|
| 1 | +<?php |
| 2 | +/** |
| 3 | + * @author Todd Burry <todd@vanillaforums.com> |
| 4 | + * @copyright 2009-2016 Vanilla Forums Inc. |
| 5 | + * @license Proprietary |
| 6 | + */ |
| 7 | + |
| 8 | +namespace Htmlawed\Tests; |
| 9 | + |
| 10 | +use Htmlawed; |
| 11 | + |
| 12 | +/** |
| 13 | + * Test the default config and spec for {@link \Htmlawed::filter()}. |
| 14 | + * |
| 15 | + * Calling the HTML filter without overriding the config should offer reasonable protection. |
| 16 | + */ |
| 17 | +class DefaultsTest extends \PHPUnit_Framework_TestCase { |
| 18 | + protected function assertFiltered($expected, $html, $message = '') { |
| 19 | + $filtered = Htmlawed::filter($html); |
| 20 | + $this->assertSame($expected, $filtered, $message); |
| 21 | + } |
| 22 | + |
| 23 | + |
| 24 | + /** |
| 25 | + * Provide data for {@link testBalance()} |
| 26 | + * |
| 27 | + * @return array Returns a test array. |
| 28 | + */ |
| 29 | + public function provideBalanceTests() { |
| 30 | + return [ |
| 31 | + ['Hi <b>there', 'Hi <b>there</b>'], |
| 32 | + ['<i>What <b>me</i> worry</b>', '<i>What <b>me</b></i> worry'], |
| 33 | + ]; |
| 34 | + } |
| 35 | + |
| 36 | + /** |
| 37 | + * Test the **balance** config setting. |
| 38 | + * |
| 39 | + * @param string $html The HTML to filter. |
| 40 | + * @param string $expected The expected filtered HTML. |
| 41 | + * @dataProvider provideBalanceTests |
| 42 | + */ |
| 43 | + public function testBalance($html, $expected) { |
| 44 | + $this->assertFiltered($expected, $html); |
| 45 | + } |
| 46 | + |
| 47 | + /** |
| 48 | + * Provide data for {@link testCommentRemoval()} |
| 49 | + * |
| 50 | + * @return array Returns a test array. |
| 51 | + */ |
| 52 | + public function provideCommentRemovalTests() { |
| 53 | + return [ |
| 54 | + 'normal' => ["<!-- comment -->\nNormal", "\nNormal"], |
| 55 | + 'inline' => ["This is<!-- not --> it", "This is it"], |
| 56 | + 'multiline' => ["<!-- Do\n it -->now", "now"] |
| 57 | + ]; |
| 58 | + } |
| 59 | + |
| 60 | + /** |
| 61 | + * Test the **comment** config setting when it is set to remove comments. |
| 62 | + * |
| 63 | + * @param string $html The HTML to filter. |
| 64 | + * @param string $expected The expected filtered HTML. |
| 65 | + * @dataProvider provideCommentRemovalTests |
| 66 | + */ |
| 67 | + public function testCommentRemoval($html, $expected) { |
| 68 | + $filtered = Htmlawed::filter($html); |
| 69 | + $this->assertSame($expected, $filtered); |
| 70 | + } |
| 71 | + |
| 72 | + /** |
| 73 | + * CSS expressions should be stripped by default. |
| 74 | + */ |
| 75 | + public function testCssExpressionStripping() { |
| 76 | + $html = '<span style="expression(alert(\'XSS\'))">foo</span>'; |
| 77 | + $expected = '<span style=" (alert(\'XSS\'))">foo</span>'; |
| 78 | + |
| 79 | + $filtered = Htmlawed::filter($html); |
| 80 | + $this->assertSame($expected, $filtered); |
| 81 | + } |
| 82 | + |
| 83 | + /** |
| 84 | + * Make sure that **deny_attribute** defaults to `on*`. |
| 85 | + */ |
| 86 | + public function testDenyAttribute() { |
| 87 | + $this->assertFiltered( |
| 88 | + '<div>...</div>', |
| 89 | + '<div onload="alert(\'XSS\')" onclick="die()">...</div>' |
| 90 | + ); |
| 91 | + } |
| 92 | +} |
0 commit comments