
 	}
 
 	/**
-	 * @dataProvider invalid_email_provider
+	 * Ensures that unrecognized email addresses are rejected.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_invalid_email_provider
+	 *
+	 * @param string $email Invalid or unrecognized-to-WordPress email address.
 	 */
 	public function test_returns_false_if_given_an_invalid_email_address( $email ) {
-		$this->assertFalse( is_email( $email ), "is_email() should return false for $email." );
+		$this->assertFalse(
+			is_email( $email ),
+			'Should have rejected the email as invalid.'
+		);
 	}
 
 	/**
-	 * Data provider for invalid email addresses.
+	 * Data provider.
 	 *
-	 * @return array
+	 * @return Generator
 	 */
-	public static function invalid_email_provider() {
+	public static function data_invalid_email_provider() {
 		$invalid_emails = array(
 			'khaaaaaaaaaaaaaaan!',
 			'http://bob.example.com/',
 			"sif i'd give u it, spamer!1",
 			'com.exampleNOSPAMbob',
 			'bob@your mom',
 			'a@b.c',
+			'" "@b.c',
+			'"@"@b.c',
+			'a@route.org@b.c',
+			'h(aj@couc.ou', // bad comment.
+			'hi@',
+			'hi@hi@couc.ou', // double @.
+
+			/*
+			 * The next address is not deliverable as described,
+			 * SMTP servers should strip the (ab), so it is very
+			 * likely a source of confusion or a typo.
+			 * Best rejected.
+			 */
+			'(ab)cd@couc.ou',
+
+			/*
+			 * The next address is not globally deliverable,
+			 * so it may work with PHPMailer and break with
+			 * mail sending services. Best not allow users
+			 * to paint themselves into that corner. This also
+			 * avoids security problems like those that were
+			 * used to probe the WordPress server's local
+			 * network.
+			*/
+			'toto@to',
+
+			/*
+			 * Several addresses are best rejected because
+			 * we don't want to allow sending to fe80::, 192.168
+			 * and other special addresses; that too might
+			 * be used to probe the WordPress server's local
+			 * network.
+			 */
+			'to@[2001:db8::1]',
+			'to@[IPv6:2001:db8::1]',
+			'to@[192.168.1.1]',
+
+			/*
+			 * Ill-formed UTF-8 byte sequences must be rejected.
+			 * A lone continuation byte (0x80) is not valid UTF-8
+			 * whether it appears in the local part or the domain.
+			 */
+			"a\x80b@example.com",  // invalid UTF-8 in local part.
+			"abc@\x80.org",        // invalid UTF-8 in domain subdomain.
 		);
 
 		foreach ( $invalid_emails as $email ) {
diff --git a/tests/phpunit/tests/formatting/sanitizeEmail.php b/tests/phpunit/tests/formatting/sanitizeEmail.php
@@ -0,0 +1,42 @@
+<?php
+/**
+ * Tests for the sanitize_email() function.
+ *
+ * @group formatting
+ * @covers ::sanitize_email
+ */
+class Tests_Formatting_SanitizeEmail extends WP_UnitTestCase {
+	/**
+	 * This test checks that email addresses are properly sanitized.
+	 *
+	 * @ticket 31992
+	 *
+	 * @dataProvider data_sanitized_email_pairs
+	 *
+	 * @param string $address  The email address to sanitize.
+	 * @param string $expected The expected sanitized email address.
+	 */
+	public function test_returns_stripped_email_address( $address, $expected ) {
+		$this->assertSame(
+			$expected,
+			sanitize_email( $address ),
+			'Should have produced the known sanitized form of the email.'
+		);
+	}
+
+	/**
+	 * Data provider.
+	 *
+	 * @return array[]
+	 */
+	public function data_sanitized_email_pairs() {
+		return array(
+			'shorter than 6 characters'      => array( 'a@b', '' ),
+			'contains no @'                  => array( 'ab', '' ),
+			'just a TLD'                     => array( 'abc@com', '' ),
+			'plain'                          => array( 'abc@example.com', 'abc@example.com' ),
+			'invalid utf8 subdomain dropped' => array( "abc@sub.\x80.org", 'abc@sub.org' ),
+			'all subdomains invalid utf8'    => array( "abc@\x80.org", '' ),
+		);
+	}
+}
diff --git a/tests/phpunit/tests/oembed/WpEmbed.php b/tests/phpunit/tests/oembed/WpEmbed.php
@@ -2,6 +2,8 @@
 
 /**
  * @group oembed
+ *
+ * @covers WP_Embed
  */
 class Tests_WP_Embed extends WP_UnitTestCase {
 	/**
diff --git a/tests/phpunit/tests/oembed/getOembedResponseData.php b/tests/phpunit/tests/oembed/getOembedResponseData.php
@@ -2,9 +2,10 @@
 
 /**
  * @group oembed
+ *
  * @covers ::get_oembed_response_data
  */
-class Tests_oEmbed_Response_Data extends WP_UnitTestCase {
+class Tests_oEmbed_GetOembedResponseData extends WP_UnitTestCase {
 	public function set_up() {
 		parent::set_up();
 
diff --git a/tests/phpunit/tests/oembed/getPostEmbedUrl.php b/tests/phpunit/tests/oembed/getPostEmbedUrl.php
@@ -2,8 +2,10 @@
 
 /**
  * @group oembed
+ *
+ * @covers ::get_post_embed_url
  */
-class Tests_Post_Embed_URL extends WP_UnitTestCase {
+class Tests_oEmbed_GetPostEmbedUrl extends WP_UnitTestCase {
 	public function test_non_existent_post() {
 		$embed_url = get_post_embed_url( 0 );
 		$this->assertFalse( $embed_url );
diff --git a/tests/phpunit/tests/oembed/wpFilterOembedIframeTitleAttributes.php b/tests/phpunit/tests/oembed/wpFilterOembedIframeTitleAttributes.php
@@ -2,9 +2,21 @@
 
 /**
  * @group oembed
+ *
+ * @covers ::wp_filter_oembed_iframe_title_attribute
  */
-class Tests_Filter_oEmbed_Iframe_Title_Attribute extends WP_UnitTestCase {
-	public function data_filter_oembed_iframe_title_attribute() {
+class Tests_oEmbed_wpFilterOembedIframeTitleAttribute extends WP_UnitTestCase {
+
+	/**
+	 * @dataProvider data_oembed_iframe_title_attribute
+	 */
+	public function test_oembed_iframe_title_attribute( $html, $oembed_data, $url, $expected ) {
+		$actual = wp_filter_oembed_iframe_title_attribute( $html, (object) $oembed_data, $url );
+
+		$this->assertEqualHTML( $expected, $actual );
+	}
+
+	public function data_oembed_iframe_title_attribute() {
 		return array(
 			array(
 				'<p>Foo</p><iframe src=""></iframe><b>Bar</b>',
@@ -61,15 +73,6 @@ public function data_filter_oembed_iframe_title_attribute() {
 		);
 	}
 
-	/**
-	 * @dataProvider data_filter_oembed_iframe_title_attribute
-	 */
-	public function test_oembed_iframe_title_attribute( $html, $oembed_data, $url, $expected ) {
-		$actual = wp_filter_oembed_iframe_title_attribute( $html, (object) $oembed_data, $url );
-
-		$this->assertEqualHTML( $expected, $actual );
-	}
-
 	public function test_filter_oembed_iframe_title_attribute() {
 		add_filter( 'oembed_iframe_title_attribute', array( $this, '_filter_oembed_iframe_title_attribute' ) );
 
diff --git a/tests/phpunit/tests/oembed/wpFilterOembedResult.php b/tests/phpunit/tests/oembed/wpFilterOembedResult.php
@@ -2,8 +2,11 @@
 
 /**
  * @group oembed
+ *
+ * @covers ::wp_filter_oembed_result
  */
-class Tests_Filter_oEmbed_Result extends WP_UnitTestCase {
+class Tests_oEmbed_wpFilterOembedResult extends WP_UnitTestCase {
+
 	public function test_filter_oembed_result_trusted_malicious_iframe() {
 		$html = '<p></p><iframe onload="alert(1)"></iframe>';
 
@@ -154,6 +157,19 @@ public function test_filter_oembed_result_allowed_html() {
 		$this->assertEqualHTML( '<blockquote class="wp-embedded-content"><a href=""></a></blockquote><iframe class="wp-embedded-content" sandbox="allow-scripts" security="restricted" style="position: absolute; visibility: hidden;"></iframe>', $actual );
 	}
 
+	/**
+	 * @dataProvider data_wp_filter_pre_oembed_custom_result
+	 */
+	public function test_wp_filter_pre_oembed_custom_result( $html, $expected ) {
+		$data   = (object) array(
+			'type'  => 'rich',
+			'title' => 'Hola',
+			'html'  => $html,
+		);
+		$actual = _wp_oembed_get_object()->data2html( $data, 'https://untrusted.localhost' );
+		$this->assertEqualHTML( $expected, $actual );
+	}
+
 	public function data_wp_filter_pre_oembed_custom_result() {
 		return array(
 			array(
@@ -175,19 +191,6 @@ public function data_wp_filter_pre_oembed_custom_result() {
 		);
 	}
 
-	/**
-	 * @dataProvider data_wp_filter_pre_oembed_custom_result
-	 */
-	public function test_wp_filter_pre_oembed_custom_result( $html, $expected ) {
-		$data   = (object) array(
-			'type'  => 'rich',
-			'title' => 'Hola',
-			'html'  => $html,
-		);
-		$actual = _wp_oembed_get_object()->data2html( $data, 'https://untrusted.localhost' );
-		$this->assertEqualHTML( $expected, $actual );
-	}
-
 	/**
 	 * @group feed
 	 */
diff --git a/tests/phpunit/tests/oembed/wpOembed.php b/tests/phpunit/tests/oembed/wpOembed.php
