Changeset 42343 for trunk/tests/phpunit/tests/kses.php
- Timestamp:
- 11/30/2017 11:09:33 PM (9 years ago)
- File:
-
- 1 edited
-
trunk/tests/phpunit/tests/kses.php (modified) (22 diffs)
trunk/tests/phpunit/tests/kses.php
r40637 r42343 16 16 $attributes = array( 17 17 'class' => 'classname', 18 'id' => 'id',18 'id' => 'id', 19 19 'style' => 'color: red;', 20 20 'style' => 'color: red', … … 25 25 26 26 foreach ( $attributes as $name => $value ) { 27 $string = "<address $name='$value'>1 WordPress Avenue, The Internet.</address>";27 $string = "<address $name='$value'>1 WordPress Avenue, The Internet.</address>"; 28 28 $expect_string = "<address $name='" . str_replace( '; ', ';', trim( $value, ';' ) ) . "'>1 WordPress Avenue, The Internet.</address>"; 29 29 $this->assertEquals( $expect_string, wp_kses( $string, $allowedposttags ) ); … … 38 38 39 39 $attributes = array( 40 'class' => 'classname',41 'id' => 'id',42 'style' => 'color: red;',43 'title' => 'title',44 'href' => 'http://example.com',45 'rel' => 'related',46 'rev' => 'revision',47 'name' => 'name',40 'class' => 'classname', 41 'id' => 'id', 42 'style' => 'color: red;', 43 'title' => 'title', 44 'href' => 'http://example.com', 45 'rel' => 'related', 46 'rev' => 'revision', 47 'name' => 'name', 48 48 'target' => '_blank', 49 49 ); 50 50 51 51 foreach ( $attributes as $name => $value ) { 52 $string = "<a $name='$value'>I link this</a>";52 $string = "<a $name='$value'>I link this</a>"; 53 53 $expect_string = "<a $name='" . trim( $value, ';' ) . "'>I link this</a>"; 54 54 $this->assertEquals( $expect_string, wp_kses( $string, $allowedposttags ) ); … … 64 64 $attributes = array( 65 65 'class' => 'classname', 66 'id' => 'id',66 'id' => 'id', 67 67 'style' => 'color: red;', 68 68 'title' => 'title', … … 70 70 71 71 foreach ( $attributes as $name => $value ) { 72 $string = "<abbr $name='$value'>WP</abbr>";72 $string = "<abbr $name='$value'>WP</abbr>"; 73 73 $expect_string = "<abbr $name='" . trim( $value, ';' ) . "'>WP</abbr>"; 74 74 $this->assertEquals( $expect_string, wp_kses( $string, $allowedposttags ) ); … … 143 143 if ( ! 
empty( $result ) && $result != 'alert(1);' && $result != 'alert(1)' ) { 144 144 switch ( $k ) { 145 case 6: $this->assertEquals( 'javascript&#0000058alert(1);', $result ); break; 145 case 6: 146 $this->assertEquals( 'javascript&#0000058alert(1);', $result ); 147 break; 146 148 case 12: 147 149 $this->assertEquals( str_replace( '&', '&', $x ), $result ); 148 150 break; 149 case 22: $this->assertEquals( 'javascript&#0000058alert(1);', $result ); break; 150 case 23: $this->assertEquals( 'javascript&#0000058alert(1)//?:', $result ); break; 151 case 24: $this->assertEquals( 'feed:alert(1)', $result ); break; 152 default: $this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" ); 151 case 22: 152 $this->assertEquals( 'javascript&#0000058alert(1);', $result ); 153 break; 154 case 23: 155 $this->assertEquals( 'javascript&#0000058alert(1)//?:', $result ); 156 break; 157 case 24: 158 $this->assertEquals( 'feed:alert(1)', $result ); 159 break; 160 default: 161 $this->fail( "wp_kses_bad_protocol failed on $x. Result: $result" ); 153 162 } 154 163 } … … 167 176 foreach ( $safe as $x ) { 168 177 $result = wp_kses_bad_protocol( wp_kses_normalize_entities( $x ), array( 'http', 'https', 'dummy' ) ); 169 if ( $result != $x && $result != 'http://example.org/' ) 178 if ( $result != $x && $result != 'http://example.org/' ) { 170 179 $this->fail( "wp_kses_bad_protocol incorrectly blocked $x" ); 180 } 171 181 } 172 182 } … … 175 185 $xss = simplexml_load_file( DIR_TESTDATA . 
'/formatting/xssAttacks.xml' ); 176 186 foreach ( $xss->attack as $attack ) { 177 if ( in_array( $attack->name, array( 'IMG Embedded commands 2', 'US-ASCII encoding', 'OBJECT w/Flash 2', 'Character Encoding Example' ) ) ) 187 if ( in_array( $attack->name, array( 'IMG Embedded commands 2', 'US-ASCII encoding', 'OBJECT w/Flash 2', 'Character Encoding Example' ) ) ) { 178 188 continue; 189 } 179 190 180 191 $code = (string) $attack->code; 181 192 182 if ( $code == 'See Below' ) 193 if ( $code == 'See Below' ) { 183 194 continue; 195 } 184 196 185 197 if ( substr( $code, 0, 4 ) == 'perl' ) { 186 $pos = strpos( $code, '"' ) + 1;187 $code = substr( $code, $pos, strrpos( $code, '"') - $pos );198 $pos = strpos( $code, '"' ) + 1; 199 $code = substr( $code, $pos, strrpos( $code, '"' ) - $pos ); 188 200 $code = str_replace( '\0', "\0", $code ); 189 201 } … … 191 203 $result = trim( wp_kses_data( $code ) ); 192 204 193 if ( $result == '' || $result == 'XSS' || $result == 'alert("XSS");' || $result == "alert('XSS');" ) 205 if ( $result == '' || $result == 'XSS' || $result == 'alert("XSS");' || $result == "alert('XSS');" ) { 194 206 continue; 207 } 195 208 196 209 switch ( $attack->name ) { 197 210 case 'XSS Locator': 198 $this->assertEquals( '\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result);211 $this->assertEquals( '\';alert(String.fromCharCode(88,83,83))//\\\';alert(String.fromCharCode(88,83,83))//";alert(String.fromCharCode(88,83,83))//\\";alert(String.fromCharCode(88,83,83))//-->">\'>alert(String.fromCharCode(88,83,83))=&{}', $result ); 199 212 break; 200 213 case 'XSS Quick Test': 201 $this->assertEquals( '\'\';!--"=&{()}', $result);214 $this->assertEquals( '\'\';!--"=&{()}', $result ); 202 215 break; 203 216 case 'SCRIPT w/Alert()': … … 205 218 break; 206 219 case 'SCRIPT w/Char Code': 207 
$this->assertEquals( 'alert(String.fromCharCode(88,83,83))', $result);220 $this->assertEquals( 'alert(String.fromCharCode(88,83,83))', $result ); 208 221 break; 209 222 case 'IMG STYLE w/expression': 210 $this->assertEquals( 'exp/*', $result);223 $this->assertEquals( 'exp/*', $result ); 211 224 break; 212 225 case 'List-style-image': 213 $this->assertEquals( 'li {list-style-image: url("javascript:alert(\'XSS\')");}XSS', $result);226 $this->assertEquals( 'li {list-style-image: url("javascript:alert(\'XSS\')");}XSS', $result ); 214 227 break; 215 228 case 'STYLE': 216 $this->assertEquals( "alert('XSS');", $result );229 $this->assertEquals( "alert('XSS');", $result ); 217 230 break; 218 231 case 'STYLE w/background-image': 219 $this->assertEquals( '.XSS{background-image:url("javascript:alert(\'XSS\')");}<A></A>', $result);232 $this->assertEquals( '.XSS{background-image:url("javascript:alert(\'XSS\')");}<A></A>', $result ); 220 233 break; 221 234 case 'STYLE w/background': 222 $this->assertEquals( 'BODY{background:url("javascript:alert(\'XSS\')")}', $result);235 $this->assertEquals( 'BODY{background:url("javascript:alert(\'XSS\')")}', $result ); 223 236 break; 224 237 case 'Remote Stylesheet 2': … … 229 242 break; 230 243 case 'Remote Stylesheet 4': 231 $this->assertEquals( 'BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}', $result);244 $this->assertEquals( 'BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}', $result ); 232 245 break; 233 246 case 'XML data island w/CDATA': 234 $this->assertEquals( "<![CDATA[]]>", $result );247 $this->assertEquals( '<![CDATA[]]>', $result ); 235 248 break; 236 249 case 'XML data island w/comment': … … 256 269 break; 257 270 case 'Escaping JavaScript escapes': 258 $this->assertEquals( '\";alert(\'XSS\');//', $result);271 $this->assertEquals( '\";alert(\'XSS\');//', $result ); 259 272 break; 260 273 case 'STYLE w/broken up JavaScript': … … 277 290 break; 278 291 case 'Malformed IMG Tags': 279 $this->assertEquals( 
'alert("XSS")">', $result);292 $this->assertEquals( 'alert("XSS")">', $result ); 280 293 break; 281 294 case 'No Quotes/Semicolons': … … 304 317 305 318 function _wp_kses_allowed_html_filter( $html, $context ) { 306 if ( 'post' == $context ) 319 if ( 'post' == $context ) { 307 320 return array( 'a' => array( 'href' => true ) ); 308 else321 } else { 309 322 return array( 'a' => array( 'href' => false ) ); 323 } 310 324 } 311 325 … … 318 332 $this->assertEquals( $allowedposttags, wp_kses_allowed_html( 'post' ) ); 319 333 320 $tags = wp_kses_allowed_html( 'post' ) ;334 $tags = wp_kses_allowed_html( 'post' ); 321 335 322 336 foreach ( $tags as $tag ) { … … 341 355 $custom_tags = array( 342 356 'a' => array( 343 'href' => true,344 'rel' => true,345 'rev' => true,346 'name' => true,357 'href' => true, 358 'rel' => true, 359 'rev' => true, 360 'name' => true, 347 361 'target' => true, 348 362 ), … … 362 376 363 377 function test_hyphenated_tag() { 364 $string = "<hyphenated-tag attribute=\"value\" otherattribute=\"value2\">Alot of hyphens.</hyphenated-tag>";365 $custom_tags = array(378 $string = '<hyphenated-tag attribute="value" otherattribute="value2">Alot of hyphens.</hyphenated-tag>'; 379 $custom_tags = array( 366 380 'hyphenated-tag' => array( 367 381 'attribute' => true, … … 370 384 $expect_stripped_string = 'Alot of hyphens.'; 371 385 372 $expect_valid_string = "<hyphenated-tag attribute=\"value\">Alot of hyphens.</hyphenated-tag>";386 $expect_valid_string = '<hyphenated-tag attribute="value">Alot of hyphens.</hyphenated-tag>'; 373 387 $this->assertEquals( $expect_stripped_string, wp_kses_post( $string ) ); 374 388 $this->assertEquals( $expect_valid_string, wp_kses( $string, $custom_tags ) ); … … 563 577 array( 564 578 '<a title="hello"disabled href=# id=\'my_id\'>', 565 array( '<a ', 'title="hello"', 'disabled ', 'href=# ', "id='my_id'", ">"),579 array( '<a ', 'title="hello"', 'disabled ', 'href=# ', "id='my_id'", '>' ), 566 580 ), 567 581 array( … … 684 698 */ 
685 699 function test_wp_kses_attr_no_attributes_allowed_with_empty_array() { 686 $element = 'foo';700 $element = 'foo'; 687 701 $attribute = 'title="foo" class="bar"'; 688 702 … … 694 708 */ 695 709 function test_wp_kses_attr_no_attributes_allowed_with_true() { 696 $element = 'foo';710 $element = 'foo'; 697 711 $attribute = 'title="foo" class="bar"'; 698 712 … … 704 718 */ 705 719 function test_wp_kses_attr_single_attribute_is_allowed() { 706 $element = 'foo';720 $element = 'foo'; 707 721 $attribute = 'title="foo" class="bar"'; 708 722
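Review bot: The skip/compare conditions that this pass only re-braced in the `wp_kses_bad_protocol` loop and the xssAttacks loop still use loose `==`/`!=` on `$result` and `$code`, and the `in_array( $attack->name, array( ... ) )` skip-list has no strict flag; since `$result` is always a string from `trim( wp_kses_data( $code ) )`, `if ( $result === '' || $result === 'XSS' || $result === 'alert("XSS");' || $result === "alert('XSS');" )` avoids PHP numeric-string coercion silently treating a payload the filter did not neutralise as "handled". The `in_array` call compares a SimpleXMLElement to strings, so it needs `(string) $attack->name` before the `true` strict argument can be added. The `case 12` expectation renders here as `str_replace( '&', '&', $x )`, which is a no-op as shown; that is presumably the viewer decoding `&amp;`, but it is worth confirming the source still reads `'&amp;'`. The test methods these hunks cut through start and end outside the visible hunks.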