| | 483 | /** |
| | 484 | * Test results when HTML comments are allowed or disallowed. |
| | 485 | * |
| | 486 | * @dataProvider data_html_comments |
| | 487 | * @ticket 54488 |
| | 488 | */ |
| | 489 | public function test_kses_html_comments( $input, $expected, $allow ) { |
| | 490 | $output = wp_kses( $input, 'post', array(), $allow ); |
| | 491 | $this->assertSame( $expected, $output ); |
| | 492 | } |
| | 493 | |
| | 494 | /** |
| | 495 | * @ticket 54488 |
| | 496 | */ |
| | 497 | public function data_html_comments() { |
| | 498 | return array( |
| | 499 | // Test Basic validation. |
| | 500 | array( |
| | 501 | '<p>Hello world.</p><!-- html comment. -->', |
| | 502 | '<p>Hello world.</p><!-- html comment. -->', |
| | 503 | true, |
| | 504 | ), |
| | 505 | array( |
| | 506 | '<p>Hello world.</p><!-- html comment. -->', |
| | 507 | '<p>Hello world.</p>', |
| | 508 | false, |
| | 509 | ), |
| | 510 | // Test No spaces between arrows and comment. |
| | 511 | array( |
| | 512 | '<p>Hello world.</p><!--html comment.-->', |
| | 513 | '<p>Hello world.</p><!--html comment.-->', |
| | 514 | true, |
| | 515 | ), |
| | 516 | array( |
| | 517 | '<p>Hello world.</p><!--html comment.-->', |
| | 518 | '<p>Hello world.</p>', |
| | 519 | false, |
| | 520 | ), |
| | 521 | // HTML comments Inside HTML tags. |
| | 522 | array( |
| | 523 | '<p>Hello world.<!-- html comment. --></p>', |
| | 524 | '<p>Hello world.</p>', |
| | 525 | false, |
| | 526 | ), |
| | 527 | // HTML comments containing HTML tags are escaped, not stripped. |
| | 528 | array( |
| | 529 | '<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>', |
| | 530 | '<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>', |
| | 531 | true, |
| | 532 | ), |
| | 533 | array( |
| | 534 | '<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>', |
| | 535 | '<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>', |
| | 536 | false, |
| | 537 | ), |
| | 538 | // HTML comments overlapping HTML elements. |
| | 539 | array( |
| | 540 | '<p>Hello world. <!-- html comment </p> -->', |
| | 541 | '<p>Hello world. <!-- html comment </p> -->', |
| | 542 | true, |
| | 543 | ), |
| | 544 | array( |
| | 545 | '<p>Hello world. <!-- html comment </p> -->', |
| | 546 | '<p>Hello world. <!-- html comment </p> -->', |
| | 547 | false, |
| | 548 | ), |
| | 549 | // Multi-line comments. |
| | 550 | array( |
| | 551 | '<!-- |
| | 552 | html comment |
| | 553 | this is a second line |
| | 554 | this is a third line |
| | 555 | -->', |
| | 556 | '<!-- |
| | 557 | html comment |
| | 558 | this is a second line |
| | 559 | this is a third line |
| | 560 | -->', |
| | 561 | true, |
| | 562 | ), |
| | 563 | array( |
| | 564 | '<!-- |
| | 565 | html comment |
| | 566 | this is a second line |
| | 567 | this is a third line |
| | 568 | -->', |
| | 569 | '', |
| | 570 | false, |
| | 571 | ), |
| | 572 | // Conditionals are stripped. |
| | 573 | array( |
| | 574 | '<!-[if IE 6]>Hello world<![endif]-->', |
| | 575 | 'Hello world', |
| | 576 | true, |
| | 577 | ), |
| | 578 | array( |
| | 579 | '<!-[if IE 6]>Hello world<![endif]-->', |
| | 580 | 'Hello world', |
| | 581 | false, |
| | 582 | ), |
| | 583 | // Script tags are still handled properly. |
| | 584 | array( |
| | 585 | '<!-- <script>alert("XSS");</script> -->', |
| | 586 | '<!-- alert("XSS"); -->', |
| | 587 | true, |
| | 588 | ), |
| | 589 | array( |
| | 590 | '<!-- <script>alert("XSS");</script> -->', |
| | 591 | '<!-- alert("XSS"); -->', |
| | 592 | false, |
| | 593 | ), |
| | 594 | ); |
| | 595 | } |
| | 596 | |