mirror/php-htmlpurifier
1
0
Fork 0
mirror of https://github.com/ezyang/htmlpurifier.git synced 2025-07-31 19:30:21 +02:00
Code Issues Releases Wiki Activity

[3.1.1] Implement SafeObject.

Browse Source 
git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1780 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
Edward Z. Yang
2008-06-10 00:13:44 +00:00
parent 32025a12e1
commit 13eb016e06
13 changed files with 346 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

42
tests/HTMLPurifier/HTMLModule/SafeObjectTest.php Normal file
View File

@@ -0,0 +1,42 @@
<?php
class HTMLPurifier_HTMLModule_SafeObjectTest extends HTMLPurifier_HTMLModuleHarness
{
function setUp() {
parent::setUp();
$this->config->set('HTML', 'DefinitionID', 'HTMLPurifier_HTMLModule_SafeObjectTest');
$def = $this->config->getHTMLDefinition(true);
$def->manager->addModule('SafeObject');
}
function testMinimal() {
$this->assertResult(
'<object></object>',
'<object type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
);
}
function testYouTube() {
// embed is purposely removed
$this->assertResult(
'<object width="425" height="344"><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&hl=en"></param><embed src="http://www.youtube.com/v/RVtEQxH7PWA&hl=en" type="application/x-shockwave-flash" width="425" height="344"></embed></object>',
'<object width="425" height="344" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" /></object>'
);
}
function testMalicious() {
$this->assertResult(
'<object width="9999999" height="9999999"><param name="allowScriptAccess" value="always" /><param name="movie" value="http://example.com/attack.swf" /></object>',
'<object width="1200" height="1200" type="application/x-shockwave-flash"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://example.com/attack.swf" /></object>'
);
}
function testFull() {
$this->assertResult(
'<b><object width="425" height="344" type="application/x-shockwave-flash" data="Foobar"><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="http://www.youtube.com/v/RVtEQxH7PWA&amp;hl=en" /><param name="wmode" value="window" /></object></b>'
);
}
}

86
tests/HTMLPurifier/Injector/SafeObjectTest.php Normal file
View File

@@ -0,0 +1,86 @@
<?php
/**
* This test is kinda weird, because it doesn't test the full safe object
* functionality, just a small section of it. Or maybe it's actually the right
* way.
*/
class HTMLPurifier_Injector_SafeObjectTest extends HTMLPurifier_InjectorHarness
{
function setup() {
parent::setup();
$this->config->set('AutoFormat', 'Custom', array(new HTMLPurifier_Injector_SafeObject()));
$this->config->set('HTML', 'Trusted', true);
}
function testPreserve() {
$this->assertResult(
'<b>asdf</b>'
);
}
function testRemoveStrayParam() {
$this->assertResult(
'<param />',
''
);
}
function testEditObjectParam() {
$this->assertResult(
'<object></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
);
}
function testIgnoreStrayParam() {
$this->assertResult(
'<object><param /></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
);
}
function testIgnoreDuplicates() {
$this->assertResult(
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
);
}
function testIgnoreBogusData() {
$this->assertResult(
'<object><param name="allowScriptAccess" value="always" /><param name="allowNetworking" value="always" /></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
);
}
function testIgnoreInvalidData() {
$this->assertResult(
'<object><param name="foo" value="bar" /></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object>'
);
}
function testKeepValidData() {
$this->assertResult(
'<object><param name="movie" value="bar" /></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><param name="movie" value="bar" /></object>'
);
}
function testNested() {
$this->assertResult(
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><object></object></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></object></object>'
);
}
function testNotActuallyNested() {
$this->assertResult(
'<object><p><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /></p></object>',
'<object><param name="allowScriptAccess" value="never" /><param name="allowNetworking" value="internal" /><p></p></object>'
);
}
}

1
tests/index.php
View File

@@ -26,6 +26,7 @@ define('HTMLPURIFIER_SCHEMA_STRICT', true); // validate schemas
chdir(dirname(__FILE__));
$php = 'php'; // for safety
ini_set('memory_limit', '64M');
require 'common.php';