search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
[3.1.1] Implement SafeEmbed. Also, miscellaneous bugfixes.
[htmlpurifier.git] / tests / HTMLPurifierTest.php
blob3dd97e6d9442fa75cebbe6fdc9dc6380e6fc7a29
1 <?php
2
3 class HTMLPurifierTest extends HTMLPurifier_Harness
4 {
5 protected $purifier;
6
7 function testNull() {
8 $this->assertPurification("Null byte\0", "Null byte");
9 }
10
11 function testStrict() {
12 $this->config->set('HTML', 'Strict', true);
13
14 $this->assertPurification(
15 '<u>Illegal underline</u>',
16 '<span style="text-decoration:underline;">Illegal underline</span>'
17 );
18
19 $this->assertPurification(
20 '<blockquote>Illegal contents</blockquote>',
21 '<blockquote><p>Illegal contents</p></blockquote>'
22 );
23
24 }
25
26 function testDifferentAllowedElements() {
27
28 $this->config->set('HTML', 'AllowedElements', array('b', 'i', 'p', 'a'));
29 $this->config->set('HTML', 'AllowedAttributes', array('a.href', '*.id'));
30
31 $this->assertPurification(
32 '<p>Par.</p><p>Para<a href="http://google.com/">gr</a>aph</p>Text<b>Bol<i>d</i></b>'
33 );
34
35 $this->assertPurification(
36 '<span>Not allowed</span><a class="mef" id="foobar">Foobar</a>',
37 'Not allowed<a>Foobar</a>' // no ID!!!
38 );
39
40 }
41
42 function testBlacklistElements() {
43 $this->config->set('HTML', 'ForbiddenElements', array('b'));
44 $this->config->set('HTML', 'ForbiddenAttributes', array('a@href'));
45
46 $this->assertPurification(
47 '<p>Par.</p>'
48 );
49 $this->assertPurification(
50 '<b>Pa<a href="foo">r</a>.</b>',
51 'Pa<a>r</a>.'
52 );
53
54 }
55
56 function testDifferentAllowedCSSProperties() {
57
58 $this->config->set('CSS', 'AllowedProperties', array('color', 'background-color'));
59
60 $this->assertPurification(
61 '<div style="color:#f00;background-color:#ded;">red</div>'
62 );
63
64 $this->assertPurification(
65 '<div style="color:#f00;border:1px solid #000">red</div>',
66 '<div style="color:#f00;">red</div>'
67 );
68
69 }
70
71 function testDisableURI() {
72
73 $this->config->set('URI', 'Disable', true);
74
75 $this->assertPurification(
76 '<img src="foobar"/>',
77 ''
78 );
79
80 }
81
82 function test_purifyArray() {
83
84 $this->assertIdentical(
85 $this->purifier->purifyArray(
86 array('Good', '<b>Sketchy', 'foo' => '<script>bad</script>')
87 ),
88 array('Good', '<b>Sketchy</b>', 'foo' => '')
89 );
90
91 $this->assertIsA($this->purifier->context, 'array');
92
93 }
94
95 function testAttrIDDisabledByDefault() {
96
97 $this->assertPurification(
98 '<span id="moon">foobar</span>',
99 '<span>foobar</span>'
100 );
101
102 }
103
104 function testEnableAttrID() {
105 $this->config->set('Attr', 'EnableID', true);
106 $this->assertPurification('<span id="moon">foobar</span>');
107 $this->assertPurification('<img id="folly" src="folly.png" alt="Omigosh!" />');
108 }
109
110 function testScript() {
111 $this->config->set('HTML', 'Trusted', true);
112
113 $ideal = '<script type="text/javascript"><!--//--><![CDATA[//><!--
114 alert("<This is compatible with XHTML>");
115 //--><!]]></script>';
116
117 $this->assertPurification($ideal);
118
119 $this->assertPurification(
120 '<script type="text/javascript"><![CDATA[
121 alert("<This is compatible with XHTML>");
122 ]]></script>',
123 $ideal
124 );
125
126 $this->assertPurification(
127 '<script type="text/javascript">alert("<This is compatible with XHTML>");</script>',
128 $ideal
129 );
130
131 $this->assertPurification(
132 '<script type="text/javascript"><!--
133 alert("<This is compatible with XHTML>");
134 //--></script>',
135 $ideal
136 );
137
138 $this->assertPurification(
139 '<script type="text/javascript"><![CDATA[
140 alert("<This is compatible with XHTML>");
141 //]]></script>',
142 $ideal
143 );
144 }
145
146 function testGetInstance() {
147 $purifier = HTMLPurifier::getInstance();
148 $purifier2 = HTMLPurifier::getInstance();
149 $this->assertReference($purifier, $purifier2);
150 }
151
152 function testMakeAbsolute() {
153 $this->config->set('URI', 'Base', 'http://example.com/bar/baz.php');
154 $this->config->set('URI', 'MakeAbsolute', true);
155 $this->assertPurification(
156 '<a href="foo.txt">Foobar</a>',
157 '<a href="http://example.com/bar/foo.txt">Foobar</a>'
158 );
159 }
160
161 function test_addFilter_deprecated() {
162 $this->expectError('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom');
163 generate_mock_once('HTMLPurifier_Filter');
164 $this->purifier->addFilter($mock = new HTMLPurifier_FilterMock());
165 $mock->expectOnce('preFilter');
166 $mock->expectOnce('postFilter');
167 $this->purifier->purify('foo');
168 }
169
170 function test_shiftJis() {
171 if (!function_exists('iconv')) return;
172 $this->config->set('Core', 'Encoding', 'Shift_JIS');
173 $this->config->set('Core', 'EscapeNonASCIICharacters', true);
174 $this->assertPurification(
175 "<b style=\"font-family:'&#165;';\">111</b>"
176 );
177 }
178
179 function test_shiftJisWorstCase() {
180 if (!function_exists('iconv')) return;
181 $this->config->set('Core', 'Encoding', 'Shift_JIS');
182 $this->assertPurification( // Notice how Yen disappears
183 "<b style=\"font-family:'&#165;';\">111</b>",
184 "<b style=\"font-family:'';\">111</b>"
185 );
186 }
187
188 function test_secureMunge() {
189 $this->config->set('URI', 'SecureMunge', '/redirect.php?url=%s&check=%t');
190 $this->config->set('URI', 'SecureMungeSecretKey', 'foo');
191 $this->assertPurification(
192 '<a href="http://localhost">foo</a><img src="http://localhost" alt="local" />',
193 '<a href="/redirect.php?url=http%3A%2F%2Flocalhost&amp;check=8e8223ae8fac24561104180ea549c21fbd111be7">foo</a><img src="http://localhost" alt="local" />'
194 );
195 }
196
197 function test_safeObjectAndEmbed() {
198 $this->config->set('HTML', 'SafeObject', true);
199 $this->config->set('HTML', 'SafeEmbed', true);
200 $this->assertPurification(
201 '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
202 '<object width="425" height="344" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
203 );
204 }
205
206 function test_safeObjectAndEmbedWithSecureMunge() {
207 $this->config->set('HTML', 'SafeObject', true);
208 $this->config->set('HTML', 'SafeEmbed', true);
209 $this->config->set('URI', 'SecureMunge', '/redirect.php?url=%s&check=%t');
210 $this->config->set('URI', 'SecureMungeSecretKey', 'foo');
211 $this->assertPurification(
212 '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
213 '<object width="425" height="344" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
214 );
215 }
216
217 }
218
Standards-compliant HTML filter written in PHP