This \\0 should be no big deal.
',
'This \\0 should be no big deal.
',
),
array(
'This should be no big deal.
',
'This should be no big deal.
',
),
array(
'This is more of a concern.',
'This
is more of a concern.',
),
array(
'This
is more of a concern.',
'This
is more of a concern.',
),
array(
'This
is more of a concern.',
'This
is more of a concern.',
),
array(
'This
is more of a concern.',
'This
is more of a concern.',
),
array(
'This
is more of a concern.',
'This
is more of a concern.',
),
array(
'',
'div {background-image:\\0}',
),
);
}
/**
* Test new function wp_kses_hair_parse().
*
* @dataProvider data_hair_parse
*/
public function test_hair_parse( $input, $output ) {
return $this->assertSame( $output, wp_kses_hair_parse( $input ) );
}
public function data_hair_parse() {
return array(
array(
'title="hello" href="#" id="my_id" ',
array( 'title="hello" ', 'href="#" ', 'id="my_id" ' ),
),
array(
'[shortcode attr="value"] href="http://www.google.com/"title="moo"disabled',
array( '[shortcode attr="value"] ', 'href="http://www.google.com/"', 'title="moo"', 'disabled' ),
),
array(
'',
array(),
),
array(
'a',
array( 'a' ),
),
array(
'title="hello"disabled href=# id=\'my_id\'',
array( 'title="hello"', 'disabled ', 'href=# ', "id='my_id'" ),
),
array(
' ', // Calling function is expected to strip leading whitespace.
false,
),
array(
'abcd=abcd"abcd"',
false,
),
array(
"array[1]='z'z'z'z",
false,
),
// Using a digit in attribute name should work.
array(
'href="https://example.com/[shortcode attr=\'value\']" data-op3-timer-seconds="0"',
array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op3-timer-seconds="0"' ),
),
// Using an underscore in attribute name should work.
array(
'href="https://example.com/[shortcode attr=\'value\']" data-op_timer-seconds="0"',
array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op_timer-seconds="0"' ),
),
// Using a period in attribute name should work.
array(
'href="https://example.com/[shortcode attr=\'value\']" data-op.timer-seconds="0"',
array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op.timer-seconds="0"' ),
),
// Using a digit at the beginning of attribute name should return false.
array(
'href="https://example.com/[shortcode attr=\'value\']" 3data-op-timer-seconds="0"',
false,
),
);
}
/**
* Test new function wp_kses_attr_parse().
*
* @dataProvider data_attr_parse
*/
public function test_attr_parse( $input, $output ) {
return $this->assertSame( $output, wp_kses_attr_parse( $input ) );
}
public function data_attr_parse() {
return array(
array(
'',
array( '' ),
),
array(
'',
array( '' ),
),
array(
'',
false,
),
array(
'a',
false,
),
array(
'',
array( '' ),
),
array(
'',
false,
),
array(
'',
array( '' ),
),
array(
'',
array( '' ),
),
array(
'',
false,
),
array(
"",
false,
),
array(
'
',
array( '![]()
' ),
),
);
}
/**
* Test new function wp_kses_one_attr().
*
* @dataProvider data_one_attr
*/
public function test_one_attr( $element, $input, $output ) {
return $this->assertSame( $output, wp_kses_one_attr( $input, $element ) );
}
public function data_one_attr() {
return array(
array(
'a',
' title="hello" ',
' title="hello" ',
),
array(
'a',
'title = "hello"',
'title="hello"',
),
array(
'a',
"title='hello'",
"title='hello'",
),
array(
'a',
'title=hello',
'title="hello"',
),
array(
'a',
'href="javascript:alert(1)"',
'href="alert(1)"',
),
array(
'a',
'style ="style "',
'style="style"',
),
array(
'a',
'style="style "',
'style="style"',
),
array(
'a',
'style ="style ="',
'',
),
array(
'img',
'src="mypic.jpg"',
'src="mypic.jpg"',
),
array(
'img',
'loading="lazy"',
'loading="lazy"',
),
array(
'img',
'onerror=alert(1)',
'',
),
array(
'img',
'title=>',
'title=">"',
),
array(
'img',
'title="&garbage";"',
'title="&garbage";"',
),
);
}
/**
* @ticket 34063
*/
public function test_bdo_tag_allowed() {
global $allowedposttags;
$input = '
This is a BDO tag. Weird, right?
'; $this->assertSame( $input, wp_kses( $input, $allowedposttags ) ); } /** * @ticket 54698 */ public function test_ruby_tag_allowed() { global $allowedposttags; $input = '✶'; $this->assertSame( $input, wp_kses( $input, $allowedposttags ) ); } /** * @ticket 35079 */ public function test_ol_reversed_attribute_allowed() { global $allowedposttags; $input = '- Item 1
- Item 2
- Item 3
Pens and pencils
';
$expected = 'Pens and pencils
';
$this->assertSame( $expected, wp_kses_post( $test ) );
}
/**
* Ensure wildcard attributes block unprefixed wildcard uses.
*
* @ticket 33121
*/
public function test_wildcard_requires_hyphen_after_prefix() {
$allowed_html = array(
'div' => array(
'data-*' => true,
'on-*' => true,
),
);
$string = 'Malformed attributes
';
$expected = 'Malformed attributes
';
$actual = wp_kses( $string, $allowed_html );
$this->assertSame( $expected, $actual );
}
/**
* Ensure wildcard allows two hyphen.
*
* @ticket 33121
*/
public function test_wildcard_allows_two_hyphens() {
$allowed_html = array(
'div' => array(
'data-*' => true,
),
);
$string = 'Well formed attribute
';
$expected = 'Well formed attribute
';
$actual = wp_kses( $string, $allowed_html );
$this->assertSame( $expected, $actual );
}
/**
* Ensure wildcard attributes only support valid prefixes.
*
* @dataProvider data_wildcard_attribute_prefixes
*
* @ticket 33121
*/
public function test_wildcard_attribute_prefixes( $wildcard_attribute, $expected ) {
$allowed_html = array(
'div' => array(
$wildcard_attribute => true,
),
);
$name = str_replace( '*', strtolower( __FUNCTION__ ), $wildcard_attribute );
$value = __FUNCTION__;
$whole = "{$name}=\"{$value}\"";
$actual = wp_kses_attr_check( $name, $value, $whole, 'n', 'div', $allowed_html );
$this->assertSame( $expected, $actual );
}
/**
* @return array Array of arguments for wildcard testing
* [0] The prefix being tested.
* [1] The outcome of `wp_kses_attr_check` for the prefix.
*/
public function data_wildcard_attribute_prefixes() {
return array(
// Ends correctly.
array( 'data-*', true ),
// Does not end with trialing `-`.
array( 'data*', false ),
// Multiple wildcards.
array( 'd*ta-*', false ),
array( 'data**', false ),
);
}
/**
* Test URL sanitization in the style tag.
*
* @dataProvider data_kses_style_attr_with_url
*
* @ticket 45067
* @ticket 46197
* @ticket 46498
*
* @param $input string The style attribute saved in the editor.
* @param $expected string The sanitized style attribute.
*/
public function test_kses_style_attr_with_url( $input, $expected ) {
$actual = safecss_filter_attr( $input );
$this->assertSame( $expected, $actual );
}
/**
* Data provider testing style attribute sanitization.
*
* @return array Nested array of input, expected pairs.
*/
public function data_kses_style_attr_with_url() {
return array(
/*
* Valid use cases.
*/
// Double quotes.
array(
'background-image: url( "http://example.com/valid.gif" );',
'background-image: url( "http://example.com/valid.gif" )',
),
// Single quotes.
array(
"background-image: url( 'http://example.com/valid.gif' );",
"background-image: url( 'http://example.com/valid.gif' )",
),
// No quotes.
array(
'background-image: url( http://example.com/valid.gif );',
'background-image: url( http://example.com/valid.gif )',
),
// Single quotes, extra spaces.
array(
"background-image: url( ' http://example.com/valid.gif ' );",
"background-image: url( ' http://example.com/valid.gif ' )",
),
// Line breaks, single quotes.
array(
"background-image: url(\n'http://example.com/valid.gif' );",
"background-image: url('http://example.com/valid.gif' )",
),
// Tabs not spaces, single quotes.
array(
"background-image: url(\t'http://example.com/valid.gif'\t\t);",
"background-image: url('http://example.com/valid.gif')",
),
// Single quotes, absolute path.
array(
"background: url('/valid.gif');",
"background: url('/valid.gif')",
),
// Single quotes, relative path.
array(
"background: url('../wp-content/uploads/2018/10/valid.gif');",
"background: url('../wp-content/uploads/2018/10/valid.gif')",
),
// Error check: valid property not containing a URL.
array(
'background: red',
'background: red',
),
// CSS calc().
array(
'width: calc(2em + 3px)',
'width: calc(2em + 3px)',
),
// CSS variable.
array(
'padding: var(--wp-var1) var(--wp-var2)',
'padding: var(--wp-var1) var(--wp-var2)',
),
// CSS calc() with var().
array(
'margin-top: calc(var(--wp-var1) * 3 + 2em)',
'margin-top: calc(var(--wp-var1) * 3 + 2em)',
),
/*
* Invalid use cases.
*/
// Attribute doesn't support URL properties.
array(
'color: url( "http://example.com/invalid.gif" );',
'',
),
// Mismatched quotes.
array(
'background-image: url( "http://example.com/valid.gif\' );',
'',
),
// Bad protocol, double quotes.
array(
'background-image: url( "bad://example.com/invalid.gif" );',
'',
),
// Bad protocol, single quotes.
array(
"background-image: url( 'bad://example.com/invalid.gif' );",
'',
),
// Bad protocol, single quotes.
array(
"background-image: url( 'bad://example.com/invalid.gif' );",
'',
),
// Bad protocol, single quotes, strange spacing.
array(
"background-image: url( ' \tbad://example.com/invalid.gif ' );",
'',
),
// Bad protocol, no quotes.
array(
'background-image: url( bad://example.com/invalid.gif );',
'',
),
// No URL inside url().
array(
'background-image: url();',
'',
),
// Malformed, no closing `)`.
array(
'background-image: url( "http://example.com" ;',
'',
),
// Malformed, no closing `"`.
array(
'background-image: url( "http://example.com );',
'',
),
// Malformed calc, no closing `)`.
array(
'width: calc(3em + 10px',
'',
),
// Malformed var, no closing `)`.
array(
'width: var(--wp-var1',
'',
),
);
}
/**
* Testing the safecss_filter_attr() function with the safecss_filter_attr_allow_css filter.
*
* @ticket 37134
*
* @dataProvider data_test_safecss_filter_attr_filtered
*
* @param string $css A string of CSS rules.
* @param string $expected Expected string of CSS rules.
*/
public function test_safecss_filter_attr_filtered( $css, $expected ) {
add_filter( 'safecss_filter_attr_allow_css', '__return_true' );
$this->assertSame( $expected, safecss_filter_attr( $css ) );
remove_filter( 'safecss_filter_attr_allow_css', '__return_true' );
}
/**
* Data Provider for test_safecss_filter_attr_filtered().
*
* @return array {
* @type array {
* @string string $css A string of CSS rules.
* @string string $expected Expected string of CSS rules.
* }
* }
*/
public function data_test_safecss_filter_attr_filtered() {
return array(
// A single attribute name, with a single value.
array(
'css' => 'margin-top: 2px',
'expected' => 'margin-top: 2px',
),
// Backslash \ can be allowed with the 'safecss_filter_attr_allow_css' filter.
array(
'css' => 'margin-top: \2px',
'expected' => 'margin-top: \2px',
),
// Curly bracket } can be allowed with the 'safecss_filter_attr_allow_css' filter.
array(
'css' => 'margin-bottom: 2px}',
'expected' => 'margin-bottom: 2px}',
),
// Parenthesis ) can be allowed with the 'safecss_filter_attr_allow_css' filter.
array(
'css' => 'margin-bottom: 2px)',
'expected' => 'margin-bottom: 2px)',
),
// Ampersand & can be allowed with the 'safecss_filter_attr_allow_css' filter.
array(
'css' => 'margin-bottom: 2px&',
'expected' => 'margin-bottom: 2px&',
),
// Expressions can be allowed with the 'safecss_filter_attr_allow_css' filter.
array(
'css' => 'height: expression( body.scrollTop + 50 + "px" )',
'expected' => 'height: expression( body.scrollTop + 50 + "px" )',
),
// RGB color values can be allowed with the 'safecss_filter_attr_allow_css' filter.
array(
'css' => 'color: rgb( 100, 100, 100 )',
'expected' => 'color: rgb( 100, 100, 100 )',
),
// RGBA color values can be allowed with the 'safecss_filter_attr_allow_css' filter.
array(
'css' => 'color: rgb( 100, 100, 100, .4 )',
'expected' => 'color: rgb( 100, 100, 100, .4 )',
),
);
}
/**
* Test filtering a standard img tag.
*
* @ticket 50731
*/
public function test_wp_kses_img_tag_standard_attributes() {
$html = array(
'foo
', 'foo
', ), 'valid dir attribute value, upper case' => array( 'foo
', 'foo
', ), 'invalid dir attribute value' => array( 'foo
', 'foo
', ), 'dir attribute with empty value' => array( 'foo
', 'foo
', ), 'dir attribute with no value' => array( 'foo
', 'foo
', ), ); return array_map( function ( $datum ) { $datum[] = array( 'p' => array( 'dir' => array( 'values' => array( 'ltr', 'rtl' ), ), ), ); return $datum; }, $data ); } /** * Test that attributes with the required flag are handled correctly. * * @ticket 54261 * * @dataProvider data_wp_kses_required_attribute * * @param string $html A string of HTML to test. * @param string $expected The expected result from KSES. * @param array $allowed_html The allowed HTML to pass to KSES. */ function test_wp_kses_required_attribute( $html, $expected, $allowed_html ) { $this->assertSame( $expected, wp_kses( $html, $allowed_html ) ); } /** * Data provider for test_wp_kses_required_attribute(). */ function data_wp_kses_required_attribute() { $data = array( 'valid dir attribute value' => array( 'foo
', // Test HTML. 'foo
', // Expected result when dir is not required. 'foo
', // Expected result when dir is required. 'foo
', // Expected result when dir is required, but has no value filter. ), 'valid dir attribute value, upper case' => array( 'foo
', 'foo
', 'foo
', 'foo
', ), 'invalid dir attribute value' => array( 'foo
', 'foo
', 'foo
', 'foo
', ), 'dir attribute with empty value' => array( 'foo
', 'foo
', 'foo
', 'foo
', ), 'dir attribute with no value' => array( 'foo
', 'foo
', 'foo
', 'foo
', ), 'dir attribute not set' => array( 'foo
', 'foo
', 'foo
', 'foo
', ), ); $return_data = array(); foreach ( $data as $description => $datum ) { // Test that the required flag defaults to false. $return_data[ "$description - required flag not set" ] = array( $datum[0], $datum[1], array( 'p' => array( 'dir' => array( 'values' => array( 'ltr', 'rtl' ), ), ), ), ); // Test when the attribute is not required, but has allowed values. $return_data[ "$description - required flag set to false" ] = array( $datum[0], $datum[1], array( 'p' => array( 'dir' => array( 'required' => false, 'values' => array( 'ltr', 'rtl' ), ), ), ), ); // Test when the attribute is required, but has allowed values. $return_data[ "$description - required flag set to true" ] = array( $datum[0], $datum[2], array( 'p' => array( 'dir' => array( 'required' => true, 'values' => array( 'ltr', 'rtl' ), ), ), ), ); // Test when the attribute is required, but has no allowed values. $return_data[ "$description - required flag set to true, no allowed values specified" ] = array( $datum[0], $datum[3], array( 'p' => array( 'dir' => array( 'required' => true, ), ), ), ); } return $return_data; } /** * Test that XML named entities are encoded correctly. * * @dataProvider data_wp_kses_xml_named_entities * * @ticket 54060 * @covers ::wp_kses_xml_named_entities * * @param array $input The input to wp_kses_xml_named_entities(). * @param string $expected The expected output. */ public function test_wp_kses_xml_named_entities( $input, $expected ) { $this->assertSame( $expected, wp_kses_xml_named_entities( $input ) ); } /** * Data provider for test_wp_kses_xml_named_entities(). * * @return array Nested array of input, expected pairs. */ public function data_wp_kses_xml_named_entities() { return array( // Empty string value testing. 'empty string' => array( 'input' => '', 'expected' => '', ), // Empty string array value testing. 'empty string array' => array( 'input' => array( '', '' ), 'expected' => '', ), // $allowedxmlentitynames values testing. 'amp' => array( 'input' => array( '', 'amp' ), 'expected' => '&', ), 'lt' => array( 'input' => array( '', 'lt' ), 'expected' => '<', ), 'gt' => array( 'input' => array( '', 'gt' ), 'expected' => '>', ), // $allowedentitynames values testing. 'nbsp' => array( 'input' => array( '', 'nbsp' ), 'expected' => utf8_encode( chr( 160 ) ), ), 'iexcl' => array( 'input' => array( '', 'iexcl' ), 'expected' => '¡', ), 'cent' => array( 'input' => array( '', 'cent' ), 'expected' => '¢', ), // Some other value testing. 'test' => array( 'input' => array( '', 'test' ), 'expected' => '&test;', ), ); } /** * Test that KSES globals are defined. * * @dataProvider data_kses_globals_are_defined * * @ticket 54060 * * @param string $global The name of the global variable. */ public function test_kses_globals_are_defined( $global ) { $this->assertArrayHasKey( $global, $GLOBALS ); } /** * Data provider for test_kses_globals_are_defined(). * * @return array */ public function data_kses_globals_are_defined() { return array( 'allowedposttags' => array( 'global' => 'allowedposttags', ), 'allowedtags' => array( 'global' => 'allowedtags', ), 'allowedentitynames' => array( 'global' => 'allowedentitynames', ), 'allowedxmlentitynames' => array( 'global' => 'allowedxmlentitynames', ), ); } }