<?php
// This file is part of Moodle - http://moodle.org/
//
// Moodle is free software: you can redistribute it and/or modify
// it under the terms of the GNU General Public License as published by
// the Free Software Foundation, either version 3 of the License, or
// (at your option) any later version.
//
// Moodle is distributed in the hope that it will be useful,
// but WITHOUT ANY WARRANTY; without even the implied warranty of
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
// GNU General Public License for more details.
//
// You should have received a copy of the GNU General Public License
// along with Moodle.  If not, see <http://www.gnu.org/licenses/>.

/**
 * Unit tests for the HTMLPurifier integration
 *
 * @package    core
 * @category   phpunit
 * @copyright  2012 Petr Skoda {@link http://skodak.org}
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */

defined('MOODLE_INTERNAL') || die();


/**
 * HTMLPurifier test case
 *
 * Each test feeds markup through purify_html() / format_text() and checks
 * that Moodle-specific tags survive while script-bearing constructs,
 * unknown link schemes and disallowed attributes are removed.
 *
 * @package    core
 * @category   phpunit
 * @copyright  2012 Petr Skoda {@link http://skodak.org}
 * @license    http://www.gnu.org/copyleft/gpl.html GNU GPL v3 or later
 */
class core_htmlpurifier_testcase extends basic_testcase {

    /**
     * Verify target="_blank" is kept on anchors while any other target
     * value is dropped from the tag.
     */
    public function test_allow_blank_target() {
        $blank = '<a href="http://moodle.org" target="_blank">Some link</a>';
        $this->assertSame($blank, format_text($blank, FORMAT_HTML));

        $other = '<a href="http://moodle.org" target="some">Some link</a>';
        $this->assertSame('<a href="http://moodle.org">Some link</a>', format_text($other, FORMAT_HTML));
    }

    /**
     * Verify the Moodle-specific <nolink> wrapper is accepted unchanged.
     *
     * purify_html() is called directly because format_text() would run the
     * nolink filter and alter the result.
     */
    public function test_nolink() {
        $samples = array(
            '<nolink><div>no filters</div></nolink>',
            '<nolink>xxx<em>xx</em><div>xxx</div></nolink>',
        );
        foreach ($samples as $html) {
            $this->assertSame($html, purify_html($html, array()));
        }
    }

    /**
     * Verify the Moodle-specific <tex> tag is accepted unchanged.
     */
    public function test_tex() {
        $html = '<tex>a+b=c</tex>';
        $this->assertSame($html, purify_html($html, array()));
    }

    /**
     * Verify the Moodle-specific <algebra> tag is accepted unchanged.
     */
    public function test_algebra() {
        $html = '<algebra>a+b=c</algebra>';
        $this->assertSame($html, purify_html($html, array()));
    }

    /**
     * Verify the multilang markup (<lang> tags and spans with the multilang
     * class) is preserved, and that a bare lang attribute on a span is not
     * passed through verbatim.
     */
    public function test_multilang() {
        $preserved = array(
            '<lang lang="en">hmmm</lang><lang lang="anything">hm</lang>',
            '<span lang="en" class="multilang">hmmm</span><span lang="anything" class="multilang">hm</span>',
        );
        foreach ($preserved as $html) {
            $this->assertSame($html, purify_html($html, array()));
        }

        // Without the multilang class the span does not come back as-is.
        $plain = '<span lang="en">hmmm</span>';
        $this->assertNotSame($plain, purify_html($plain, array()));

        // Keep standard lang tags.
        $standard = array(
            '<span lang="de_DU" class="multilang">asas</span>',
            '<lang lang="de_DU">xxxxxx</lang>',
        );
        foreach ($standard as $html) {
            $this->assertSame($html, purify_html($html, array()));
        }
    }

    /**
     * Tests the 'allowid' option for format_text: ids are stripped by
     * default and only kept after an explicit opt-in.
     */
    public function test_format_text_allowid() {
        $withid = '<div id="example">Frog</div>';

        // Default behaviour: the id attribute is removed.
        $options = array(
            'nocache' => true
        );
        $this->assertSame('<div>Frog</div>', format_text($withid, FORMAT_HTML, $options));

        // Opt in: the id attribute survives.
        $options['allowid'] = true;
        $this->assertSame($withid, format_text($withid, FORMAT_HTML, $options));
    }

    /**
     * Verify <object>/<embed> markup is removed while $CFG->allowobjectembed
     * is '0', and that when it is '1' the purifier keeps the element but
     * injects restrictive allowScriptAccess/allowNetworking parameters.
     *
     * NOTE(review): this test mutates the global $CFG->allowobjectembed and
     * restores it only as its last statement, so a failing assertion in the
     * middle leaves the setting at '1' for whatever runs next.
     */
    public function test_allowobjectembed() {
        global $CFG;

        $this->assertSame('0', $CFG->allowobjectembed);

        $input = '<object width="425" height="350">
<param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" />
<param name="wmode" value="transparent" />
<embed src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350" />
</object>hmmm';

        $hardened = '<object width="425" height="350" data="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash">
<param name="allowScriptAccess" value="never" />
<param name="allowNetworking" value="internal" />
<param name="movie" value="http://www.youtube.com/v/AyPzM5WK8ys" />
<param name="wmode" value="transparent" />
<embed src="http://www.youtube.com/v/AyPzM5WK8ys" type="application/x-shockwave-flash" wmode="transparent" width="425" height="350" allowscriptaccess="never" allownetworking="internal" />
</object>hmmm';

        // Disabled (default): the whole object is dropped, trailing text stays.
        $this->assertSame('hmmm', trim(purify_html($input, array())));

        // Enabled: the object is kept but with the restrictive params added.
        $CFG->allowobjectembed = '1';
        $purified = purify_html($input, array());
        $this->assertSame(str_replace("\n", '', $hardened), str_replace("\n", '', $purified));

        // Disabled again: back to stripping the object.
        $CFG->allowobjectembed = '0';
        $this->assertSame('hmmm', trim(purify_html($input, array())));
    }

    /**
     * Test that line breaks (\n and \r) pass through unchanged.
     */
    public function test_line_breaking() {
        $raw = "\n\raa\rsss\nsss\r";
        $this->assertSame($raw, purify_html($raw));
    }

    /**
     * Test fixing of strict problems: unclosed tags are closed, tag names
     * are lower-cased and void elements become self-closing.
     */
    public function test_tidy() {
        $cases = array(
            array("<p>xx", '<p>xx</p>'),
            array("<P>xx</P>", '<p>xx</p>'),
            array("xx<br>", 'xx<br />'),
        );
        foreach ($cases as $case) {
            list($input, $expected) = $case;
            $this->assertSame($expected, purify_html($input));
        }
    }

    /**
     * Test nesting - this used to cause problems in earlier versions.
     */
    public function test_nested_lists() {
        $nested = "<ul><li>One<ul><li>Two</li></ul></li><li>Three</li></ul>";
        $this->assertSame($nested, purify_html($nested));
    }

    /**
     * Test that XSS protection works, complete smoke tests are in htmlpurifier itself.
     *
     * Script tags, javascript: URLs in styles and iframes, CSS expressions,
     * scriptlet objects, embeds with script access and forms must all be
     * removed; only the surrounding text (or an emptied element) remains.
     */
    public function test_cleaning_nastiness() {
        $cases = array(
            "x<SCRIPT>alert('XSS')</SCRIPT>x" => 'xx',
            '<DIV STYLE="background-image:url(javascript:alert(\'XSS\'))">xx</DIV>' => '<div>xx</div>',
            '<DIV STYLE="width:expression(alert(\'XSS\'));">xx</DIV>' => '<div>xx</div>',
            'x<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>x' => 'xx',
            'x<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>x' => 'xx',
            'x<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>x' => 'xx',
            'x<form></form>x' => 'xx',
        );
        foreach ($cases as $input => $expected) {
            $this->assertSame($expected, purify_html($input));
        }
    }

    /**
     * Test internal function used for clean_text() speedup.
     *
     * The fast path may only report "not necessary" for text that the full
     * purifier would return unchanged, so every shortcut case is also run
     * through purify_html() to prove it is an identity there.
     */
    public function test_is_purify_html_necessary() {
        // First our shortcuts.
        $shortcuts = array(
            "",
            "666",
            "abc\ndef \" ' ",
            "abc\n<p>def</p>efg<p>hij</p>",
            "<br />abc\n<p>def<em>efg</em><strong>hi<br />j</strong></p>",
        );
        foreach ($shortcuts as $safe) {
            $this->assertFalse(is_purify_html_necessary($safe));
            $this->assertSame($safe, purify_html($safe));
        }

        // Now failures.
        $needspurify = array(
            " ",
            "Gin & Tonic",
            "Gin > Tonic",
            "Gin < Tonic",
            "<div>abc</div>",
            "<span>abc</span>",
            "<br>abc",
            "<p class='xxx'>abc</p>",
            "<p>abc<em></p></em>",
            "<p>abc",
        );
        foreach ($needspurify as $unsafe) {
            $this->assertTrue(is_purify_html_necessary($unsafe));
        }
    }

    /**
     * Verify the URI scheme allowlist: standard and Moodle-specific schemes
     * are kept on href, while javascript: and unknown schemes lose the href
     * attribute entirely.
     */
    public function test_allowed_schemes() {
        // First standard schemas.
        $allowed = array(
            '<a href="http://www.example.com/course/view.php?id=5">link</a>',
            '<a href="https://www.example.com/course/view.php?id=5">link</a>',
            '<a href="ftp://[email protected]/some/file.txt">link</a>',
            '<a href="nntp://example.com/group/123">link</a>',
            '<a href="news:groupname">link</a>',
            '<a href="mailto:[email protected]">link</a>',
            // Extra schemes allowed in moodle.
            '<a href="irc://irc.example.com/3213?pass">link</a>',
            '<a href="rtsp://www.example.com/movie.mov">link</a>',
            '<a href="rtmp://www.example.com/video.f4v">link</a>',
            '<a href="teamspeak://speak.example.com/?par=val?par2=val2">link</a>',
            '<a href="gopher://gopher.example.com/resource">link</a>',
            '<a href="mms://www.example.com/movie.mms">link</a>',
        );
        foreach ($allowed as $html) {
            $this->assertSame($html, purify_html($html));
        }

        // Now some borked or dangerous schemes.
        $rejected = array(
            '<a href="javascript://www.example.com">link</a>',
            '<a href="hmmm://www.example.com">link</a>',
        );
        foreach ($rejected as $html) {
            $this->assertSame('<a>link</a>', purify_html($html));
        }
    }
}