/**
 * Verifies the exact wp_kses() output for markup that contains HTML comments,
 * with the comment switch both on and off.
 *
 * The comparison is strict (assertSame), so a change in whitespace or in the
 * comment delimiters fails the test.
 *
 * @dataProvider data_html_comments
 * @ticket 54488
 *
 * @param string $input    Markup handed to wp_kses().
 * @param string $expected String wp_kses() has to return for that markup.
 * @param bool   $allow    Forwarded as the fourth wp_kses() argument; in the data sets
 *                         true keeps plain HTML comments and false removes them.
 */
public function test_kses_html_comments( $input, $expected, $allow ) {
	// Filter against the 'post' context; the third argument is left as an empty array.
	$this->assertSame(
		$expected,
		wp_kses( $input, 'post', array(), $allow )
	);
}
| 493 | |
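/**
 * Data provider for test_kses_html_comments().
 *
 * Every data set is keyed by a descriptive name so that a failing run reports
 * which markup and which setting broke, instead of a bare numeric index.
 *
 * Security-relevant behaviour pinned by these sets: with comments disallowed,
 * only comments without markup inside them are removed. Where the comment body
 * contains tags, the expected output still carries the comment delimiters, so
 * the "disallowed" setting cannot be read as a guarantee that no comment
 * markers reach the output.
 *
 * @ticket 54488
 *
 * @return array[] {
 *     @type array ...$0 {
 *         @type string $0 Markup passed to wp_kses().
 *         @type string $1 Expected wp_kses() output.
 *         @type bool   $2 Whether HTML comments are allowed.
 *     }
 * }
 */
public function data_html_comments() {
	return array(
		// Basic validation: a comment following a paragraph.
		'simple comment, comments allowed'                     => array(
			'<p>Hello world.</p><!-- html comment. -->',
			'<p>Hello world.</p><!-- html comment. -->',
			true,
		),
		'simple comment, comments disallowed'                  => array(
			'<p>Hello world.</p><!-- html comment. -->',
			'<p>Hello world.</p>',
			false,
		),

		// No spaces between the comment delimiters and the comment text.
		'comment without inner spaces, comments allowed'       => array(
			'<p>Hello world.</p><!--html comment.-->',
			'<p>Hello world.</p><!--html comment.-->',
			true,
		),
		'comment without inner spaces, comments disallowed'    => array(
			'<p>Hello world.</p><!--html comment.-->',
			'<p>Hello world.</p>',
			false,
		),

		// Comment placed inside an element. Only the disallowed setting is covered here.
		'comment inside a paragraph, comments disallowed'      => array(
			'<p>Hello world.<!-- html comment. --></p>',
			'<p>Hello world.</p>',
			false,
		),

		// Comments containing HTML tags are not stripped, whatever the setting.
		// NOTE(review): the original comment says these are "escaped, not stripped",
		// but the expected strings as listed equal the input. Confirm whether escaped
		// entities were lost when this listing was rendered.
		'comment wrapping a link, comments allowed'            => array(
			'<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>',
			'<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>',
			true,
		),
		'comment wrapping a link, comments disallowed'         => array(
			'<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>',
			'<p>Hello world. <!-- <a href="https://wordpress.org">WordPress.org</a> --> </p>',
			false,
		),

		// Comment that overlaps the end of an element; output equals input for both settings.
		'comment overlapping a closing tag, comments allowed'  => array(
			'<p>Hello world. <!-- html comment </p> -->',
			'<p>Hello world. <!-- html comment </p> -->',
			true,
		),
		'comment overlapping a closing tag, comments disallowed' => array(
			'<p>Hello world. <!-- html comment </p> -->',
			'<p>Hello world. <!-- html comment </p> -->',
			false,
		),

		// Multi-line comments.
		'multi-line comment, comments allowed'                 => array(
			'<!--
html comment
this is a second line
this is a third line
-->',
			'<!--
html comment
this is a second line
this is a third line
-->',
			true,
		),
		'multi-line comment, comments disallowed'              => array(
			'<!--
html comment
this is a second line
this is a third line
-->',
			'',
			false,
		),

		// Conditionals are stripped.
		// NOTE(review): the input opens with "<!-[" (one hyphen), which is not the
		// "<!--[if ...]>" conditional-comment form. Confirm that the single hyphen is
		// intended; as written, the well-formed conditional comment is not exercised.
		'conditional-style markup, comments allowed'           => array(
			'<!-[if IE 6]>Hello world<![endif]-->',
			'Hello world',
			true,
		),
		'conditional-style markup, comments disallowed'        => array(
			'<!-[if IE 6]>Hello world<![endif]-->',
			'Hello world',
			false,
		),

		// Script tags inside a comment are removed under both settings, while the
		// comment delimiters and the script text stay in the output.
		'script element inside a comment, comments allowed'    => array(
			'<!-- <script>alert("XSS");</script> -->',
			'<!-- alert("XSS"); -->',
			true,
		),
		'script element inside a comment, comments disallowed' => array(
			'<!-- <script>alert("XSS");</script> -->',
			'<!-- alert("XSS"); -->',
			false,
		),
	);
}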
| 596 | |