Changeset 46901 for branches/5.2/tests/phpunit/tests/formatting/WPTargetedLinkRel.php

Timestamp:

12/12/2019 06:17:35 PM (5 years ago)

Author:

whyisjake

Message:

Ensure that a user can publish_posts before making a post sticky.

Props: danielbachhuber, whyisjake, peterwilson, xknown.

Prevent stored XSS through wp_targeted_link_rel().

Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.

Update wp_kses_bad_protocol() to recognize : on uri attributes,

wp_kses_bad_protocol() makes sure to validate that uri attributes don’t contain invalid/or not allowed protocols. While this works fine in most cases, there’s a risk that by using the colon html5 named entity, one is able to bypass this function.

Brings r46895 to the 5.3 branch.

Props: xknown, nickdaugherty, peterwilsoncc.

Prevent stored XSS in the block editor.

Brings r46896 to the 5.3 branch.

Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.

Props: aduth, epiqueras.

Location:

branches/5.2

Files:

• . (modified) (1 prop)
• tests/phpunit/tests/formatting/WPTargetedLinkRel.php (modified) (3 diffs)

branches/5.2/tests/phpunit/tests/formatting/WPTargetedLinkRel.php

@@ -39 +39 @@
     public function test_rel_with_single_quote_delimiter() {
         $content  = '<p>Links: <a href="/" rel=\'existing values\' target="_blank">Existing rel</a></p>';
-        $expected = '<p>Links: <a href="/" rel=\'existing values noopener noreferrer\' target="_blank">Existing rel</a></p>';
+        $expected = '<p>Links: <a href="/" rel="existing values noopener noreferrer" target="_blank">Existing rel</a></p>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
@@ -52 +52 @@
         $content  = '<p>Links: <a href="/" rel = existing target="_blank">Existing rel</a></p>';
         $expected = '<p>Links: <a href="/" rel="existing noopener noreferrer" target="_blank">Existing rel</a></p>';
-        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
-    }
-
-    public function test_rel_value_spaced_and_no_delimiter_and_values_to_escape() {
-        $content  = '<p>Links: <a href="/" rel = existing"value target="_blank">Existing rel</a></p>';
-        $expected = '<p>Links: <a href="/" rel="existing&quot;value noopener noreferrer" target="_blank">Existing rel</a></p>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
@@ -115 +109 @@
 
     /**
-     * Ensure correct quotes are used when relation attribute (rel) is missing.
+     * Ensure the content of style and script tags are not processed
      *
      * @ticket 47244
      */
-    public function test_wp_targeted_link_rel_should_use_correct_quotes() {
-        $content  = '<p>Links: <a href=\'\/\' target=\'_blank\'>No rel<\/a><\/p>';
-        $expected = '<p>Links: <a href=\'\/\' target=\'_blank\' rel=\'noopener noreferrer\'>No rel<\/a><\/p>';
-        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
-
-        $content  = '<p>Links: <a href=\'\/\' target=_blank>No rel<\/a><\/p>';
-        $expected = '<p>Links: <a href=\'\/\' target=_blank rel=\'noopener noreferrer\'>No rel<\/a><\/p>';
+    public function test_wp_targeted_link_rel_skips_style_and_scripts() {
+        $content  = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target=_blank>aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
+        $expected = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target="_blank" rel="noopener noreferrer">aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
+
+    /**
+     * Ensure entirely serialized content is ignored.
+     *
+     * @ticket 46402
+     */
+    public function test_ignore_entirely_serialized_content() {
+        $content  = 'a:1:{s:4:"html";s:52:"<p>Links: <a href="/" target="_blank">No Rel</a></p>";}';
+        $expected = 'a:1:{s:4:"html";s:52:"<p>Links: <a href="/" target="_blank">No Rel</a></p>";}';
+        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
+    }
+
+    public function test_wp_targeted_link_rel_tab_separated_values_are_split() {
+        $content  = "<p>Links: <a href=\"/\" target=\"_blank\" rel=\"ugc\t\tnoopener\t\">No rel</a></p>";
+        $expected = '<p>Links: <a href="/" target="_blank" rel="ugc noopener noreferrer">No rel</a></p>';
+        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
+    }
+
 }