tests/HTMLPurifierTest.php

   1 <?php
   2
   3 class HTMLPurifierTest extends HTMLPurifier_Harness
   4 {
   5     protected $purifier;
   6
   7     function testNull() {
   8         $this->assertPurification("Null byte\0", "Null byte");
   9     }
  10
  11     function testStrict() {
  12         $this->config->set('HTML', 'Strict', true);
  13
  14         $this->assertPurification(
  15             '<u>Illegal underline</u>',
  16             '<span style="text-decoration:underline;">Illegal underline</span>'
  17         );
  18
  19         $this->assertPurification(
  20             '<blockquote>Illegal contents</blockquote>',
  21             '<blockquote><p>Illegal contents</p></blockquote>'
  22         );
  23
  24     }
  25
  26     function testDifferentAllowedElements() {
  27
  28         $this->config->set('HTML', 'AllowedElements', array('b', 'i', 'p', 'a'));
  29         $this->config->set('HTML', 'AllowedAttributes', array('a.href', '*.id'));
  30
  31         $this->assertPurification(
  32             '<p>Par.</p><p>Para<a href="http://google.com/">gr</a>aph</p>Text<b>Bol<i>d</i></b>'
  33         );
  34
  35         $this->assertPurification(
  36             '<span>Not allowed</span><a class="mef" id="foobar">Foobar</a>',
  37             'Not allowed<a>Foobar</a>' // no ID!!!
  38         );
  39
  40     }
  41
  42     function testBlacklistElements() {
  43         $this->config->set('HTML', 'ForbiddenElements', array('b'));
  44         $this->config->set('HTML', 'ForbiddenAttributes', array('a@href'));
  45
  46         $this->assertPurification(
  47             '<p>Par.</p>'
  48         );
  49         $this->assertPurification(
  50             '<b>Pa<a href="foo">r</a>.</b>',
  51             'Pa<a>r</a>.'
  52         );
  53
  54     }
  55
  56     function testDifferentAllowedCSSProperties() {
  57
  58         $this->config->set('CSS', 'AllowedProperties', array('color', 'background-color'));
  59
  60         $this->assertPurification(
  61             '<div style="color:#f00;background-color:#ded;">red</div>'
  62         );
  63
  64         $this->assertPurification(
  65             '<div style="color:#f00;border:1px solid #000">red</div>',
  66             '<div style="color:#f00;">red</div>'
  67         );
  68
  69     }
  70
  71     function testDisableURI() {
  72
  73         $this->config->set('URI', 'Disable', true);
  74
  75         $this->assertPurification(
  76             '<img src="foobar"/>',
  77             ''
  78         );
  79
  80     }
  81
  82     function test_purifyArray() {
  83
  84         $this->assertIdentical(
  85             $this->purifier->purifyArray(
  86                 array('Good', '<b>Sketchy', 'foo' => '<script>bad</script>')
  87             ),
  88             array('Good', '<b>Sketchy</b>', 'foo' => '')
  89         );
  90
  91         $this->assertIsA($this->purifier->context, 'array');
  92
  93     }
  94
  95     function testAttrIDDisabledByDefault() {
  96
  97         $this->assertPurification(
  98             '<span id="moon">foobar</span>',
  99             '<span>foobar</span>'
 100         );
 101
 102     }
 103
 104     function testEnableAttrID() {
 105         $this->config->set('Attr', 'EnableID', true);
 106         $this->assertPurification('<span id="moon">foobar</span>');
 107         $this->assertPurification('<img id="folly" src="folly.png" alt="Omigosh!" />');
 108     }
 109
 110     function testScript() {
 111         $this->config->set('HTML', 'Trusted', true);
 112
 113         $ideal = '<script type="text/javascript"><!--//--><![CDATA[//><!--
 114 alert("<This is compatible with XHTML>");
 115 //--><!]]></script>';
 116
 117         $this->assertPurification($ideal);
 118
 119         $this->assertPurification(
 120             '<script type="text/javascript"><![CDATA[
 121 alert("<This is compatible with XHTML>");
 122 ]]></script>',
 123             $ideal
 124         );
 125
 126         $this->assertPurification(
 127             '<script type="text/javascript">alert("<This is compatible with XHTML>");</script>',
 128             $ideal
 129         );
 130
 131         $this->assertPurification(
 132             '<script type="text/javascript"><!--
 133 alert("<This is compatible with XHTML>");
 134 //--></script>',
 135             $ideal
 136         );
 137
 138         $this->assertPurification(
 139             '<script type="text/javascript"><![CDATA[
 140 alert("<This is compatible with XHTML>");
 141 //]]></script>',
 142             $ideal
 143         );
 144     }
 145
 146     function testGetInstance() {
 147         $purifier  = HTMLPurifier::getInstance();
 148         $purifier2 = HTMLPurifier::getInstance();
 149         $this->assertReference($purifier, $purifier2);
 150     }
 151
 152     function testMakeAbsolute() {
 153         $this->config->set('URI', 'Base', 'http://example.com/bar/baz.php');
 154         $this->config->set('URI', 'MakeAbsolute', true);
 155         $this->assertPurification(
 156             '<a href="foo.txt">Foobar</a>',
 157             '<a href="http://example.com/bar/foo.txt">Foobar</a>'
 158         );
 159     }
 160
 161     function test_addFilter_deprecated() {
 162         $this->expectError('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom');
 163         generate_mock_once('HTMLPurifier_Filter');
 164         $this->purifier->addFilter($mock = new HTMLPurifier_FilterMock());
 165         $mock->expectOnce('preFilter');
 166         $mock->expectOnce('postFilter');
 167         $this->purifier->purify('foo');
 168     }
 169
 170     function test_shiftJis() {
 171         if (!function_exists('iconv')) return;
 172         $this->config->set('Core', 'Encoding', 'Shift_JIS');
 173         $this->config->set('Core', 'EscapeNonASCIICharacters', true);
 174         $this->assertPurification(
 175             "<b style=\"font-family:'&#165;';\">111</b>"
 176         );
 177     }
 178
 179     function test_shiftJisWorstCase() {
 180         if (!function_exists('iconv')) return;
 181         $this->config->set('Core', 'Encoding', 'Shift_JIS');
 182         $this->assertPurification( // Notice how Yen disappears
 183             "<b style=\"font-family:'&#165;';\">111</b>",
 184             "<b style=\"font-family:'';\">111</b>"
 185         );
 186     }
 187
 188     function test_secureMunge() {
 189         $this->config->set('URI', 'Munge', '/redirect.php?url=%s&check=%t');
 190         $this->config->set('URI', 'MungeSecretKey', 'foo');
 191         $this->assertPurification(
 192             '<a href="http://localhost">foo</a><img src="http://localhost" alt="local" />',
 193             '<a href="/redirect.php?url=http%3A%2F%2Flocalhost&amp;check=8e8223ae8fac24561104180ea549c21fbd111be7">foo</a><img src="http://localhost" alt="local" />'
 194         );
 195     }
 196
 197     function test_safeObjectAndEmbed() {
 198         $this->config->set('HTML', 'SafeObject', true);
 199         $this->config->set('HTML', 'SafeEmbed', true);
 200         $this->assertPurification(
 201             '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
 202             '<object width="425" height="344" data="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
 203         );
 204     }
 205
 206     function test_safeObjectAndEmbedWithSecureMunge() {
 207         $this->config->set('HTML', 'SafeObject', true);
 208         $this->config->set('HTML', 'SafeEmbed', true);
 209         $this->config->set('URI', 'Munge', '/redirect.php?url=%s&check=%t');
 210         $this->config->set('URI', 'MungeSecretKey', 'foo');
 211         $this->assertPurification(
 212             '<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en"></param><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
 213             '<object width="425" height="344" data="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" /><embed src="http://www.youtube.com/v/Oq3FV_zdyy0&amp;hl=en" type="application/x-shockwave-flash" width="425" height="344" allowscriptaccess="never" allownetworking="internal" /></object>'
 214         );
 215     }
 216
 217     function test_mungeWithExtraParams() {
 218         $this->config->set('URI', 'Munge', '/redirect?s=%s&t=%t&r=%r&n=%n&m=%m&p=%p');
 219         $this->config->set('URI', 'MungeSecretKey', 'foo');
 220         $this->config->set('URI', 'MungeResources', true);
 221         $this->assertPurification(
 222             '<a href="http://example.com">Link</a><img src="http://example.com" style="background-image:url(http://example.com);" alt="example.com" />',
 223             '<a href="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=&amp;n=a&amp;m=href&amp;p=">Link</a>'.
 224             '<img src="/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=1&amp;n=img&amp;m=src&amp;p=" '.
 225             'style="background-image:url(/redirect?s=http%3A%2F%2Fexample.com&amp;t=c15354f3953dfec262c55b1403067e0d045a3059&amp;r=1&amp;n=img&amp;m=style&amp;p=background-image);" alt="example.com" />'
 226         );
 227     }
 228
 229 }
 230