Changeset 46907 for branches/5.1/tests/phpunit/tests/formatting/WPTargetedLinkRel.php

Timestamp:

12/12/2019 06:36:20 PM (6 years ago)

Author:

whyisjake

Message:

Ensure that a user can publish_posts before making a post sticky.
Props: danielbachhuber, whyisjake, peterwilson, xknown.
Prevent stored XSS through wp_targeted_link_rel().
Props: vortfu, whyisjake, peterwilsoncc, xknown, SergeyBiryukov, flaviozavan.
Update wp_kses_bad_protocol() to recognize : on uri attributes,
wp_kses_bad_protocol() makes sure to validate that uri attributes don't contain invalid/or not allowed protocols. While this works fine in most cases, there's a risk that by using the colon html5 named entity, one is able to bypass this function.
Brings r46895 to the 5.3 branch.
Props: xknown, nickdaugherty, peterwilsoncc.
Prevent stored XSS in the block editor.
Brings r46896 to the 5.3 branch.
Prevent escaped unicode characters become unescaped in unsafe HTML during JSON decoding.
Props: aduth, epiqueras.

Location:

branches/5.1

Files:

• . (modified) (1 prop)
• tests/phpunit/tests/formatting/WPTargetedLinkRel.php (modified) (3 diffs)

branches/5.1/tests/phpunit/tests/formatting/WPTargetedLinkRel.php

@@ -39 +39 @@
     public function test_rel_with_single_quote_delimiter() {
         $content  = '<p>Links: <a href="/" rel=\'existing values\' target="_blank">Existing rel</a></p>';
-        $expected = '<p>Links: <a href="/" rel=\'existing values noopener noreferrer\' target="_blank">Existing rel</a></p>';
+        $expected = '<p>Links: <a href="/" rel="existing values noopener noreferrer" target="_blank">Existing rel</a></p>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
@@ -52 +52 @@
         $content  = '<p>Links: <a href="/" rel = existing target="_blank">Existing rel</a></p>';
         $expected = '<p>Links: <a href="/" rel="existing noopener noreferrer" target="_blank">Existing rel</a></p>';
-        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
-    }
-
-    public function test_rel_value_spaced_and_no_delimiter_and_values_to_escape() {
-        $content  = '<p>Links: <a href="/" rel = existing"value target="_blank">Existing rel</a></p>';
-        $expected = '<p>Links: <a href="/" rel="existing&quot;value noopener noreferrer" target="_blank">Existing rel</a></p>';
         $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
     }
@@ -102 +96 @@
         $this->assertEquals( $expected, $post->post_content );
     }
+
+    /**
+     * Ensure JSON format is preserved when relation attribute (rel) is missing.
+     *
+     * @ticket 46316
+     */
+    public function test_wp_targeted_link_rel_should_preserve_json() {
+        $content  = '<p>Links: <a href=\"\/\" target=\"_blank\">No rel<\/a><\/p>';
+        $expected = '<p>Links: <a href=\"\/\" target=\"_blank\" rel=\"noopener noreferrer\">No rel<\/a><\/p>';
+        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
+    }
+
+    /**
+     * Ensure the content of style and script tags are not processed
+     *
+     * @ticket 47244
+     */
+    public function test_wp_targeted_link_rel_skips_style_and_scripts() {
+        $content  = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target=_blank>aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
+        $expected = '<style><a href="/" target=a></style><p>Links: <script>console.log("<a href=\'/\' target=a>hi</a>");</script><script>alert(1);</script>here <a href="/" target="_blank" rel="noopener noreferrer">aq</a></p><script>console.log("<a href=\'last\' target=\'_blank\'")</script>';
+        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
+    }
+
+    /**
+     * Ensure entirely serialized content is ignored.
+     *
+     * @ticket 46402
+     */
+    public function test_ignore_entirely_serialized_content() {
+        $content  = 'a:1:{s:4:"html";s:52:"<p>Links: <a href="/" target="_blank">No Rel</a></p>";}';
+        $expected = 'a:1:{s:4:"html";s:52:"<p>Links: <a href="/" target="_blank">No Rel</a></p>";}';
+        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
+    }
+
+    public function test_wp_targeted_link_rel_tab_separated_values_are_split() {
+        $content  = "<p>Links: <a href=\"/\" target=\"_blank\" rel=\"ugc\t\tnoopener\t\">No rel</a></p>";
+        $expected = '<p>Links: <a href="/" target="_blank" rel="ugc noopener noreferrer">No rel</a></p>';
+        $this->assertEquals( $expected, wp_targeted_link_rel( $content ) );
+    }
+
 }