\" style=\"background-image: url(javascript:alert(0));\"\xe0

", array('p')); $this->assertNoNormalized($f, 'style', t('HTML filter -- invalid UTF-8.')); $f = filter_xss("\xc0aaa"); $this->assertEqual($f, '', t('HTML filter -- overlong UTF-8 sequences.')); $f = filter_xss("Who's Online"); $this->assertNormalized($f, "who's online", t('HTML filter -- html entity number')); $f = filter_xss("Who's Online"); $this->assertNormalized($f, "who's online", t('HTML filter -- encoded html entity number')); $f = filter_xss("Who' Online"); $this->assertNormalized($f, "who' online", t('HTML filter -- double encoded html entity number')); } /** * Test filter settings, defaults, access restrictions and similar. * * @todo This is for functions like filter_filter and check_markup, whose * functionality is not completely focused on filtering. Some ideas: * restricting formats according to user permissions, proper cache * handling, defaults -- allowed tags/attributes/protocols. * * @todo It is possible to add script, iframe etc. to allowed tags, but this * makes HTML filter completely ineffective. * * @todo Class, id, name and xmlns should be added to disallowed attributes, * or better a whitelist approach should be used for that too. */ function testFilter() { // Check that access restriction really works. // HTML filter is not able to secure some tags, these should never be // allowed. $f = filter_filter('process', 0, 'no_such_format', '', 'f'); $this->assertEqual($f, '', t('Converting URLs -- do not process scripts.')); // Addresses in attributes should not be converted. $f = _filter_url('

', 'f'); $this->assertEqual($f, '

', t('Converting URLs -- do not convert addresses in attributes.')); $f = _filter_url('text', 'f'); $this->assertEqual($f, 'text', t('Converting URLs -- do not break existing links with custom title attribute.')); // Even though a dot at the end of a URL can indicate a fully qualified // domain name, such usage is rare compared to using a link at the end // of a sentence, so remove the dot from the link. // @todo It can also be used at the end of a filename or a query string. $f = _filter_url('www.example.com.', 'f'); $this->assertEqual($f, 'www.example.com.', t('Converting URLs -- do not recognize a dot at the end of a domain name (FQDNs).')); $f = _filter_url('http://www.example.com.', 'f'); $this->assertEqual($f, 'http://www.example.com.', t('Converting URLs -- do not recognize a dot at the end of an URL (FQDNs).')); $f = _filter_url('www.example.com/index.php?a=.', 'f'); $this->assertEqual($f, 'www.example.com/index.php?a=.', t('Converting URLs -- do forget about a dot at the end of a query string.')); } /** * Test the HTML corrector. * * @todo This test could really use some validity checking function. */ function testHtmlCorrector() { // Tag closing. $f = _filter_htmlcorrector('

text'); $this->assertEqual($f, '

text

text

text'); $this->assertEqual($f, '

text

text

• e1
• e2"); $this->assertEqual($f, "
  • e1
  • e2
  ", t('HTML corrector -- unclosed list tags.')); $f = _filter_htmlcorrector('
  content'); $this->assertEqual($f, '

  content

  ', t('HTML corrector -- unclosed tag with attribute.')); // XHTML slash for empty elements. $f = _filter_htmlcorrector('

  ---

  
  '); $this->assertEqual($f, '

  ---

  
  ', t('HTML corrector -- XHTML closing slash.')); } function createFormat($filter) { $edit = array( 'name' => $this->randomName(), 'roles[2]' => TRUE, 'filters[filter/' . $filter . ']' => TRUE, ); $this->drupalPost('admin/settings/filter/add', $edit, t('Save configuration')); return db_query("SELECT * FROM {filter_format} WHERE name = :name", array(':name' => $edit['name']))->fetchObject(); } function deleteFormat($format) { if ($format !== NULL) { $this->drupalPost('admin/settings/formats/delete/' . $format->format, array(), t('Delete')); } } /** * Asserts that a text transformed to lowercase with HTML entities decoded does contains a given string. * * Otherwise fails the test with a given message, similar to all the * SimpleTest assert* functions. * * Note that this does not remove nulls, new lines and other characters that * could be used to obscure a tag or an attribute name. * * @param $haystack * Text to look in. * @param $needle * Lowercase, plain text to look for. * @param $message * Message to display if failed. * @param $group * The group this message belongs to, defaults to 'Other'. * @return * TRUE on pass, FALSE on fail. */ function assertNormalized($haystack, $needle, $message = '', $group = 'Other') { return $this->assertTrue(strpos(strtolower(decode_entities($haystack)), $needle) !== FALSE, $message, $group); } /** * Asserts that text transformed to lowercase with HTML entities decoded does not contain a given string. * * Otherwise fails the test with a given message, similar to all the * SimpleTest assert* functions. * * Note that this does not remove nulls, new lines, and other character that * could be used to obscure a tag or an attribute name. * * @param $haystack * Text to look in. * @param $needle * Lowercase, plain text to look for. * @param $message * Message to display if failed. * @param $group * The group this message belongs to, defaults to 'Other'. * @return * TRUE on pass, FALSE on fail. */ function assertNoNormalized($haystack, $needle, $message = '', $group = 'Other') { return $this->assertTrue(strpos(strtolower(decode_entities($haystack)), $needle) === FALSE, $message, $group); } }