Test the handling of malicious attribute names and values

dmsnell · dmsnell · commit 4e912a9ab6c1 · 2024-01-15T16:01:30.000-06:00
diff --git a/tests/phpunit/tests/html-api/wpHtmlTemplate.php b/tests/phpunit/tests/html-api/wpHtmlTemplate.php
@@ -38,4 +38,51 @@ public function test_basic_render() {
 			'Failed to properly render template.'
 		);
 	}
+
+	/**
+	 * Ensures that basic attacks on attribute names and values are blocked.
+	 *
+	 * @ticket 60229
+	 *
+	 * @covers WP_HTML::render
+	 */
+	public function test_cannot_break_out_of_tag_with_malicious_attribute_name() {
+		$html = WP_HTML_Template::render(
+			'<div class="</%class>" ...args>',
+			array(
+				'class' => '"><script>alert("hi")</script>',
+				'args'  => array(
+					'"> double-quoted escape' => 'busted!',
+					'> tag escape'            => 'busted!',
+				),
+			)
+		);
+
+		// The output here should include an escaped `class` attribute and no others, also no other tags.
+		$processor = new WP_HTML_Tag_Processor( $html );
+		$processor->next_tag();
+
+		$this->assertSame(
+			'DIV',
+			$processor->get_tag(),
+			"Expected to find DIV tag but found {$processor->get_tag()} instead."
+		);
+
+		$this->assertSame(
+			'"><script>alert("hi")</script>',
+			$processor->get_attribute( 'class' ),
+			'Should have found escaped `class` attribute.'
+		);
+
+		$this->assertSame(
+			array( 'class' ),
+			$processor->get_attribute_names_with_prefix( '' ),
+			'Should have set `class` attribute and no others.'
+		);
+
+		$this->assertFalse(
+			$processor->next_tag(),
+			"Should not have found any other tags but found {$processor->get_tag()} instead."
+		);
+	}
 }
