You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.

HTMLDefinitionTest.php 14KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389
  1. <?php
  2. class HTMLPurifier_HTMLDefinitionTest extends HTMLPurifier_Harness
  3. {
  4. public function expectError($error = false, $message = '%s')
  5. {
  6. // Because we're testing a definition, it's vital that the cache
  7. // is turned off for tests that expect errors.
  8. $this->config->set('Cache.DefinitionImpl', null);
  9. parent::expectError($error);
  10. }
  11. public function test_parseTinyMCEAllowedList()
  12. {
  13. $def = new HTMLPurifier_HTMLDefinition();
  14. // note: this is case-sensitive, but its config schema
  15. // counterpart is not. This is generally a good thing for users,
  16. // but it's a slight internal inconsistency
  17. $this->assertEqual(
  18. $def->parseTinyMCEAllowedList(''),
  19. array(array(), array())
  20. );
  21. $this->assertEqual(
  22. $def->parseTinyMCEAllowedList('a,b,c'),
  23. array(array('a' => true, 'b' => true, 'c' => true), array())
  24. );
  25. $this->assertEqual(
  26. $def->parseTinyMCEAllowedList('a[x|y|z]'),
  27. array(array('a' => true), array('a.x' => true, 'a.y' => true, 'a.z' => true))
  28. );
  29. $this->assertEqual(
  30. $def->parseTinyMCEAllowedList('*[id]'),
  31. array(array(), array('*.id' => true))
  32. );
  33. $this->assertEqual(
  34. $def->parseTinyMCEAllowedList('a[*]'),
  35. array(array('a' => true), array('a.*' => true))
  36. );
  37. $this->assertEqual(
  38. $def->parseTinyMCEAllowedList('span[style],strong,a[href|title]'),
  39. array(array('span' => true, 'strong' => true, 'a' => true),
  40. array('span.style' => true, 'a.href' => true, 'a.title' => true))
  41. );
  42. $this->assertEqual(
  43. // alternate form:
  44. $def->parseTinyMCEAllowedList(
  45. 'span[style]
  46. strong
  47. a[href|title]
  48. '),
  49. $val = array(array('span' => true, 'strong' => true, 'a' => true),
  50. array('span.style' => true, 'a.href' => true, 'a.title' => true))
  51. );
  52. $this->assertEqual(
  53. $def->parseTinyMCEAllowedList(' span [ style ], strong'."\n\t".'a[href | title]'),
  54. $val
  55. );
  56. }
  57. public function test_Allowed()
  58. {
  59. $config1 = HTMLPurifier_Config::create(array(
  60. 'HTML.AllowedElements' => array('b', 'i', 'p', 'a'),
  61. 'HTML.AllowedAttributes' => array('a@href', '*@id')
  62. ));
  63. $config2 = HTMLPurifier_Config::create(array(
  64. 'HTML.Allowed' => 'b,i,p,a[href],*[id]'
  65. ));
  66. $this->assertEqual($config1->getHTMLDefinition(), $config2->getHTMLDefinition());
  67. }
  68. public function assertPurification_AllowedElements_p()
  69. {
  70. $this->assertPurification('<p><b>Jelly</b></p>', '<p>Jelly</p>');
  71. }
  72. public function test_AllowedElements()
  73. {
  74. $this->config->set('HTML.AllowedElements', 'p');
  75. $this->assertPurification_AllowedElements_p();
  76. }
  77. public function test_AllowedElements_multiple()
  78. {
  79. $this->config->set('HTML.AllowedElements', 'p,div');
  80. $this->assertPurification('<div><p><b>Jelly</b></p></div>', '<div><p>Jelly</p></div>');
  81. }
  82. public function test_AllowedElements_invalidElement()
  83. {
  84. $this->config->set('HTML.AllowedElements', 'obviously_invalid,p');
  85. $this->expectError(new PatternExpectation("/Element 'obviously_invalid' is not supported/"));
  86. $this->assertPurification_AllowedElements_p();
  87. }
  88. public function test_AllowedElements_invalidElement_xssAttempt()
  89. {
  90. $this->config->set('HTML.AllowedElements', '<script>,p');
  91. $this->expectError(new PatternExpectation("/Element '&lt;script&gt;' is not supported/"));
  92. $this->assertPurification_AllowedElements_p();
  93. }
  94. public function test_AllowedElements_multipleInvalidElements()
  95. {
  96. $this->config->set('HTML.AllowedElements', 'dr-wiggles,dr-pepper,p');
  97. $this->expectError(new PatternExpectation("/Element 'dr-wiggles' is not supported/"));
  98. $this->expectError(new PatternExpectation("/Element 'dr-pepper' is not supported/"));
  99. $this->assertPurification_AllowedElements_p();
  100. }
  101. public function assertPurification_AllowedAttributes_global_style()
  102. {
  103. $this->assertPurification(
  104. '<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />',
  105. '<p style="font-weight:bold;">Jelly</p><br style="clear:both;" />');
  106. }
  107. public function test_AllowedAttributes_global_preferredSyntax()
  108. {
  109. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  110. $this->config->set('HTML.AllowedAttributes', 'style');
  111. $this->assertPurification_AllowedAttributes_global_style();
  112. }
  113. public function test_AllowedAttributes_global_verboseSyntax()
  114. {
  115. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  116. $this->config->set('HTML.AllowedAttributes', '*@style');
  117. $this->assertPurification_AllowedAttributes_global_style();
  118. }
  119. public function test_AllowedAttributes_global_discouragedSyntax()
  120. {
  121. // Emit errors eventually
  122. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  123. $this->config->set('HTML.AllowedAttributes', '*.style');
  124. $this->assertPurification_AllowedAttributes_global_style();
  125. }
  126. public function assertPurification_AllowedAttributes_local_p_style()
  127. {
  128. $this->assertPurification(
  129. '<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />',
  130. '<p style="font-weight:bold;">Jelly</p><br />');
  131. }
  132. public function test_AllowedAttributes_local_preferredSyntax()
  133. {
  134. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  135. $this->config->set('HTML.AllowedAttributes', 'p@style');
  136. $this->assertPurification_AllowedAttributes_local_p_style();
  137. }
  138. public function test_AllowedAttributes_local_discouragedSyntax()
  139. {
  140. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  141. $this->config->set('HTML.AllowedAttributes', 'p.style');
  142. $this->assertPurification_AllowedAttributes_local_p_style();
  143. }
  144. public function test_AllowedAttributes_multiple()
  145. {
  146. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  147. $this->config->set('HTML.AllowedAttributes', 'p@style,br@class,title');
  148. $this->assertPurification(
  149. '<p style="font-weight:bold;" class="foo" title="foo">Jelly</p><br style="clear:both;" class="foo" title="foo" />',
  150. '<p style="font-weight:bold;" title="foo">Jelly</p><br class="foo" title="foo" />'
  151. );
  152. }
  153. public function test_AllowedAttributes_local_invalidAttribute()
  154. {
  155. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  156. $this->config->set('HTML.AllowedAttributes', array('p@style', 'p@<foo>'));
  157. $this->expectError(new PatternExpectation("/Attribute '&lt;foo&gt;' in element 'p' not supported/"));
  158. $this->assertPurification_AllowedAttributes_local_p_style();
  159. }
  160. public function test_AllowedAttributes_global_invalidAttribute()
  161. {
  162. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  163. $this->config->set('HTML.AllowedAttributes', array('style', '<foo>'));
  164. $this->expectError(new PatternExpectation("/Global attribute '&lt;foo&gt;' is not supported in any elements/"));
  165. $this->assertPurification_AllowedAttributes_global_style();
  166. }
  167. public function test_AllowedAttributes_local_invalidAttributeDueToMissingElement()
  168. {
  169. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  170. $this->config->set('HTML.AllowedAttributes', 'p.style,foo.style');
  171. $this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/"));
  172. $this->assertPurification_AllowedAttributes_local_p_style();
  173. }
  174. public function test_AllowedAttributes_duplicate()
  175. {
  176. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  177. $this->config->set('HTML.AllowedAttributes', 'p.style,p@style');
  178. $this->assertPurification_AllowedAttributes_local_p_style();
  179. }
  180. public function test_AllowedAttributes_multipleErrors()
  181. {
  182. $this->config->set('HTML.AllowedElements', array('p', 'br'));
  183. $this->config->set('HTML.AllowedAttributes', 'p.style,foo.style,<foo>');
  184. $this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/"));
  185. $this->expectError(new PatternExpectation("/Global attribute '&lt;foo&gt;' is not supported in any elements/"));
  186. $this->assertPurification_AllowedAttributes_local_p_style();
  187. }
  188. public function test_ForbiddenElements()
  189. {
  190. $this->config->set('HTML.ForbiddenElements', 'b');
  191. $this->assertPurification('<b>b</b><i>i</i>', 'b<i>i</i>');
  192. }
  193. public function test_ForbiddenElements_invalidElement()
  194. {
  195. $this->config->set('HTML.ForbiddenElements', 'obviously_incorrect');
  196. // no error!
  197. $this->assertPurification('<i>i</i>');
  198. }
  199. public function assertPurification_ForbiddenAttributes_b_style()
  200. {
  201. $this->assertPurification(
  202. '<b style="float:left;">b</b><i style="float:left;">i</i>',
  203. '<b>b</b><i style="float:left;">i</i>');
  204. }
  205. public function test_ForbiddenAttributes()
  206. {
  207. $this->config->set('HTML.ForbiddenAttributes', 'b@style');
  208. $this->assertPurification_ForbiddenAttributes_b_style();
  209. }
  210. public function test_ForbiddenAttributes_incorrectSyntax()
  211. {
  212. $this->config->set('HTML.ForbiddenAttributes', 'b.style');
  213. $this->expectError("Error with b.style: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead");
  214. $this->assertPurification('<b style="float:left;">Test</b>');
  215. }
  216. public function test_ForbiddenAttributes_incorrectGlobalSyntax()
  217. {
  218. $this->config->set('HTML.ForbiddenAttributes', '*.style');
  219. $this->expectError("Error with *.style: *.attr syntax not supported for HTML.ForbiddenAttributes; use attr instead");
  220. $this->assertPurification('<b style="float:left;">Test</b>');
  221. }
  222. public function assertPurification_ForbiddenAttributes_style()
  223. {
  224. $this->assertPurification(
  225. '<b class="foo" style="float:left;">b</b><i style="float:left;">i</i>',
  226. '<b class="foo">b</b><i>i</i>');
  227. }
  228. public function test_ForbiddenAttributes_global()
  229. {
  230. $this->config->set('HTML.ForbiddenAttributes', 'style');
  231. $this->assertPurification_ForbiddenAttributes_style();
  232. }
  233. public function test_ForbiddenAttributes_globalVerboseFormat()
  234. {
  235. $this->config->set('HTML.ForbiddenAttributes', '*@style');
  236. $this->assertPurification_ForbiddenAttributes_style();
  237. }
  238. public function test_addAttribute()
  239. {
  240. $config = HTMLPurifier_Config::createDefault();
  241. $def = $config->getHTMLDefinition(true);
  242. $def->addAttribute('span', 'custom', 'Enum#attribute');
  243. $purifier = new HTMLPurifier($config);
  244. $input = '<span custom="attribute">Custom!</span>';
  245. $output = $purifier->purify($input);
  246. $this->assertIdentical($input, $output);
  247. }
  248. public function test_addAttribute_multiple()
  249. {
  250. $config = HTMLPurifier_Config::createDefault();
  251. $def = $config->getHTMLDefinition(true);
  252. $def->addAttribute('span', 'custom', 'Enum#attribute');
  253. $def->addAttribute('span', 'foo', 'Text');
  254. $purifier = new HTMLPurifier($config);
  255. $input = '<span custom="attribute" foo="asdf">Custom!</span>';
  256. $output = $purifier->purify($input);
  257. $this->assertIdentical($input, $output);
  258. }
  259. public function test_addElement()
  260. {
  261. $config = HTMLPurifier_Config::createDefault();
  262. $def = $config->getHTMLDefinition(true);
  263. $def->addElement('marquee', 'Inline', 'Inline', 'Common', array('width' => 'Length'));
  264. $purifier = new HTMLPurifier($config);
  265. $input = '<span><marquee width="50">Foobar</marquee></span>';
  266. $output = $purifier->purify($input);
  267. $this->assertIdentical($input, $output);
  268. }
  269. public function test_injector()
  270. {
  271. generate_mock_once('HTMLPurifier_Injector');
  272. $injector = new HTMLPurifier_InjectorMock();
  273. $injector->name = 'MyInjector';
  274. $injector->setReturnValue('checkNeeded', false);
  275. $module = $this->config->getHTMLDefinition(true)->getAnonymousModule();
  276. $module->info_injector[] = $injector;
  277. $this->assertIdentical($this->config->getHTMLDefinition()->info_injector,
  278. array(
  279. 'MyInjector' => $injector,
  280. )
  281. );
  282. }
  283. public function test_injectorMissingNeeded()
  284. {
  285. generate_mock_once('HTMLPurifier_Injector');
  286. $injector = new HTMLPurifier_InjectorMock();
  287. $injector->name = 'MyInjector';
  288. $injector->setReturnValue('checkNeeded', 'a');
  289. $module = $this->config->getHTMLDefinition(true)->getAnonymousModule();
  290. $module->info_injector[] = $injector;
  291. $this->assertIdentical($this->config->getHTMLDefinition()->info_injector,
  292. array()
  293. );
  294. }
  295. public function test_injectorIntegration()
  296. {
  297. $module = $this->config->getHTMLDefinition(true)->getAnonymousModule();
  298. $module->info_injector[] = 'Linkify';
  299. $this->assertIdentical(
  300. $this->config->getHTMLDefinition()->info_injector,
  301. array('Linkify' => new HTMLPurifier_Injector_Linkify())
  302. );
  303. }
  304. public function test_injectorIntegrationFail()
  305. {
  306. $this->config->set('HTML.Allowed', 'p');
  307. $module = $this->config->getHTMLDefinition(true)->getAnonymousModule();
  308. $module->info_injector[] = 'Linkify';
  309. $this->assertIdentical(
  310. $this->config->getHTMLDefinition()->info_injector,
  311. array()
  312. );
  313. }
  314. public function test_notAllowedRequiredAttributeError()
  315. {
  316. $this->expectError("Required attribute 'src' in element 'img' was not allowed, which means 'img' will not be allowed either");
  317. $this->config->set('HTML.Allowed', 'img[alt]');
  318. $this->config->getHTMLDefinition();
  319. }
  320. }
  321. // vim: et sw=4 sts=4