| 721 | |
| 722 | /** |
| 723 | * Data attributes are globally accepted. |
| 724 | * |
| 725 | * @ticket 33121 |
| 726 | */ |
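function test_wp_kses_attr_data_attribute_is_allowed() {
	// The fixture mixes well-formed `data-*` names with three malformed ones:
	// `datainvalid` (no hyphen after the prefix), `data--invaild` (doubled
	// hyphen) and `data-also-invaild-` (trailing hyphen).
	$test = '<div data-foo="foo" data-bar="bar" datainvalid="gone" data--invaild="gone" data-also-invaild-="gone" data-two-hyphens="remains">Pens and pencils</div>';

	// Only the well-formed names are expected to survive sanitization,
	// including the multi-segment `data-two-hyphens`.
	$expected = '<div data-foo="foo" data-bar="bar" data-two-hyphens="remains">Pens and pencils</div>';

	// assertSame() compares type and value, matching the other wildcard
	// tests in this file: the sanitizer output has to be exactly this string.
	$this->assertSame( $expected, wp_kses_post( $test ) );
}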
| 733 | |
| 734 | /** |
| 735 | * Ensure a wildcard entry only matches attribute names that have a hyphen after the prefix. |
| 736 | * |
| 737 | * @ticket 33121 |
| 738 | */ |
function test_wildcard_requires_hyphen_after_prefix() {
	// `on-*` is allow-listed on purpose: the input carries `onclick`, and the
	// expected output shows that an entry of this shape must not let an
	// inline event handler through.
	$allow_list = array(
		'div' => array(
			'data-*' => true,
			'on-*'   => true,
		),
	);

	// Every attribute here is malformed relative to the allow-list: a prefix
	// with no hyphen, the bare prefix, the prefix followed only by a hyphen,
	// and `onclick`.
	$markup = '<div datamelformed-prefix="gone" data="gone" data-="gone" onclick="alert(1)">Malformed attributes</div>';

	// NOTE(review): the input contains no `on-foo` style attribute, so this
	// test shows only that `onclick` is stripped, not whether an `on-*`
	// wildcard is honored at all.
	$this->assertSame(
		'<div>Malformed attributes</div>',
		wp_kses( $markup, $allow_list )
	);
}
| 754 | |
| 755 | /** |
| 756 | * Ensure wildcard allows two hyphens. |
| 757 | * |
| 758 | * @ticket 33121 |
| 759 | */ |
function test_wildcard_allows_two_hyphens() {
	$allow_list = array(
		'div' => array(
			'data-*' => true,
		),
	);

	// A multi-segment data attribute name is expected to pass through
	// untouched, so the input doubles as the expected output.
	$markup = '<div data-wp-id="pens-and-pencils">Well formed attribute</div>';

	$this->assertSame( $markup, wp_kses( $markup, $allow_list ) );
}
| 774 | |
| 775 | /** |
| 776 | * Ensure wildcard attributes only support valid prefixes. |
| 777 | * |
| 778 | * @dataProvider data_wildcard_attribute_prefixes |
| 779 | * |
| 780 | * @ticket 33121 |
| 781 | */ |
function test_wildcard_attribute_prefixes( $wildcard_attribute, $expected ) {
	// The method name is the attribute value and, lowercased, replaces every
	// `*` in the wildcard to form a concrete attribute name, e.g.
	// `data-*` becomes `data-test_wildcard_attribute_prefixes`.
	$attr_value = __FUNCTION__;
	$attr_name  = str_replace( '*', strtolower( $attr_value ), $wildcard_attribute );
	$attr_whole = $attr_name . '="' . $attr_value . '"';

	// The wildcard under test is the only attribute allow-listed for <div>.
	$allow_list = array(
		'div' => array(
			$wildcard_attribute => true,
		),
	);

	// The check runs directly on the attribute rather than on whole markup;
	// the provider supplies the boolean it is expected to return.
	$result = wp_kses_attr_check( $attr_name, $attr_value, $attr_whole, 'n', 'div', $allow_list );

	$this->assertSame( $expected, $result );
}
| 797 | |
| 798 | /** |
| 799 | * @return array Array of arguments for wildcard testing |
| 800 | * [0] The prefix being tested. |
| 801 | * [1] The outcome of `wp_kses_attr_check` for the prefix. |
| 802 | */ |
function data_wildcard_attribute_prefixes() {
	$cases = array();

	// Well-formed wildcard: prefix, hyphen, then the wildcard.
	$cases[] = array( 'data-*', true );

	// Prefix does not end with a trailing `-` before the wildcard.
	$cases[] = array( '33121*', false );

	// More than one wildcard in the entry.
	$cases[] = array( '3*121-*', false );
	$cases[] = array( '33121**', false );

	return $cases;
}