mirror of
https://github.com/ezyang/htmlpurifier.git
synced 2025-01-17 05:58:15 +01:00
[3.1.0] Implement tag@attr for Allowed and Forbidden
- Fix (or null) bug in configdoc git-svn-id: http://htmlpurifier.org/svnroot/htmlpurifier/trunk@1695 48356398-32a2-884e-a903-53898d9a118a
This commit is contained in:
parent
1f8619cda5
commit
84aa2ca390
8
NEWS
8
NEWS
@ -23,6 +23,10 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
||||
+ HTMLPurifier_HTMLModule->addBlankElement()
|
||||
+ HTMLPurifier_LanguageFactory::instance()
|
||||
# Printer_ConfigForm's get*() functions were static-ified
|
||||
# %HTML.ForbiddenAttributes requires attribute declarations to be in the
|
||||
form of tag@attr, NOT tag.attr (which will throw an error and won't do
|
||||
anything). This is for forwards compatibility with XML; you'd do best
|
||||
to migrate an %HTML.AllowedAttributes directives to this syntax too.
|
||||
! Allow index to be false for config from form creation
|
||||
! Added HTMLPurifier::VERSION constant
|
||||
- InterchangeBuilder now alphabetizes its lists
|
||||
@ -33,10 +37,14 @@ NEWS ( CHANGELOG and HISTORY ) HTMLPurifier
|
||||
- HTMLPurifier::instance() created for consistency, is equivalent to getInstance()
|
||||
- Fixed and revamped broken ConfigForm smoketest
|
||||
- Bug with bool/null fields in Printer_ConfigForm fixed
|
||||
- Improved error messages for allowed and forbidden HTML elements and attributes
|
||||
- Missing (or null) in configdoc documentation restored
|
||||
. Out-of-date documentation revised
|
||||
. UTF-8 encoding check optimization as suggested by Diego
|
||||
. HTMLPurifier_Error removed in favor of exceptions
|
||||
. More copy() function removed; should use clone instead
|
||||
. More extensive unit tests for HTMLDefinition
|
||||
. assertPurification moved to central harness
|
||||
|
||||
3.1.0rc1, released 2008-04-22
|
||||
# Autoload support added. Internal require_once's removed in favor of an
|
||||
|
2
TODO
2
TODO
@ -52,6 +52,8 @@ FUTURE VERSIONS
|
||||
Also, enable disabling of directionality
|
||||
|
||||
5.0 release [To XML and Beyond]
|
||||
- AllowedAttributes and ForbiddenAttributes step on the toes of XML by
|
||||
using periods; this needs to be changed.
|
||||
- Extended HTML capabilities based on namespacing and tag transforms (COMPLEX)
|
||||
- Hooks for adding custom processors to custom namespaced tags and
|
||||
attributes, offer default implementation
|
||||
|
@ -131,12 +131,12 @@
|
||||
</directive>
|
||||
<directive id="HTML.ForbiddenElements">
|
||||
<file name="HTMLPurifier/HTMLDefinition.php">
|
||||
<line>303</line>
|
||||
<line>326</line>
|
||||
</file>
|
||||
</directive>
|
||||
<directive id="HTML.ForbiddenAttributes">
|
||||
<file name="HTMLPurifier/HTMLDefinition.php">
|
||||
<line>304</line>
|
||||
<line>327</line>
|
||||
</file>
|
||||
</directive>
|
||||
<directive id="HTML.Trusted">
|
||||
|
@ -71,8 +71,10 @@ class HTMLPurifier_ConfigSchema_Builder_Xml extends XMLWriter
|
||||
|
||||
$this->startElement('constraints');
|
||||
if ($directive->version) $this->writeElement('version', $directive->version);
|
||||
$this->writeElement('type', $directive->type);
|
||||
$this->startElement('type');
|
||||
if ($directive->typeAllowsNull) $this->writeAttribute('allow-null', 'yes');
|
||||
$this->text($directive->type);
|
||||
$this->endElement(); // type
|
||||
if ($directive->allowed) {
|
||||
$this->startElement('allowed');
|
||||
foreach ($directive->allowed as $value => $x) $this->writeElement('value', $value);
|
||||
|
@ -4,7 +4,17 @@ VERSION: 3.1.0
|
||||
DEFAULT: array()
|
||||
--DESCRIPTION--
|
||||
<p>
|
||||
This directive complements %HTML.ForbiddenElements and is the inverse of
|
||||
%HTML.AllowedAttributes. Please see the former for a discussion of why you
|
||||
While this directive is similar to %HTML.AllowedAttributes, for
|
||||
forwards-compatibility with XML, this attribute has a different syntax. Instead of
|
||||
<code>tag.attr</code>, use <code>tag@attr</code>. To disallow <code>href</code>
|
||||
attributes in <code>a</code> tags, set this directive to
|
||||
<code>a@href</code>. You can also disallow an attribute globally with
|
||||
<code>attr</code> or <code>*@attr</code> (either syntax is fine; the latter
|
||||
is provided for consistency with %HTML.AllowedAttributes).
|
||||
</p>
|
||||
<p>
|
||||
<strong>Warning:</strong> This directive complements %HTML.ForbiddenElements,
|
||||
accordingly, check
|
||||
out that directive for a discussion of why you
|
||||
should think twice before using this directive.
|
||||
</p>
|
||||
|
@ -233,10 +233,10 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
|
||||
$support = "(for information on implementing this, see the ".
|
||||
"support forums) ";
|
||||
|
||||
// setup allowed elements
|
||||
// setup allowed elements -----------------------------------------
|
||||
|
||||
$allowed_elements = $config->get('HTML', 'AllowedElements');
|
||||
$allowed_attributes = $config->get('HTML', 'AllowedAttributes');
|
||||
$allowed_attributes = $config->get('HTML', 'AllowedAttributes'); // retrieve early
|
||||
|
||||
if (!is_array($allowed_elements) && !is_array($allowed_attributes)) {
|
||||
$allowed = $config->get('HTML', 'Allowed');
|
||||
@ -252,54 +252,79 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
|
||||
}
|
||||
// emit errors
|
||||
foreach ($allowed_elements as $element => $d) {
|
||||
// :TODO: Is this htmlspecialchars() call really necessary?
|
||||
$element = htmlspecialchars($element);
|
||||
$element = htmlspecialchars($element); // PHP doesn't escape errors, be careful!
|
||||
trigger_error("Element '$element' is not supported $support", E_USER_WARNING);
|
||||
}
|
||||
}
|
||||
|
||||
// setup allowed attributes ---------------------------------------
|
||||
|
||||
$allowed_attributes_mutable = $allowed_attributes; // by copy!
|
||||
if (is_array($allowed_attributes)) {
|
||||
foreach ($this->info_global_attr as $attr_key => $info) {
|
||||
if (!isset($allowed_attributes["*.$attr_key"])) {
|
||||
unset($this->info_global_attr[$attr_key]);
|
||||
} elseif (isset($allowed_attributes_mutable["*.$attr_key"])) {
|
||||
unset($allowed_attributes_mutable["*.$attr_key"]);
|
||||
|
||||
// This actually doesn't do anything, since we went away from
|
||||
// global attributes. It's possible that userland code uses
|
||||
// it, but HTMLModuleManager doesn't!
|
||||
foreach ($this->info_global_attr as $attr => $x) {
|
||||
$keys = array($attr, "*@$attr", "*.$attr");
|
||||
$delete = true;
|
||||
foreach ($keys as $key) {
|
||||
if ($delete && isset($allowed_attributes[$key])) {
|
||||
$delete = false;
|
||||
}
|
||||
if (isset($allowed_attributes_mutable[$key])) {
|
||||
unset($allowed_attributes_mutable[$key]);
|
||||
}
|
||||
}
|
||||
if ($delete) unset($this->info_global_attr[$attr]);
|
||||
}
|
||||
|
||||
foreach ($this->info as $tag => $info) {
|
||||
foreach ($info->attr as $attr => $attr_info) {
|
||||
if (!isset($allowed_attributes["$tag.$attr"]) &&
|
||||
!isset($allowed_attributes["*.$attr"])) {
|
||||
unset($this->info[$tag]->attr[$attr]);
|
||||
} else {
|
||||
if (isset($allowed_attributes_mutable["$tag.$attr"])) {
|
||||
unset($allowed_attributes_mutable["$tag.$attr"]);
|
||||
} elseif (isset($allowed_attributes_mutable["*.$attr"])) {
|
||||
unset($allowed_attributes_mutable["*.$attr"]);
|
||||
foreach ($info->attr as $attr => $x) {
|
||||
$keys = array("$tag@$attr", $attr, "*@$attr", "$tag.$attr", "*.$attr");
|
||||
$delete = true;
|
||||
foreach ($keys as $key) {
|
||||
if ($delete && isset($allowed_attributes[$key])) {
|
||||
$delete = false;
|
||||
}
|
||||
if (isset($allowed_attributes_mutable[$key])) {
|
||||
unset($allowed_attributes_mutable[$key]);
|
||||
}
|
||||
}
|
||||
if ($delete) unset($this->info[$tag]->attr[$attr]);
|
||||
}
|
||||
}
|
||||
// emit errors
|
||||
foreach ($allowed_attributes_mutable as $elattr => $d) {
|
||||
list($element, $attribute) = explode('.', $elattr);
|
||||
// :TODO: Is this htmlspecialchars() call really necessary?
|
||||
$element = htmlspecialchars($element);
|
||||
$attribute = htmlspecialchars($attribute);
|
||||
if ($element == '*') {
|
||||
trigger_error("Global attribute '$attribute' is not ".
|
||||
"supported in any elements $support",
|
||||
E_USER_WARNING);
|
||||
$bits = preg_split('/[.@]/', $elattr, 2);
|
||||
$c = count($bits);
|
||||
switch ($c) {
|
||||
case 2:
|
||||
if ($bits[0] !== '*') {
|
||||
$element = htmlspecialchars($bits[0]);
|
||||
$attribute = htmlspecialchars($bits[1]);
|
||||
if (!isset($this->info[$element])) {
|
||||
trigger_error("Cannot allow attribute '$attribute' if element '$element' is not allowed/supported $support");
|
||||
} else {
|
||||
trigger_error("Attribute '$attribute' in element '$element' not supported $support",
|
||||
E_USER_WARNING);
|
||||
}
|
||||
break;
|
||||
}
|
||||
// otherwise fall through
|
||||
case 1:
|
||||
$attribute = htmlspecialchars($bits[0]);
|
||||
trigger_error("Global attribute '$attribute' is not ".
|
||||
"supported in any elements $support",
|
||||
E_USER_WARNING);
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
}
|
||||
|
||||
// setup forbidden elements
|
||||
// setup forbidden elements ---------------------------------------
|
||||
|
||||
$forbidden_elements = $config->get('HTML', 'ForbiddenElements');
|
||||
$forbidden_attributes = $config->get('HTML', 'ForbiddenAttributes');
|
||||
|
||||
@ -308,10 +333,18 @@ class HTMLPurifier_HTMLDefinition extends HTMLPurifier_Definition
|
||||
unset($this->info[$tag]);
|
||||
continue;
|
||||
}
|
||||
foreach ($info->attr as $name => $def) {
|
||||
if (isset($forbidden_attributes["$tag.$name"])) {
|
||||
unset($this->info[$tag]->attr[$name]);
|
||||
foreach ($info->attr as $attr => $x) {
|
||||
if (
|
||||
isset($forbidden_attributes["$tag@$attr"]) ||
|
||||
isset($forbidden_attributes["*@$attr"]) ||
|
||||
isset($forbidden_attributes[$attr])
|
||||
) {
|
||||
unset($this->info[$tag]->attr[$attr]);
|
||||
continue;
|
||||
} // this segment might get removed eventually
|
||||
elseif (isset($forbidden_attributes["$tag.$attr"])) {
|
||||
// $tag.$attr are not user supplied, so no worries!
|
||||
trigger_error("Error with $tag.$attr: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead", E_USER_WARNING);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -59,7 +59,7 @@ a[href|title]
|
||||
|
||||
$config1 = HTMLPurifier_Config::create(array(
|
||||
'HTML.AllowedElements' => array('b', 'i', 'p', 'a'),
|
||||
'HTML.AllowedAttributes' => array('a.href', '*.id')
|
||||
'HTML.AllowedAttributes' => array('a@href', '*@id')
|
||||
));
|
||||
|
||||
$config2 = HTMLPurifier_Config::create(array(
|
||||
@ -70,6 +70,150 @@ a[href|title]
|
||||
|
||||
}
|
||||
|
||||
function assertPurification_AllowedElements_p() {
|
||||
$this->assertPurification('<p><b>Jelly</b></p>', '<p>Jelly</p>');
|
||||
}
|
||||
|
||||
function test_AllowedElements() {
|
||||
$this->config->set('HTML', 'AllowedElements', 'p');
|
||||
$this->assertPurification_AllowedElements_p();
|
||||
}
|
||||
|
||||
function test_AllowedElements_multiple() {
|
||||
$this->config->set('HTML', 'AllowedElements', 'p,div');
|
||||
$this->assertPurification('<div><p><b>Jelly</b></p></div>', '<div><p>Jelly</p></div>');
|
||||
}
|
||||
|
||||
function test_AllowedElements_invalidElement() {
|
||||
$this->config->set('Cache', 'DefinitionImpl', null); // Necessary to ensure error is thrown
|
||||
$this->config->set('HTML', 'AllowedElements', 'obviously_invalid,p');
|
||||
$this->expectError(new PatternExpectation("/Element 'obviously_invalid' is not supported/"));
|
||||
$this->assertPurification_AllowedElements_p();
|
||||
}
|
||||
|
||||
function test_AllowedElements_invalidElement_xssAttempt() {
|
||||
$this->config->set('Cache', 'DefinitionImpl', null);
|
||||
$this->config->set('HTML', 'AllowedElements', '<script>,p');
|
||||
$this->expectError(new PatternExpectation("/Element '<script>' is not supported/"));
|
||||
$this->assertPurification_AllowedElements_p();
|
||||
}
|
||||
|
||||
function test_AllowedElements_multipleInvalidElements() {
|
||||
$this->config->set('Cache', 'DefinitionImpl', null);
|
||||
$this->config->set('HTML', 'AllowedElements', 'dr-wiggles,dr-pepper,p');
|
||||
$this->expectError(new PatternExpectation("/Element 'dr-wiggles' is not supported/"));
|
||||
$this->expectError(new PatternExpectation("/Element 'dr-pepper' is not supported/"));
|
||||
$this->assertPurification_AllowedElements_p();
|
||||
}
|
||||
|
||||
function assertPurification_AllowedAttributes_global_style() {
|
||||
$this->assertPurification(
|
||||
'<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />',
|
||||
'<p style="font-weight:bold;">Jelly</p><br style="clear:both;" />');
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_global_preferredSyntax() {
|
||||
$this->config->set('HTML', 'AllowedAttributes', 'style');
|
||||
$this->assertPurification_AllowedAttributes_global_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_global_verboseSyntax() {
|
||||
$this->config->set('HTML', 'AllowedAttributes', '*@style');
|
||||
$this->assertPurification_AllowedAttributes_global_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_global_discouragedSyntax() {
|
||||
// Emit errors eventually
|
||||
$this->config->set('HTML', 'AllowedAttributes', '*.style');
|
||||
$this->assertPurification_AllowedAttributes_global_style();
|
||||
}
|
||||
|
||||
function assertPurification_AllowedAttributes_local_p_style() {
|
||||
$this->assertPurification(
|
||||
'<p style="font-weight:bold;" class="foo">Jelly</p><br style="clear:both;" />',
|
||||
'<p style="font-weight:bold;">Jelly</p><br />');
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_local_preferredSyntax() {
|
||||
$this->config->set('HTML', 'AllowedAttributes', 'p@style');
|
||||
$this->assertPurification_AllowedAttributes_local_p_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_local_discouragedSyntax() {
|
||||
$this->config->set('HTML', 'AllowedAttributes', 'p.style');
|
||||
$this->assertPurification_AllowedAttributes_local_p_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_multiple() {
|
||||
$this->config->set('HTML', 'AllowedAttributes', 'p@style,br@class,title');
|
||||
$this->assertPurification(
|
||||
'<p style="font-weight:bold;" class="foo" title="foo">Jelly</p><br style="clear:both;" class="foo" title="foo" />',
|
||||
'<p style="font-weight:bold;" title="foo">Jelly</p><br class="foo" title="foo" />'
|
||||
);
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_local_invalidAttribute() {
|
||||
$this->config->set('Cache', 'DefinitionImpl', null);
|
||||
$this->config->set('HTML', 'AllowedAttributes', array('p@style', 'p@<foo>'));
|
||||
$this->expectError(new PatternExpectation("/Attribute '<foo>' in element 'p' not supported/"));
|
||||
$this->assertPurification_AllowedAttributes_local_p_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_global_invalidAttribute() {
|
||||
$this->config->set('Cache', 'DefinitionImpl', null);
|
||||
$this->config->set('HTML', 'AllowedAttributes', array('style', '<foo>'));
|
||||
$this->expectError(new PatternExpectation("/Global attribute '<foo>' is not supported in any elements/"));
|
||||
$this->assertPurification_AllowedAttributes_global_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_local_invalidAttributeDueToMissingElement() {
|
||||
$this->config->set('Cache', 'DefinitionImpl', null);
|
||||
$this->config->set('HTML', 'AllowedAttributes', 'p.style,foo.style');
|
||||
$this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/"));
|
||||
$this->assertPurification_AllowedAttributes_local_p_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_duplicate() {
|
||||
$this->config->set('HTML', 'AllowedAttributes', 'p.style,p@style');
|
||||
$this->assertPurification_AllowedAttributes_local_p_style();
|
||||
}
|
||||
|
||||
function test_AllowedAttributes_multipleErrors() {
|
||||
$this->config->set('HTML', 'AllowedAttributes', 'p.style,foo.style,<foo>');
|
||||
$this->expectError(new PatternExpectation("/Cannot allow attribute 'style' if element 'foo' is not allowed\/supported/"));
|
||||
$this->expectError(new PatternExpectation("/Global attribute '<foo>' is not supported in any elements/"));
|
||||
$this->assertPurification_AllowedAttributes_local_p_style();
|
||||
}
|
||||
|
||||
function test_ForbiddenElements() {
|
||||
$this->config->set('HTML', 'ForbiddenElements', 'b');
|
||||
$this->assertPurification('<b>b</b><i>i</i>', 'b<i>i</i>');
|
||||
}
|
||||
|
||||
function test_ForbiddenElements_invalidElement() {
|
||||
$this->config->set('HTML', 'ForbiddenElements', 'obviously_incorrect');
|
||||
// no error!
|
||||
$this->assertPurification('<i>i</i>');
|
||||
}
|
||||
|
||||
function assertPurification_ForbiddenAttributes_b_style() {
|
||||
$this->assertPurification(
|
||||
'<b style="float:left;">b</b><i style="float:left;">i</i>',
|
||||
'<b>b</b><i style="float:left;">i</i>');
|
||||
}
|
||||
|
||||
function test_ForbiddenAttributes() {
|
||||
$this->config->set('HTML', 'ForbiddenAttributes', 'b@style');
|
||||
$this->assertPurification_ForbiddenAttributes_b_style();
|
||||
}
|
||||
|
||||
function test_ForbiddenAttributes_incorrectSyntax() {
|
||||
$this->config->set('Cache', 'DefinitionImpl', null);
|
||||
$this->config->set('HTML', 'ForbiddenAttributes', 'b.style');
|
||||
$this->expectError("Error with b.style: tag.attr syntax not supported for HTML.ForbiddenAttributes; use tag@attr instead");
|
||||
$this->assertPurification('<b style="float:left;">Test</b>');
|
||||
}
|
||||
|
||||
function test_addAttribute() {
|
||||
|
||||
$config = HTMLPurifier_Config::create(array(
|
||||
@ -116,5 +260,7 @@ a[href|title]
|
||||
|
||||
}
|
||||
|
||||
|
||||
|
||||
}
|
||||
|
||||
|
@ -10,15 +10,27 @@ class HTMLPurifier_Harness extends UnitTestCase
|
||||
parent::__construct();
|
||||
}
|
||||
|
||||
protected $config, $context;
|
||||
protected $config, $context, $purifier;
|
||||
|
||||
/**
|
||||
* Generates easily accessible default config/context
|
||||
* Generates easily accessible default config/context, as well as
|
||||
* a convenience purifier for integration testing.
|
||||
*/
|
||||
public function setUp() {
|
||||
list($this->config, $this->context) = $this->createCommon();
|
||||
$this->purifier = new HTMLPurifier();
|
||||
}
|
||||
|
||||
/**
|
||||
* Asserts a purification. Good for integration testing.
|
||||
*/
|
||||
function assertPurification($input, $expect = null) {
|
||||
if ($expect === null) $expect = $input;
|
||||
$result = $this->purifier->purify($input, $this->config);
|
||||
$this->assertIdentical($expect, $result);
|
||||
}
|
||||
|
||||
|
||||
/**
|
||||
* Accepts config and context and prepares them into a valid state
|
||||
* @param &$config Reference to config variable
|
||||
|
@ -4,24 +4,12 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
||||
{
|
||||
protected $purifier;
|
||||
|
||||
function setUp() {
|
||||
$this->purifier = new HTMLPurifier();
|
||||
}
|
||||
|
||||
function assertPurification($input, $expect = null, $config = array()) {
|
||||
if ($expect === null) $expect = $input;
|
||||
$result = $this->purifier->purify($input, $config);
|
||||
$this->assertIdentical($expect, $result);
|
||||
}
|
||||
|
||||
function testNull() {
|
||||
$this->assertPurification("Null byte\0", "Null byte");
|
||||
}
|
||||
|
||||
function testStrict() {
|
||||
$config = HTMLPurifier_Config::createDefault();
|
||||
$config->set('HTML', 'Strict', true);
|
||||
$this->purifier = new HTMLPurifier( $config ); // verbose syntax
|
||||
$this->config->set('HTML', 'Strict', true);
|
||||
|
||||
$this->assertPurification(
|
||||
'<u>Illegal underline</u>',
|
||||
@ -37,10 +25,8 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
||||
|
||||
function testDifferentAllowedElements() {
|
||||
|
||||
$this->purifier = new HTMLPurifier(array(
|
||||
'HTML.AllowedElements' => array('b', 'i', 'p', 'a'),
|
||||
'HTML.AllowedAttributes' => array('a.href', '*.id')
|
||||
));
|
||||
$this->config->set('HTML', 'AllowedElements', array('b', 'i', 'p', 'a'));
|
||||
$this->config->set('HTML', 'AllowedAttributes', array('a.href', '*.id'));
|
||||
|
||||
$this->assertPurification(
|
||||
'<p>Par.</p><p>Para<a href="http://google.com/">gr</a>aph</p>Text<b>Bol<i>d</i></b>'
|
||||
@ -54,10 +40,9 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
||||
}
|
||||
|
||||
function testBlacklistElements() {
|
||||
$this->purifier = new HTMLPurifier(array(
|
||||
'HTML.ForbiddenElements' => array('b'),
|
||||
'HTML.ForbiddenAttributes' => array('a.href')
|
||||
));
|
||||
$this->config->set('HTML', 'ForbiddenElements', array('b'));
|
||||
$this->config->set('HTML', 'ForbiddenAttributes', array('a@href'));
|
||||
|
||||
$this->assertPurification(
|
||||
'<p>Par.</p>'
|
||||
);
|
||||
@ -70,9 +55,7 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
||||
|
||||
function testDifferentAllowedCSSProperties() {
|
||||
|
||||
$this->purifier = new HTMLPurifier(array(
|
||||
'CSS.AllowedProperties' => array('color', 'background-color')
|
||||
));
|
||||
$this->config->set('CSS', 'AllowedProperties', array('color', 'background-color'));
|
||||
|
||||
$this->assertPurification(
|
||||
'<div style="color:#f00;background-color:#ded;">red</div>'
|
||||
@ -87,7 +70,7 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
||||
|
||||
function testDisableURI() {
|
||||
|
||||
$this->purifier = new HTMLPurifier( array('URI.Disable' => true) );
|
||||
$this->config->set('URI', 'Disable', true);
|
||||
|
||||
$this->assertPurification(
|
||||
'<img src="foobar"/>',
|
||||
@ -98,8 +81,6 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
||||
|
||||
function test_purifyArray() {
|
||||
|
||||
$this->purifier = new HTMLPurifier();
|
||||
|
||||
$this->assertIdentical(
|
||||
$this->purifier->purifyArray(
|
||||
array('Good', '<b>Sketchy', 'foo' => '<script>bad</script>')
|
||||
@ -111,23 +92,24 @@ class HTMLPurifierTest extends HTMLPurifier_Harness
|
||||
|
||||
}
|
||||
|
||||
function testEnableAttrID() {
|
||||
|
||||
$this->purifier = new HTMLPurifier();
|
||||
function testAttrIDDisabledByDefault() {
|
||||
|
||||
$this->assertPurification(
|
||||
'<span id="moon">foobar</span>',
|
||||
'<span>foobar</span>'
|
||||
);
|
||||
|
||||
$this->purifier = new HTMLPurifier(array('Attr.EnableID' => true));
|
||||
}
|
||||
|
||||
function testEnableAttrID() {
|
||||
$this->config->set('Attr', 'EnableID', true);
|
||||
$this->assertPurification('<span id="moon">foobar</span>');
|
||||
$this->assertPurification('<img id="folly" src="folly.png" alt="Omigosh!" />');
|
||||
|
||||
}
|
||||
|
||||
function testScript() {
|
||||
$this->purifier = new HTMLPurifier(array('HTML.Trusted' => true));
|
||||
$this->config->set('HTML', 'Trusted', true);
|
||||
|
||||
$ideal = '<script type="text/javascript"><!--//--><![CDATA[//><!--
|
||||
alert("<This is compatible with XHTML>");
|
||||
//--><!]]></script>';
|
||||
@ -168,24 +150,21 @@ alert("<This is compatible with XHTML>");
|
||||
}
|
||||
|
||||
function testMakeAbsolute() {
|
||||
$this->config->set('URI', 'Base', 'http://example.com/bar/baz.php');
|
||||
$this->config->set('URI', 'MakeAbsolute', true);
|
||||
$this->assertPurification(
|
||||
'<a href="foo.txt">Foobar</a>',
|
||||
'<a href="http://example.com/bar/foo.txt">Foobar</a>',
|
||||
array(
|
||||
'URI.Base' => 'http://example.com/bar/baz.php',
|
||||
'URI.MakeAbsolute' => true
|
||||
)
|
||||
'<a href="http://example.com/bar/foo.txt">Foobar</a>'
|
||||
);
|
||||
}
|
||||
|
||||
function test_addFilter_deprecated() {
|
||||
$purifier = new HTMLPurifier();
|
||||
$this->expectError('HTMLPurifier->addFilter() is deprecated, use configuration directives in the Filter namespace or Filter.Custom');
|
||||
generate_mock_once('HTMLPurifier_Filter');
|
||||
$purifier->addFilter($mock = new HTMLPurifier_FilterMock());
|
||||
$this->purifier->addFilter($mock = new HTMLPurifier_FilterMock());
|
||||
$mock->expectOnce('preFilter');
|
||||
$mock->expectOnce('postFilter');
|
||||
$purifier->purify('foo');
|
||||
$this->purifier->purify('foo');
|
||||
}
|
||||
|
||||
}
|
||||
|
Loading…
x
Reference in New Issue
Block a user