From 5c5b3a149a928b4c6761a0b9161d383a83677ec7 Mon Sep 17 00:00:00 2001
From: Angie Byron
Date: Sat, 29 Aug 2009 03:55:44 +0000
Subject: [PATCH] #560740 by sun and David_Rothstein: 'Escape all HTML' filter did not escape any HTML. Now that's a problem. (with tests)
---
 modules/filter/filter.module | 7 ++++++
 modules/filter/filter.test | 44 +++++++++++++++++++++++++-----------
 2 files changed, 38 insertions(+), 13 deletions(-)
diff --git a/modules/filter/filter.module b/modules/filter/filter.module
index af0bb31f795..cfdaa5a77d9 100644
--- a/modules/filter/filter.module
+++ b/modules/filter/filter.module
@@ -992,6 +992,13 @@ function _filter_autop($text) {
 return $output;
 }
+/**
+ * Escapes all HTML tags, so they will be visible instead of being effective.
+ */
+function _filter_html_escape($text) {
+ return trim(check_plain($text));
+}
+
 /**
 * @} End of "Standard filters".
 */
diff --git a/modules/filter/filter.test b/modules/filter/filter.test
index d807ad4677b..5acfd610fba 100644
--- a/modules/filter/filter.test
+++ b/modules/filter/filter.test
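Review bot: The docblock on `_filter_html_escape()` only says it escapes HTML tags, but the body does two more things a reader of the filter's description would not expect: `trim()` strips leading and trailing whitespace, and for input that is not valid UTF-8 the result is an empty string rather than escaped text (the third assertion of the new `_testEscapedHTML()` helper in filter.test expects exactly that). Consider extending the docblock with `* Leading and trailing whitespace is removed, and input that is not valid UTF-8 yields an empty string (see check_plain()).` Whether the filter machinery passes further arguments to this callback cannot be seen from the hunk; accepting only `$text` is harmless in PHP, but a short comment naming the expected callback signature would help the next maintainer.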
@@ -510,22 +510,16 @@ class FilterUnitTestCase extends DrupalWebTestCase {
 /**
 * Test the HTML escaping filter.
- *
- * Here we test only whether check_plain() does what it should.
 */
 function testNoHtmlFilter() {
- // Test that characters that have special meaning in XML are changed into
- // entities.
- $f = check_plain('<>&"');
- $this->assertEqual($f, '<>&"', t('No HTML filter basic test.'));
+ $this->_testEscapedHTML('_filter_html_escape');
+ }
- // A single quote can also be used for evil things in some contexts.
- $f = check_plain('\'');
- $this->assertEqual($f, ''', t('No HTML filter -- single quote.'));
-
- // Test that the filter is not fooled by different evasion techniques.
- $f = check_plain("\xc2\"");
- $this->assertEqual($f, '', t('No HTML filter -- invalid UTF-8.'));
+ /**
+ * Test that the check_plain() function escapes HTML correctly.
+ */
+ function testCheckPlain() {
+ $this->_testEscapedHTML('check_plain');
 }
 /**
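Review bot: `testNoHtmlFilter()` now calls `_filter_html_escape()` directly, so it verifies the escaping function itself but not the path the commit message says was broken — the 'Escape all HTML' filter leaving HTML intact when applied through a text format. If the original defect was in how the filter was wired up rather than in the escaping, a regression test that pushes a string through the format pipeline (presumably `check_markup()` here) with that filter enabled would catch a recurrence; this direct call would not. The docblock `Test the HTML escaping filter.` is kept unchanged, but it now describes a call to the callback rather than a run of the filter, so a one-line note to that effect would avoid misleading readers. The class continues outside the hunk.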
@@ -744,6 +738,30 @@ class FilterUnitTestCase extends DrupalWebTestCase {
 function assertNoNormalized($haystack, $needle, $message = '', $group = 'Other') {
 return $this->assertTrue(strpos(strtolower(decode_entities($haystack)), $needle) === FALSE, $message, $group);
 }
+
+ /**
+ * Helper method to test functions that are intended to escape HTML.
+ *
+ * @param $function
+ * The name of the function to test.
+ */
+ function _testEscapedHTML($function) {
+ // Define string replacements for the assertion messages.
+ $replacements = array('@function' => $function);
+
+ // Test that characters that have special meaning in XML are changed into
+ // entities.
+ $f = $function('<>&"');
+ $this->assertEqual($f, '<>&"', t('The @function() function correctly filters basic HTML entities.', $replacements));
+
+ // A single quote can also be used for evil things in some contexts.
+ $f = $function('\'');
+ $this->assertEqual($f, ''', t('The @function() function correctly filters single quotes.', $replacements));
+
+ // Test that the filter is not fooled by different evasion techniques.
+ $f = $function("\xc2\"");
+ $this->assertEqual($f, '', t('The @function() function correctly filters invalid UTF-8.', $replacements));
+ }
 }
 /**
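Review bot: As rendered here, the expected values in `_testEscapedHTML()` read as the raw inputs (`'<>&"'` and `'''`), which is what a non-escaping function would return; a correct escaper yields `&lt;&gt;&amp;&quot;` and `&#039;` for those two inputs, so if the checked-in file literally contains what is shown the first two assertions would fail against both functions under test. More likely the entity references were decoded when this page was rendered, but that is worth confirming in the committed file, since a test whose expectation equals its input cannot detect the very bug this commit fixes. Two documentation points: the leading underscore in `_testEscapedHTML` presumably keeps the test runner from treating it as a test case, which deserves a sentence in the docblock (`* Not prefixed with "test" so the runner does not execute it on its own.`), and `@param $function` could state that it names a function taking one string and returning the escaped string. `assertNoNormalized()` starts outside the hunk.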