Shortcodes: Improve the reliablity of shortcodes inside HTML tags.

Props miqrogroove. See #15694. git-svn-id: https://develop.svn.wordpress.org/trunk@33359 602fd350-edb4-49c9-b593-d223f7449a82
2026-05-29 15:44:27 +00:00 · 2015-07-22 05:14:50 +00:00
parent 7439dd7354
commit 7b41adf712
6 changed files with 722 additions and 45 deletions
--- a/tests/phpunit/tests/kses.php
+++ b/tests/phpunit/tests/kses.php
@@ -464,4 +464,182 @@ EOF;
 			),
 		);
 	}
+
+	/**
+	 * Test new function wp_kses_hair_parse().
+	 *
+	 * @dataProvider data_hair_parse
+	 */
+	function test_hair_parse( $input, $output ) {
+		return $this->assertEquals( $output, wp_kses_hair_parse( $input ) );
+	}
+
+	function data_hair_parse() {
+		return array(
+			array(
+				'title="hello" href="#" id="my_id" ',
+				array( 'title="hello" ', 'href="#" ', 'id="my_id" ' ),
+			),
+			array(
+				'[shortcode attr="value"] href="http://www.google.com/"title="moo"disabled',
+				array( '[shortcode attr="value"] ', 'href="http://www.google.com/"', 'title="moo"', 'disabled' ),
+			),
+			array(
+				'',
+				array(),
+			),
+			array(
+				'a',
+				array( 'a' ),
+			),
+			array(
+				'title="hello"disabled href=# id=\'my_id\'',
+				array( 'title="hello"', 'disabled ', 'href=# ', "id='my_id'" ),
+			),
+			array(
+				'     ', // Calling function is expected to strip leading whitespace.
+				false,
+			),
+			array(
+				'abcd=abcd"abcd"',
+				false,
+			),
+			array(
+				"array[1]='z'z'z'z",
+				false,
+			),
+		);
+	}
+
+	/**
+	 * Test new function wp_kses_attr_parse().
+	 *
+	 * @dataProvider data_attr_parse
+	 */
+	function test_attr_parse( $input, $output ) {
+		return $this->assertEquals( $output, wp_kses_attr_parse( $input ) );
+	}
+
+	function data_attr_parse() {
+		return array(
+			array(
+				'<a title="hello" href="#" id="my_id" >',
+				array( '<a ', 'title="hello" ', 'href="#" ', 'id="my_id" ', '>' ),
+			),
+			array(
+				'<a [shortcode attr="value"] href="http://www.google.com/"title="moo"disabled>',
+				array( '<a ', '[shortcode attr="value"] ', 'href="http://www.google.com/"', 'title="moo"', 'disabled', '>' ),
+			),
+			array(
+				'',
+				false,
+			),
+			array(
+				'a',
+				false,
+			),
+			array(
+				'<a>',
+				array( '<a', '>' ),
+			),
+			array(
+				'<a%%&&**>',
+				false,
+			),
+			array(
+				'<a title="hello"disabled href=# id=\'my_id\'>',
+				array( '<a ', 'title="hello"', 'disabled ', 'href=# ', "id='my_id'", ">" ),
+			),
+			array(
+				'<a     >',
+				array( '<a     ', '>' ),
+			),
+			array(
+				'<a abcd=abcd"abcd">',
+				false,
+			),
+			array(
+				"<a array[1]='z'z'z'z>",
+				false,
+			),
+			array(
+				'<img title="hello" src="#" id="my_id" />',
+				array( '<img ', 'title="hello" ', 'src="#" ', 'id="my_id"', ' />' ),
+			),
+		);
+	}
+
+	/**
+	 * Test new function wp_kses_one_attr().
+	 *
+	 * @dataProvider data_one_attr
+	 */
+	function test_one_attr( $element, $input, $output ) {
+		return $this->assertEquals( $output, wp_kses_one_attr( $input, $element ) );
+	}
+
+	function data_one_attr() {
+		return array(
+			array(
+				'a',
+				' title="hello" ',
+				' title="hello" ',
+			),
+			array(
+				'a',
+				'title  =  "hello"',
+				'title="hello"',
+			),
+			array(
+				'a',
+				"title='hello'",
+				"title='hello'",
+			),
+			array(
+				'a',
+				'title=hello',
+				'title="hello"',
+			),
+			array(
+				'a',
+				'href="javascript:alert(1)"',
+				'href="alert(1)"',
+			),
+			array(
+				'a',
+				'style ="style "',
+				'style="style"',
+			),
+			array(
+				'a',
+				'style="style "',
+				'style="style"',
+			),
+			array(
+				'a',
+				'style ="style ="',
+				'',
+			),
+			array(
+				'img',
+				'src="mypic.jpg"',
+				'src="mypic.jpg"',
+			),
+			array(
+				'img',
+				'onerror=alert(1)',
+				'',
+			),
+			array(
+				'img',
+				'title=>',
+				'title="&gt;"',
+			),
+			array(
+				'img',
+				'title="&garbage";"',
+				'title="&amp;garbage&quot;;"',
+			),
+		);
+	}
 }
--- a/tests/phpunit/tests/shortcode.php
+++ b/tests/phpunit/tests/shortcode.php
@@ -403,6 +403,82 @@ EOF;
 		}
 	}

+	/**
+	 * Check for bugginess using normal input with latest patches.
+	 *
+	 * @dataProvider data_escaping
+	 */
+	function test_escaping( $input, $output ) {
+		return $this->assertEquals( $output, do_shortcode( $input ) );
+	}
+
+	function data_escaping() {
+		return array(
+			array(
+				'<!--[if lt IE 7]>',
+				'<!--[if lt IE 7]>',
+			),
+			array(
+				'[gallery title="<div>hello</div>"]',
+				'',
+			),
+			array(
+				'[caption caption="test" width="2"]<div>hello</div>[/caption]',
+				'<div style="width: 12px" class="wp-caption alignnone"><div>hello</div><p class="wp-caption-text">test</p></div>',
+			),
+			array(
+				'<div [gallery]>',
+				'<div >',
+			),
+			array(
+				'<div [[gallery]]>',
+				'<div [gallery]>',
+			),
+			array(
+				'[gallery]<div>Hello</div>[/gallery]',
+				'',
+			),
+		);
+	}
+
+	/**
+	 * Check for bugginess using normal input with latest patches.
+	 *
+	 * @dataProvider data_escaping2
+	 */
+	function test_escaping2( $input, $output ) {
+		return $this->assertEquals( $output, strip_shortcodes( $input ) );
+	}
+
+	function data_escaping2() {
+		return array(
+			array(
+				'<!--[if lt IE 7]>',
+				'<!--[if lt IE 7]>',
+			),
+			array(
+				'[gallery title="<div>hello</div>"]',
+				'',
+			),
+			array(
+				'[caption caption="test" width="2"]<div>hello</div>[/caption]',
+				'',
+			),
+			array(
+				'<div [gallery]>', // Shortcodes will never be stripped inside elements.
+				'<div [gallery]>',
+			),
+			array(
+				'<div [[gallery]]>', // Shortcodes will never be stripped inside elements.
+				'<div [[gallery]]>',
+			),
+			array(
+				'[gallery]<div>Hello</div>[/gallery]',
+				'',
+			),
+		);
+	}
+
 	/**
 	 * @ticket 26343
 	 */