Timestamp:
12/12/2019 05:51:35 PM (2 years ago)
Author:
whyisjake
Message:

Prevent stored XSS through wp_targeted_link_rel().

Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.

File:
1 edited

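--- a/trunk/tests/phpunit/tests/formatting/WPTargetedLinkRel.php
+++ b/trunk/tests/phpunit/tests/formatting/WPTargetedLinkRel.php
@@ -39,5 +39,5 @@
     public function test_rel_with_single_quote_delimiter() {
         $content  = '<p>Links: <a href="/" rel=\'existing values\' target="_blank">Existing rel</a></p>';
-        $expected = '<p>Links: <a href="/" rel=\'existing values noopener noreferrer\' target="_blank">Existing rel</a></p>';
+        $expected = '<p>Links: <a href="/" rel="existing values noopener noreferrer" target="_blank">Existing rel</a></p>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
@@ -52,10 +52,4 @@
         $content  = '<p>Links: <a href="/" rel = existing target="_blank">Existing rel</a></p>';
         $expected = '<p>Links: <a href="/" rel="existing noopener noreferrer" target="_blank">Existing rel</a></p>';
-        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
-    }
-
-    public function test_rel_value_spaced_and_no_delimiter_and_values_to_escape() {
-        $content  = '<p>Links: <a href="/" rel = existing"value target="_blank">Existing rel</a></p>';
-        $expected = '<p>Links: <a href="/" rel="existing&quot;value noopener noreferrer" target="_blank">Existing rel</a></p>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
@@ -115,15 +109,11 @@
 
     /**
-     * Ensure correct quotes are used when relation attribute (rel) is missing.
+     * Ensure the content of style and script tags are not processed
      *
      * @ticket 47244
      */
-    public function test_wp_targeted_link_rel_should_use_correct_quotes() {
-        $content  = '<p>Links: <a href=\'\/\' target=\'_blank\'>No rel<\/a><\/p>';
-        $expected = '<p>Links: <a href=\'\/\' target=\'_blank\' rel=\'noopener noreferrer\'>No rel<\/a><\/p>';
-        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
-
-        $content  = '<p>Links: <a href=\'\/\' target=_blank>No rel<\/a><\/p>';
-        $expected = '<p>Links: <a href=\'\/\' target=_blank rel=\'noopener noreferrer\'>No rel<\/a><\/p>';
+    public function test_wp_targeted_link_rel_skips_style_and_scripts() {
+        $content  = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target=_blank>aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
+        $expected = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target="_blank" rel="noopener noreferrer">aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
@@ -140,3 +130,9 @@
     }
 
+    public function test_wp_targeted_link_rel_tab_separated_values_are_split() {
+        $content  = "<p>Links: <a href=\"/\" target=\"_blank\" rel=\"ugc\t\tnoopener\t\">No rel</a></p>";
+        $expected = '<p>Links: <a href="/" target="_blank" rel="ugc noopener noreferrer">No rel</a></p>';
+        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
+    }
+
 }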
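Review bot: The new test_wp_targeted_link_rel_skips_style_and_scripts case only uses lowercase `<script>`/`<style>` tags that are each properly closed, so it does not establish that the skipping (implemented outside this file) is case-insensitive or how an unterminated `<script>` is handled, and both matter for a fix whose purpose is to stop attribute rewriting from producing stored XSS inside script text. A second input such as `'<SCRIPT>var s = "<a href=\'/\' target=\'_blank\'>";</SCRIPT>'` asserted equal to itself would pin case-insensitivity, and an input whose `<script>` never closes should pin whichever fallback is intended (left untouched, or processed as ordinary HTML). Dropping test_rel_value_spaced_and_no_delimiter_and_values_to_escape also removes the only case with a raw double quote inside an undelimited `rel` value; if that input is still expected to be neutralised (the old expectation was `rel="existing&quot;value noopener noreferrer"`), a replacement assertion with the new expected output would keep the attribute-breakout path covered. The enclosing test class opens outside this section.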