search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Merge in PHP5 strict changes that are applicable to PHP4.
[htmlpurifier.git] / tests / HTMLPurifier / AttrDef / URITest.php
blobf9a9ab415e077dd6411f98782c390cc0d6b1738f
1 <?php
2
3 require_once 'HTMLPurifier/AttrDefHarness.php';
4 require_once 'HTMLPurifier/AttrDef/URI.php';
5
6 // WARNING: INCOMPLETE UNIT TESTS!
7 // we also need to test all the configuration directives defined by this class
8
9 // http: is returned quite often when a URL is invalid. We have to change
10 // this behavior to just a plain old "FALSE"!
11
12 class HTMLPurifier_AttrDef_URITest extends HTMLPurifier_AttrDefHarness
13 {
14
15 var $scheme, $components, $return_components;
16
17 function testGenericURI() {
18
19 generate_mock_once('HTMLPurifier_URIScheme');
20 generate_mock_once('HTMLPurifier_URISchemeRegistry');
21
22 $old_registry = HTMLPurifier_URISchemeRegistry::instance();
23
24 // finally, lets get a copy of the actual class
25 $this->def = new HTMLPurifier_AttrDef_URI();
26
27 // initialize test inputs
28 $uri = // input URI
29 $components = // what components the URI should be parsed to
30 $return_components = // return components
31 $expect_uri = array(); // what reassembled URI to expect
32
33 //////////////////////////////////////////////////////////////////////
34
35 // test a regular instance, return identical URI
36 $uri[0] = 'http://www.example.com/webhp?q=foo#result2';
37 $components[0] = array(
38 null, // userinfo
39 'www.example.com', // host
40 null, // port
41 '/webhp', // path
42 'q=foo' // query
43 );
44
45 // test an amended URI (the actual logic is irrelevant)
46 // test that user and port get parsed correctly (3.2.1 and 3.2.3)
47 $uri[1] = 'http://user@authority.part:80/now/the/path?query#fragment';
48 $components[1] = array(
49 'user', 'authority.part', 80,
50 '/now/the/path', 'query'
51 );
52 $return_components[1] = array( // removed port (it's standard)
53 'user', 'authority.part', null, '/now/the/path', 'query'
54 );
55 $expect_uri[1] = 'http://user@authority.part/now/the/path?query#fragment';
56
57 // percent encoded characters are not resolved during generic URI
58 // parsing even though RFC 3986 defines this notation
59 // also test what happens when query/fragment are missing
60 $uri[2] = 'http://en.wikipedia.org/wiki/Clich%C3%A9';
61 $components[2] = array(
62 null, 'en.wikipedia.org', null, '/wiki/Clich%C3%A9', null
63 );
64
65 // test distinction between empty query and undefined query (above)
66 $uri[3] = 'http://www.example.com/?#';
67 $components[3] = array(null, 'www.example.com', null, '/', '');
68
69 // path is always defined, even if empty
70 $uri[4] = 'http://www.example.com';
71 $components[4] = array(null, 'www.example.com', null, '', null);
72
73 // test parsing of an opaque URI
74 $uri[5] = 'mailto:bob@example.com';
75 $components[5] = array(null, null, null, 'bob@example.com', null);
76
77 // even though we don't resolve percent entities, we have to fix
78 // improper percent-encodes. Taken one at a time:
79 // %56 - V, which is an unreserved character
80 // %fc - u with an umlaut, normalize to uppercase
81 // %GJ - invalid characters in entity, encode %
82 // %5 - prematurely terminated, encode %
83 // %FC - u with umlaut, correct
84 // note that Apache doesn't do such fixing, rather, it just claims
85 // that the browser sent a "Bad Request". See PercentEncoder.php
86 // for more details
87 $uri[6] = 'http://www.example.com/%56%fc%GJ%5%FC';
88 $components[6] = array(null, 'www.example.com', null, '/V%FC%25GJ%255%FC', null);
89 $expect_uri[6] = 'http://www.example.com/V%FC%25GJ%255%FC';
90
91 // test IPv4 address (behavior may vary with configuration)
92 $uri[7] = 'http://192.0.34.166/';
93 $components[7] = array(null, '192.0.34.166', null, '/', null);
94
95 // while it may look like an IPv4 address, it's really a reg-name.
96 // don't destroy it
97 $uri[8] = 'http://333.123.32.123/';
98 $components[8] = array(null, '333.123.32.123', null, '/', null);
99
100 // test IPv6 address, using amended form of RFC's example
101 $uri[9] = 'http://[2001:db8::7]/c=GB?objectClass?one';
102 $components[9] = array(null, '[2001:db8::7]', null, '/c=GB',
103 'objectClass?one');
104
105 // We will not implement punycode encoding, that's up to the browsers
106 // We also will not implement percent to IDNA encoding transformations:
107 // if you need to use an international domain in a link, make sure that
108 // you've got it in UTF-8 and send it in raw (no encoding).
109
110 // break the RFC a little and allow international characters
111 // WARNING: UTF-8 encoded!
112 $uri[10] = 'http://tūdaliņ.lv';
113 $components[10] = array(null, 'tūdaliņ.lv', null, '', null);
114
115 // test invalid IPv6 address and invalid reg-name
116 $uri[11] = 'http://[2001:0db8:85z3:08d3:1319:8a2e:0370:7334]';
117 $components[11] = array(null, null, null, '', null);
118 $expect_uri[11] = 'http:';
119
120 // test invalid port
121 $uri[12] = 'http://example.com:foobar';
122 $components[12] = array(null, 'example.com', null, '', null);
123 $expect_uri[12] = 'http://example.com';
124
125 // test overlarge port (max is 65535, although this isn't official)
126 $uri[13] = 'http://example.com:65536';
127 $components[13] = array(null, 'example.com', null, '', null);
128 $expect_uri[13] = 'http://example.com';
129
130 // some spec abnf tests
131
132 // "authority . path-abempty" omitted, it is a trivial case
133
134 // "path-absolute", note this is different from path-rootless
135 $uri[14] = 'http:/this/is/path';
136 $components[14] = array(null, null, null, '/this/is/path', null);
137 $expect_uri[14] = 'http:/this/is/path'; // do not munge scheme off
138
139 // scheme munging is not being tested yet, it's an extra feature
140
141 // "path-rootless" - this should not be used but is allowed
142 $uri[15] = 'http:this/is/path';
143 $components[15] = array(null, null, null, 'this/is/path', null);
144 //$expect_uri[15] = 'this/is/path'; // munge scheme off
145
146 // "path-empty" - a rather interesting case, remove the scheme
147 $uri[16] = 'http:';
148 $components[16] = array(null, null, null, '', null);
149 //$expect_uri[16] = ''; // munge scheme off
150
151 // test invalid scheme, components shouldn't be passed
152 $uri[17] = 'javascript:alert("moo");';
153 $expect_uri[17] = false;
154
155 // relative URIs - basic case
156 $uri[18] = '/a/b';
157 $components[18] = array(null, null, null, '/a/b', null);
158
159 // result of malformed tag, gracefully handle error
160 $uri[19] = 'http://www.google.com/\'>"';
161 $components[19] = array(null, 'www.google.com', null, '/', null);
162 $expect_uri[19] = 'http://www.google.com/';
163
164 // test empty
165 $uri[20] = '';
166 $components[20] = array(null, null, null, '', null);
167 $expect_uri[20] = '';
168
169 foreach ($uri as $i => $value) {
170
171 // the read in values
172 $this->config = isset($config[$i]) ? $config[$i] : HTMLPurifier_Config::createDefault();
173 $this->context = isset($context[$i]) ? $context[$i] : new HTMLPurifier_Context();
174
175 // setUpAssertDef
176 if ( isset($components[$i]) ) {
177 $this->components = $components[$i];
178 } else {
179 $this->components = false;
180 }
181 if ( isset($return_components[$i]) ) {
182 $this->return_components = $return_components[$i];
183 } else {
184 $this->return_components = $this->components;
185 }
186
187 // parameters
188 if (!isset($expect_uri[$i])) {
189 $expect_uri[$i] = $value; // untouched
190 }
191
192 $this->assertDef($value, $expect_uri[$i], true, "Test $i: %s");
193
194 }
195
196 // reset to regular implementation
197 HTMLPurifier_URISchemeRegistry::instance($old_registry);
198
199 }
200
201 function setUpAssertDef() {
202 // $fake_registry isn't the real mock, because due to PHP 4 weirdness
203 // I cannot set a default value to function parameters that are passed
204 // by reference. So we use the value instance() returns.
205 $fake_registry = new HTMLPurifier_URISchemeRegistryMock($this);
206 $registry =& HTMLPurifier_URISchemeRegistry::instance($fake_registry);
207
208 // now, let's add a pseudo-scheme to the registry
209 $this->scheme = new HTMLPurifier_URISchemeMock($this);
210
211 // here are the schemes we will support with overloaded mocks
212 $registry->setReturnReference('getScheme', $this->scheme, array('http', $this->config, $this->context));
213 $registry->setReturnReference('getScheme', $this->scheme, array('mailto', $this->config, $this->context));
214
215 // default return value is false (meaning no scheme defined: reject)
216 $registry->setReturnValue('getScheme', false, array('*', $this->config, $this->context));
217
218 if ($this->components === false) {
219 $this->scheme->expectNever('validateComponents');
220 } else {
221 $this->components[] = $this->config; // append the configuration
222 $this->components[] =& $this->context; // append context
223 $this->scheme->setReturnValue(
224 'validateComponents', $this->return_components, $this->components);
225 $this->scheme->expectOnce('validateComponents', $this->components);
226 }
227 }
228
229 function tearDownAssertDef() {
230 $this->scheme->tally();
231 }
232
233 function testIntegration() {
234
235 $this->def = new HTMLPurifier_AttrDef_URI();
236
237 $this->assertDef('http://www.google.com/');
238 $this->assertDef('javascript:bad_stuff();', false);
239 $this->assertDef('ftp://www.example.com/');
240 $this->assertDef('news:rec.alt');
241 $this->assertDef('nntp://news.example.com/324234');
242 $this->assertDef('mailto:bob@example.com');
243
244 }
245
246 function testDisableExternal() {
247
248 $this->def = new HTMLPurifier_AttrDef_URI();
249 $this->config->set('URI', 'DisableExternal', true);
250
251 $this->assertDef('/foobar.txt');
252 $this->assertDef('http://google.com/', false);
253 $this->assertDef('http://sub.example.com/alas?foo=asd', false);
254
255 $this->config->set('URI', 'Host', 'sub.example.com');
256
257 $this->assertDef('http://sub.example.com/alas?foo=asd');
258 $this->assertDef('http://example.com/teehee', false);
259 $this->assertDef('http://www.example.com/#man', false);
260 $this->assertDef('http://go.sub.example.com/perhaps?p=foo');
261
262 }
263
264 function testEmbeds() {
265
266 // embedded URI
267 $this->def = new HTMLPurifier_AttrDef_URI(true);
268
269 $this->assertDef('http://sub.example.com/alas?foo=asd');
270 $this->assertDef('mailto:foo@example.com', false);
271
272 }
273
274 function testDisableExternalResources() {
275
276 $this->config->set('URI', 'DisableExternalResources', true);
277
278 $this->def = new HTMLPurifier_AttrDef_URI();
279 $this->assertDef('http://sub.example.com/alas?foo=asd');
280 $this->assertDef('/img.png');
281
282 $this->def = new HTMLPurifier_AttrDef_URI(true);
283 $this->assertDef('http://sub.example.com/alas?foo=asd', false);
284 $this->assertDef('/img.png');
285
286 }
287
288 function testMunge() {
289
290 $this->config->set('URI', 'Munge', 'http://www.google.com/url?q=%s');
291 $this->def = new HTMLPurifier_AttrDef_URI();
292
293 $this->assertDef(
294 'http://www.example.com/',
295 'http://www.google.com/url?q=http%3A%2F%2Fwww.example.com%2F'
296 );
297
298 $this->assertDef('index.html');
299 $this->assertDef('javascript:foobar();', false);
300
301 }
302
303 function testBlacklist() {
304
305 $this->config->set('URI', 'HostBlacklist', array('example.com', 'moo'));
306
307 $this->assertDef('foo.txt');
308 $this->assertDef('http://www.google.com/example.com/moo');
309
310 $this->assertDef('http://example.com/#23', false);
311 $this->assertDef('https://sub.domain.example.com/foobar', false);
312 $this->assertDef('http://example.com.example.net/?whoo=foo', false);
313 $this->assertDef('ftp://moo-moo.net/foo/foo/', false);
314
315 }
316
317 function testWhitelist() {
318 /*
319 $this->config->set('URI', 'HostPolicy', 'DenyAll');
320 $this->config->set('URI', 'HostWhitelist', array(null, 'google.com'));
321
322 $this->assertDef('http://example.com/fo/google.com', false);
323 $this->assertDef('server.txt');
324 $this->assertDef('ftp://www.google.com/?t=a');
325 $this->assertDef('http://google.com.tricky.spamsite.net', false);
326 */
327 }
328
329 }
330
331 ?>
Standards-compliant HTML filter written in PHP