lib/tests/weblib_format_text_test.php

   1 <?php
   2 // This file is part of Moodle - http://moodle.org/
   3 //
   4 // Moodle is free software: you can redistribute it and/or modify
   5 // it under the terms of the GNU General Public License as published by
   6 // the Free Software Foundation, either version 3 of the License, or
   7 // (at your option) any later version.
   8 //
   9 // Moodle is distributed in the hope that it will be useful,
  10 // but WITHOUT ANY WARRANTY; without even the implied warranty of
  11 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  12 // GNU General Public License for more details.
  13 //
  14 // You should have received a copy of the GNU General Public License
  15 // along with Moodle.  If not, see <http://www.gnu.org/licenses/>.
  16
  17 namespace core;
  18
  19 /**
  20  * Unit tests for format_text defined in weblib.php.
  21  *
  22  * @package   core
  23  * @category  test
  24  * @copyright 2015 The Open University
  25  * @license   http://www.gnu.org/copyleft/gpl.html GNU Public License
  26  */
  27 class weblib_format_text_test extends \advanced_testcase {
  28
  29     public function test_format_text_format_html() {
  30         $this->resetAfterTest();
  31         filter_set_global_state('emoticon', TEXTFILTER_ON);
  32         $this->assertMatchesRegularExpression('~^<p><img class="icon emoticon" alt="smile" title="smile" ' .
  33                 'src="https://www.example.com/moodle/theme/image.php/_s/boost/core/1/s/smiley" /></p>$~',
  34                 format_text('<p>:-)</p>', FORMAT_HTML));
  35     }
  36
  37     public function test_format_text_format_html_no_filters() {
  38         $this->resetAfterTest();
  39         filter_set_global_state('emoticon', TEXTFILTER_ON);
  40         $this->assertEquals('<p>:-)</p>',
  41                 format_text('<p>:-)</p>', FORMAT_HTML, array('filter' => false)));
  42     }
  43
  44     public function test_format_text_format_plain() {
  45         // Note FORMAT_PLAIN does not filter ever, no matter we ask for filtering.
  46         $this->resetAfterTest();
  47         filter_set_global_state('emoticon', TEXTFILTER_ON);
  48         $this->assertEquals(':-)',
  49                 format_text(':-)', FORMAT_PLAIN));
  50     }
  51
  52     public function test_format_text_format_plain_no_filters() {
  53         $this->resetAfterTest();
  54         filter_set_global_state('emoticon', TEXTFILTER_ON);
  55         $this->assertEquals(':-)',
  56                 format_text(':-)', FORMAT_PLAIN, array('filter' => false)));
  57     }
  58
  59     public function test_format_text_format_markdown() {
  60         $this->resetAfterTest();
  61         filter_set_global_state('emoticon', TEXTFILTER_ON);
  62         $this->assertMatchesRegularExpression('~^<p><em><img class="icon emoticon" alt="smile" title="smile" ' .
  63                 'src="https://www.example.com/moodle/theme/image.php/_s/boost/core/1/s/smiley" />' .
  64                 '</em></p>\n$~',
  65                 format_text('*:-)*', FORMAT_MARKDOWN));
  66     }
  67
  68     public function test_format_text_format_markdown_nofilter() {
  69         $this->resetAfterTest();
  70         filter_set_global_state('emoticon', TEXTFILTER_ON);
  71         $this->assertEquals("<p><em>:-)</em></p>\n",
  72                 format_text('*:-)*', FORMAT_MARKDOWN, array('filter' => false)));
  73     }
  74
  75     public function test_format_text_format_moodle() {
  76         $this->resetAfterTest();
  77         filter_set_global_state('emoticon', TEXTFILTER_ON);
  78         $this->assertMatchesRegularExpression('~^<div class="text_to_html"><p>' .
  79                 '<img class="icon emoticon" alt="smile" title="smile" ' .
  80                 'src="https://www.example.com/moodle/theme/image.php/_s/boost/core/1/s/smiley" /></p></div>$~',
  81                 format_text('<p>:-)</p>', FORMAT_MOODLE));
  82     }
  83
  84     public function test_format_text_format_moodle_no_filters() {
  85         $this->resetAfterTest();
  86         filter_set_global_state('emoticon', TEXTFILTER_ON);
  87         $this->assertEquals('<div class="text_to_html"><p>:-)</p></div>',
  88                 format_text('<p>:-)</p>', FORMAT_MOODLE, array('filter' => false)));
  89     }
  90
  91     public function test_format_text_overflowdiv() {
  92         $this->assertEquals('<div class="no-overflow"><p>Hello world</p></div>',
  93                 format_text('<p>Hello world</p>', FORMAT_HTML, array('overflowdiv' => true)));
  94     }
  95
  96     /**
  97      * Test adding blank target attribute to links
  98      *
  99      * @dataProvider format_text_blanktarget_testcases
 100      * @param string $link The link to add target="_blank" to
 101      * @param string $expected The expected filter value
 102      */
 103     public function test_format_text_blanktarget($link, $expected) {
 104         $actual = format_text($link, FORMAT_MOODLE, array('blanktarget' => true, 'filter' => false, 'noclean' => true));
 105         $this->assertEquals($expected, $actual);
 106     }
 107
 108     /**
 109      * Data provider for the test_format_text_blanktarget testcase
 110      *
 111      * @return array of testcases
 112      */
 113     public function format_text_blanktarget_testcases() {
 114         return [
 115             'Simple link' => [
 116                 '<a href="https://www.youtube.com/watch?v=JeimE8Wz6e4">Hey, that\'s pretty good!</a>',
 117                 '<div class="text_to_html"><a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" target="_blank"' .
 118                     ' rel="noreferrer">Hey, that\'s pretty good!</a></div>'
 119             ],
 120             'Link with rel' => [
 121                 '<a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" rel="nofollow">Hey, that\'s pretty good!</a>',
 122                 '<div class="text_to_html"><a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" rel="nofollow noreferrer"' .
 123                     ' target="_blank">Hey, that\'s pretty good!</a></div>'
 124             ],
 125             'Link with rel noreferrer' => [
 126                 '<a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" rel="noreferrer">Hey, that\'s pretty good!</a>',
 127                 '<div class="text_to_html"><a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" rel="noreferrer"' .
 128                  ' target="_blank">Hey, that\'s pretty good!</a></div>'
 129             ],
 130             'Link with target' => [
 131                 '<a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" target="_self">Hey, that\'s pretty good!</a>',
 132                 '<div class="text_to_html"><a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" target="_self">' .
 133                     'Hey, that\'s pretty good!</a></div>'
 134             ],
 135             'Link with target blank' => [
 136                 '<a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" target="_blank">Hey, that\'s pretty good!</a>',
 137                 '<div class="text_to_html"><a href="https://www.youtube.com/watch?v=JeimE8Wz6e4" target="_blank"' .
 138                     ' rel="noreferrer">Hey, that\'s pretty good!</a></div>'
 139             ],
 140             'Link with Frank\'s casket inscription' => [
 141                 '<a href="https://en.wikipedia.org/wiki/Franks_Casket">ᚠᛁᛋᚳ᛫ᚠᛚᚩᛞᚢ᛫ᚪᚻᚩᚠᚩᚾᚠᛖᚱᚷ ᛖᚾᛒᛖᚱᛁᚷ ᚹᚪᚱᚦᚷᚪ᛬ᛋᚱᛁᚳᚷᚱᚩᚱᚾᚦᚫᚱᚻᛖᚩᚾᚷᚱᛖᚢᛏᚷᛁᛋᚹᚩᛗ ᚻ' .
 142                     'ᚱᚩᚾᚫᛋᛒᚪᚾ ᛗᚫᚷᛁᚠᛁᛋᚳ᛫ᚠᛚᚩᛞᚢ᛫ᚪᚻᚩᚠᚩᚾᚠᛖᚱᚷ ᛖᚾᛒᛖᚱᛁᚷ ᚹᚪᚱᚦᚷᚪ᛬ᛋᚱᛁᚳᚷᚱᚩᚱᚾᚦᚫᚱᚻᛖᚩᚾᚷᚱᛖᚢᛏᚷᛁᛋᚹᚩᛗ ᚻᚱᚩᚾᚫᛋᛒᚪᚾ ᛗᚫᚷᛁ</a>',
 143                 '<div class="text_to_html"><a href="https://en.wikipedia.org/wiki/Franks_Casket" target="_blank" ' .
 144                     'rel="noreferrer">ᚠᛁᛋᚳ᛫ᚠᛚᚩᛞᚢ᛫ᚪᚻᚩᚠᚩᚾᚠᛖᚱᚷ ᛖᚾᛒᛖᚱᛁᚷ ᚹᚪᚱᚦᚷᚪ᛬ᛋᚱᛁᚳᚷᚱᚩᚱᚾᚦᚫᚱᚻᛖᚩᚾᚷᚱᛖᚢᛏᚷᛁᛋᚹᚩᛗ ᚻᚱᚩᚾᚫᛋᛒᚪᚾ ᛗᚫᚷᛁᚠᛁᛋᚳ᛫ᚠᛚᚩᛞᚢ᛫ᚪᚻᚩᚠᚩᚾᚠᛖᚱᚷ ᛖᚾ' .
 145                     'ᛒᛖᚱᛁᚷ ᚹᚪᚱᚦᚷᚪ᛬ᛋᚱᛁᚳᚷᚱᚩᚱᚾᚦᚫᚱᚻᛖᚩᚾᚷᚱᛖᚢᛏᚷᛁᛋᚹᚩᛗ ᚻᚱᚩᚾᚫᛋᛒᚪᚾ ᛗᚫᚷᛁ</a></div>'
 146              ],
 147             'No link' => [
 148                 'Some very boring text written with the Latin script',
 149                 '<div class="text_to_html">Some very boring text written with the Latin script</div>'
 150             ],
 151             'No link with Thror\'s map runes' => [
 152                 'ᛋᛏᚫᚾᛞ ᛒᚣ ᚦᛖ ᚷᚱᛖᚣ ᛋᛏᚩᚾᛖ ᚻᚹᛁᛚᛖ ᚦᛖ ᚦᚱᚢᛋᚻ ᚾᚩᚳᛋ ᚫᚾᛞ ᚦᛖ ᛋᛖᛏᛏᛁᚾᚷ ᛋᚢᚾ ᚹᛁᚦ ᚦᛖ ᛚᚫᛋᛏ ᛚᛁᚷᚻᛏ ᚩᚠ ᛞᚢᚱᛁᚾᛋ ᛞᚫᚣ ᚹᛁᛚᛚ ᛋᚻᛁᚾᛖ ᚢᛈᚩᚾ ᚦᛖ ᚳᛖᚣᚻᚩᛚᛖ',
 153                 '<div class="text_to_html">ᛋᛏᚫᚾᛞ ᛒᚣ ᚦᛖ ᚷᚱᛖᚣ ᛋᛏᚩᚾᛖ ᚻᚹᛁᛚᛖ ᚦᛖ ᚦᚱᚢᛋᚻ ᚾᚩᚳᛋ ᚫᚾᛞ ᚦᛖ ᛋᛖᛏᛏᛁᚾᚷ ᛋᚢᚾ ᚹᛁᚦ ᚦᛖ ᛚᚫᛋᛏ ᛚᛁᚷᚻᛏ ᚩᚠ ᛞᚢᚱᛁᚾᛋ ᛞᚫᚣ ᚹ' .
 154                 'ᛁᛚᛚ ᛋᚻᛁᚾᛖ ᚢᛈᚩᚾ ᚦᛖ ᚳᛖᚣᚻᚩᛚᛖ</div>'
 155             ]
 156         ];
 157     }
 158
 159     /**
 160      * Test ability to force cleaning of otherwise non-cleaned content.
 161      *
 162      * @dataProvider format_text_cleaning_testcases
 163      *
 164      * @param string $input Input text
 165      * @param string $nocleaned Expected output of format_text() with noclean=true
 166      * @param string $cleaned Expected output of format_text() with noclean=false
 167      */
 168     public function test_format_text_cleaning($input, $nocleaned, $cleaned) {
 169         global $CFG;
 170         $this->resetAfterTest();
 171
 172         $CFG->forceclean = false;
 173         $actual = format_text($input, FORMAT_HTML, ['filter' => false, 'noclean' => false]);
 174         $this->assertEquals($cleaned, $actual);
 175
 176         $CFG->forceclean = true;
 177         $actual = format_text($input, FORMAT_HTML, ['filter' => false, 'noclean' => false]);
 178         $this->assertEquals($cleaned, $actual);
 179
 180         $CFG->forceclean = false;
 181         $actual = format_text($input, FORMAT_HTML, ['filter' => false, 'noclean' => true]);
 182         $this->assertEquals($nocleaned, $actual);
 183
 184         $CFG->forceclean = true;
 185         $actual = format_text($input, FORMAT_HTML, ['filter' => false, 'noclean' => true]);
 186         $this->assertEquals($cleaned, $actual);
 187     }
 188
 189     /**
 190      * Data provider for the test_format_text_cleaning testcase
 191      *
 192      * @return array of testcases (string)testcasename => [(string)input, (string)nocleaned, (string)cleaned]
 193      */
 194     public function format_text_cleaning_testcases() {
 195         return [
 196             'JavaScript' => [
 197                 'Hello <script type="text/javascript">alert("XSS");</script> world',
 198                 'Hello <script type="text/javascript">alert("XSS");</script> world',
 199                 'Hello  world',
 200             ],
 201             'Inline frames' => [
 202                 'Let us go phishing! <iframe src="https://1.2.3.4/google.com"></iframe>',
 203                 'Let us go phishing! <iframe src="https://1.2.3.4/google.com"></iframe>',
 204                 'Let us go phishing! ',
 205             ],
 206             'Malformed A tags' => [
 207                 '<a onmouseover="alert(document.cookie)">xxs link</a>',
 208                 '<a onmouseover="alert(document.cookie)">xxs link</a>',
 209                 '<a>xxs link</a>',
 210             ],
 211             'Malformed IMG tags' => [
 212                 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
 213                 '<IMG """><SCRIPT>alert("XSS")</SCRIPT>">',
 214                 '"&gt;',
 215             ],
 216             'On error alert' => [
 217                 '<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>',
 218                 '<IMG SRC=/ onerror="alert(String.fromCharCode(88,83,83))"></img>',
 219                 '<img src="/" alt="" />',
 220             ],
 221             'IMG onerror and javascript alert encode' => [
 222                 '<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000083&#0000083&#0000039&#0000041">',
 223                 '<img src=x onerror="&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000083&#0000083&#0000039&#0000041">',
 224                 '<img src="x" alt="x" />',
 225             ],
 226             'DIV background-image' => [
 227                 '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">',
 228                 '<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">',
 229                 '<div></div>',
 230             ],
 231         ];
 232     }
 233 }