Changeset 52304 for trunk/tests/phpunit/tests/kses.php

Timestamp:

12/02/2021 12:54:03 AM (3 years ago)

Author:

peterwilsoncc

Message:

KSES: Allow attributes to be restricted via callbacks.

Add callback validation to HTML tag attributes for increased flexibility over an array of values only.

In object tags, validate the data attribute via a callback to ensure it is a PDF and matches the type attribute. This prevents mime type mismatches in browsers.

Follow up to [51963].

Props Pento, dd32, swissspidy, xknown, peterwilsoncc.
Fixes #54261.

File:

• trunk/tests/phpunit/tests/kses.php (modified) (1 diff)

trunk/tests/phpunit/tests/kses.php

@@ -1518 +1518 @@
         return array(
             'valid value for type'                    => array(
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'invalid value for type'                  => array(
-                '<object type="application/exe" data="https://wordpress.org/foo.exe" />',
+                '<object type="application/exe" data="https://example.org/foo.exe" />',
                 '',
             ),
             'multiple type attributes, last invalid'  => array(
-                '<object type="application/pdf" type="application/exe" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" type="application/exe" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple type attributes, first uppercase, last invalid' => array(
-                '<object TYPE="application/pdf" type="application/exe" data="https://wordpress.org/foo.pdf" />',
-                '<object TYPE="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object TYPE="application/pdf" type="application/exe" data="https://example.org/foo.pdf" />',
+                '<object TYPE="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple type attributes, last upper case and invalid' => array(
-                '<object type="application/pdf" TYPE="application/exe" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" TYPE="application/exe" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple type attributes, first invalid' => array(
-                '<object type="application/exe" type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/exe" type="application/pdf" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'multiple type attributes, first upper case and invalid' => array(
-                '<object TYPE="application/exe" type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object TYPE="application/exe" type="application/pdf" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'multiple type attributes, first invalid, last uppercase' => array(
-                '<object type="application/exe" TYPE="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/exe" TYPE="application/pdf" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'multiple object tags, last invalid'      => array(
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" /><object type="application/exe" data="https://wordpress.org/foo.exe" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" /><object type="application/exe" data="https://example.org/foo.exe" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'multiple object tags, first invalid'     => array(
-                '<object type="application/exe" data="https://wordpress.org/foo.exe" /><object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
-                '<object type="application/pdf" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/exe" data="https://example.org/foo.exe" /><object type="application/pdf" data="https://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="https://example.org/foo.pdf" />',
             ),
             'type attribute with partially incorrect value' => array(
-                '<object type="application/pdfa" data="https://wordpress.org/foo.pdf" />',
+                '<object type="application/pdfa" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'type attribute with empty value'         => array(
-                '<object type="" data="https://wordpress.org/foo.pdf" />',
+                '<object type="" data="https://example.org/foo.pdf" />',
                 '',
             ),
             'type attribute with no value'            => array(
-                '<object type data="https://wordpress.org/foo.pdf" />',
+                '<object type data="https://example.org/foo.pdf" />',
                 '',
             ),
             'no type attribute'                       => array(
-                '<object data="https://wordpress.org/foo.pdf" />',
+                '<object data="https://example.org/foo.pdf" />',
+                '',
+            ),
+            'different protocol in url'               => array(
+                '<object type="application/pdf" data="http://example.org/foo.pdf" />',
+                '<object type="application/pdf" data="http://example.org/foo.pdf" />',
+            ),
+            'query string on url'                     => array(
+                '<object type="application/pdf" data="https://example.org/foo.pdf?lol=.pdf" />',
+                '',
+            ),
+            'fragment on url'                         => array(
+                '<object type="application/pdf" data="https://example.org/foo.pdf#lol.pdf" />',
+                '',
+            ),
+            'wrong extension'                         => array(
+                '<object type="application/pdf" data="https://example.org/foo.php" />',
+                '',
+            ),
+            'protocol relative url'                   => array(
+                '<object type="application/pdf" data="//example.org/foo.pdf" />',
+                '',
+            ),
+            'relative url'                            => array(
+                '<object type="application/pdf" data="/cat/foo.pdf" />',
                 '',
             ),