is more of a concern.', ), array( '', 'div {background-image:\\0}', ), ); } /** * Test new function wp_kses_hair_parse(). * * @dataProvider data_hair_parse */ function test_hair_parse( $input, $output ) { return $this->assertSame( $output, wp_kses_hair_parse( $input ) ); } function data_hair_parse() { return array( array( 'title="hello" href="#" id="my_id" ', array( 'title="hello" ', 'href="#" ', 'id="my_id" ' ), ), array( '[shortcode attr="value"] href="http://www.google.com/"title="moo"disabled', array( '[shortcode attr="value"] ', 'href="http://www.google.com/"', 'title="moo"', 'disabled' ), ), array( '', array(), ), array( 'a', array( 'a' ), ), array( 'title="hello"disabled href=# id=\'my_id\'', array( 'title="hello"', 'disabled ', 'href=# ', "id='my_id'" ), ), array( ' ', // Calling function is expected to strip leading whitespace. false, ), array( 'abcd=abcd"abcd"', false, ), array( "array[1]='z'z'z'z", false, ), // Using a digit in attribute name should work. array( 'href="https://example.com/[shortcode attr=\'value\']" data-op3-timer-seconds="0"', array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op3-timer-seconds="0"' ), ), // Using an underscore in attribute name should work. array( 'href="https://example.com/[shortcode attr=\'value\']" data-op_timer-seconds="0"', array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op_timer-seconds="0"' ), ), // Using a period in attribute name should work. array( 'href="https://example.com/[shortcode attr=\'value\']" data-op.timer-seconds="0"', array( 'href="https://example.com/[shortcode attr=\'value\']" ', 'data-op.timer-seconds="0"' ), ), // Using a digit at the beginning of attribute name should return false. array( 'href="https://example.com/[shortcode attr=\'value\']" 3data-op-timer-seconds="0"', false, ), ); } /** * Test new function wp_kses_attr_parse(). * * @dataProvider data_attr_parse */ function test_attr_parse( $input, $output ) { return $this->assertSame( $output, wp_kses_attr_parse( $input ) ); } function data_attr_parse() { return array( array( '', array( '' ), ), array( '', array( '' ), ), array( '', false, ), array( 'a', false, ), array( '', array( '' ), ), array( '', false, ), array( '', array( '' ), ), array( '', array( '' ), ), array( '', false, ), array( "", false, ), array( '', array( '' ), ), ); } /** * Test new function wp_kses_one_attr(). * * @dataProvider data_one_attr */ function test_one_attr( $element, $input, $output ) { return $this->assertSame( $output, wp_kses_one_attr( $input, $element ) ); } function data_one_attr() { return array( array( 'a', ' title="hello" ', ' title="hello" ', ), array( 'a', 'title = "hello"', 'title="hello"', ), array( 'a', "title='hello'", "title='hello'", ), array( 'a', 'title=hello', 'title="hello"', ), array( 'a', 'href="javascript:alert(1)"', 'href="alert(1)"', ), array( 'a', 'style ="style "', 'style="style"', ), array( 'a', 'style="style "', 'style="style"', ), array( 'a', 'style ="style ="', '', ), array( 'img', 'src="mypic.jpg"', 'src="mypic.jpg"', ), array( 'img', 'loading="lazy"', 'loading="lazy"', ), array( 'img', 'onerror=alert(1)', '', ), array( 'img', 'title=>', 'title=">"', ), array( 'img', 'title="&garbage";"', 'title="&garbage";"', ), ); } /** * @ticket 34063 */ function test_bdo() { global $allowedposttags; $input = '

This is a BDO tag. Weird, right?

'; $this->assertSame( $input, wp_kses( $input, $allowedposttags ) ); } /** * @ticket 35079 */ function test_ol_reversed() { global $allowedposttags; $input = '

1. Item 1
2. Item 2
3. Item 3

'; $this->assertSame( $input, wp_kses( $input, $allowedposttags ) ); } /** * @ticket 40680 */ function test_wp_kses_attr_no_attributes_allowed_with_empty_array() { $element = 'foo'; $attribute = 'title="foo" class="bar"'; $this->assertSame( "<{$element}>", wp_kses_attr( $element, $attribute, array( 'foo' => array() ), array() ) ); } /** * @ticket 40680 */ function test_wp_kses_attr_no_attributes_allowed_with_true() { $element = 'foo'; $attribute = 'title="foo" class="bar"'; $this->assertSame( "<{$element}>", wp_kses_attr( $element, $attribute, array( 'foo' => true ), array() ) ); } /** * @ticket 40680 */ function test_wp_kses_attr_single_attribute_is_allowed() { $element = 'foo'; $attribute = 'title="foo" class="bar"'; $this->assertSame( "<{$element} title=\"foo\">", wp_kses_attr( $element, $attribute, array( 'foo' => array( 'title' => true ) ), array() ) ); } /** * @ticket 43312 */ function test_wp_kses_attr_no_attributes_allowed_with_false() { $element = 'foo'; $attribute = 'title="foo" class="bar"'; $this->assertSame( "<{$element}>", wp_kses_attr( $element, $attribute, array( 'foo' => false ), array() ) ); } /** * Testing the safecss_filter_attr() function. * * @ticket 37248 * @ticket 42729 * @ticket 48376 * @dataProvider data_test_safecss_filter_attr * * @param string $css A string of CSS rules. * @param string $expected Expected string of CSS rules. */ public function test_safecss_filter_attr( $css, $expected ) { $this->assertSame( $expected, safecss_filter_attr( $css ) ); } /** * Data Provider for test_safecss_filter_attr(). * * @return array { * @type array { * @string string $css A string of CSS rules. * @string string $expected Expected string of CSS rules. * } * } */ public function data_test_safecss_filter_attr() { return array( // Empty input, empty output. array( 'css' => '', 'expected' => '', ), // An arbitrary attribute name isn't allowed. array( 'css' => 'foo:bar', 'expected' => '', ), // A single attribute name, with a single value. array( 'css' => 'margin-top: 2px', 'expected' => 'margin-top: 2px', ), // Backslash \ isn't supported. array( 'css' => 'margin-top: \2px', 'expected' => '', ), // Curly bracket } isn't supported. array( 'css' => 'margin-bottom: 2px}', 'expected' => '', ), // A single attribute name, with a single text value. array( 'css' => 'text-transform: uppercase', 'expected' => 'text-transform: uppercase', ), // Only lowercase attribute names are supported. array( 'css' => 'Text-transform: capitalize', 'expected' => '', ), // Uppercase attribute values goes through. array( 'css' => 'text-transform: None', 'expected' => 'text-transform: None', ), // A single attribute, with multiple values. array( 'css' => 'font: bold 15px arial, sans-serif', 'expected' => 'font: bold 15px arial, sans-serif', ), // Multiple attributes, with single values. array( 'css' => 'font-weight: bold;font-size: 15px', 'expected' => 'font-weight: bold;font-size: 15px', ), // Multiple attributes, separated by a space. array( 'css' => 'font-weight: bold; font-size: 15px', 'expected' => 'font-weight: bold;font-size: 15px', ), // Multiple attributes, with multiple values. array( 'css' => 'margin: 10px 20px;padding: 5px 10px', 'expected' => 'margin: 10px 20px;padding: 5px 10px', ), // Parenthesis ( is supported for some attributes. array( 'css' => 'background: green url("foo.jpg") no-repeat fixed center', 'expected' => 'background: green url("foo.jpg") no-repeat fixed center', ), // Additional background attributes introduced in 5.3. array( 'css' => 'background-size: cover;background-size: 200px 100px;background-attachment: local, scroll;background-blend-mode: hard-light', 'expected' => 'background-size: cover;background-size: 200px 100px;background-attachment: local, scroll;background-blend-mode: hard-light', ), // `border-radius` attribute introduced in 5.3. array( 'css' => 'border-radius: 10% 30% 50% 70%;border-radius: 30px', 'expected' => 'border-radius: 10% 30% 50% 70%;border-radius: 30px', ), // `flex` and related attributes introduced in 5.3. array( 'css' => 'flex: 0 1 auto;flex-basis: 75%;flex-direction: row-reverse;flex-flow: row-reverse nowrap;flex-grow: 2;flex-shrink: 1', 'expected' => 'flex: 0 1 auto;flex-basis: 75%;flex-direction: row-reverse;flex-flow: row-reverse nowrap;flex-grow: 2;flex-shrink: 1', ), // `grid` and related attributes introduced in 5.3. array( 'css' => 'grid-template-columns: 1fr 60px;grid-auto-columns: min-content;grid-column-start: span 2;grid-column-end: -1;grid-column-gap: 10%;grid-gap: 10px 20px', 'expected' => 'grid-template-columns: 1fr 60px;grid-auto-columns: min-content;grid-column-start: span 2;grid-column-end: -1;grid-column-gap: 10%;grid-gap: 10px 20px', ), array( 'css' => 'grid-template-rows: 40px 4em 40px;grid-auto-rows: min-content;grid-row-start: -1;grid-row-end: 3;grid-row-gap: 1em', 'expected' => 'grid-template-rows: 40px 4em 40px;grid-auto-rows: min-content;grid-row-start: -1;grid-row-end: 3;grid-row-gap: 1em', ), // `grid` does not yet support functions or `\`. array( 'css' => 'grid-template-columns: repeat(2, 50px 1fr);grid-template: 1em / 20% 20px 1fr', 'expected' => '', ), // `flex` and `grid` alignments introduced in 5.3. array( 'css' => 'align-content: space-between;align-items: start;align-self: center;justify-items: center;justify-content: space-between;justify-self: end', 'expected' => 'align-content: space-between;align-items: start;align-self: center;justify-items: center;justify-content: space-between;justify-self: end', ), // `columns` and related attributes introduced in 5.3. array( 'css' => 'columns: 6rem auto;column-count: 4;column-fill: balance;column-gap: 9px;column-rule: thick inset blue;column-span: none;column-width: 120px', 'expected' => 'columns: 6rem auto;column-count: 4;column-fill: balance;column-gap: 9px;column-rule: thick inset blue;column-span: none;column-width: 120px', ), // Gradients introduced in 5.3. array( 'css' => 'background: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%)', 'expected' => 'background: linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%)', ), array( 'css' => 'background: linear-gradient(135deg,rgba(6,147,227,1) ) (0%,rgb(155,81,224) 100%)', 'expected' => '', ), array( 'css' => 'background-image: linear-gradient(red,yellow);', 'expected' => 'background-image: linear-gradient(red,yellow)', ), array( 'css' => 'color: linear-gradient(red,yellow);', 'expected' => '', ), array( 'css' => 'background-image: linear-gradient(red,yellow); background: prop( red,yellow); width: 100px;', 'expected' => 'background-image: linear-gradient(red,yellow);width: 100px', ), array( 'css' => 'background: unknown-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%)', 'expected' => '', ), array( 'css' => 'background: repeating-linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%)', 'expected' => 'background: repeating-linear-gradient(135deg,rgba(6,147,227,1) 0%,rgb(155,81,224) 100%)', ), array( 'css' => 'width: 100px; height: 100px; background: linear-gradient(135deg,rgba(0,208,132,1) 0%,rgba(6,147,227,1) 100%);', 'expected' => 'width: 100px;height: 100px;background: linear-gradient(135deg,rgba(0,208,132,1) 0%,rgba(6,147,227,1) 100%)', ), array( 'css' => 'background: radial-gradient(#ff0, red, yellow, green, rgba(6,147,227,1), rgb(155,81,224) 90%);', 'expected' => 'background: radial-gradient(#ff0, red, yellow, green, rgba(6,147,227,1), rgb(155,81,224) 90%)', ), array( 'css' => 'background: radial-gradient(#ff0, red, yellow, green, rgba(6,147,227,1), rgb(155,81,224) 90%);', 'expected' => 'background: radial-gradient(#ff0, red, yellow, green, rgba(6,147,227,1), rgb(155,81,224) 90%)', ), array( 'css' => 'background: conic-gradient(at 0% 30%, red 10%, yellow 30%, #1e90ff 50%)', 'expected' => 'background: conic-gradient(at 0% 30%, red 10%, yellow 30%, #1e90ff 50%)', ), // Expressions are not allowed. array( 'css' => 'height: expression( body.scrollTop + 50 + "px" )', 'expected' => '', ), // RGB color values are not allowed. array( 'css' => 'color: rgb( 100, 100, 100 )', 'expected' => '', ), // RGBA color values are not allowed. array( 'css' => 'color: rgb( 100, 100, 100, .4 )', 'expected' => '', ), ); } /** * Data attributes are globally accepted. * * @ticket 33121 */ function test_wp_kses_attr_data_attribute_is_allowed() { $test = '

Pens and pencils

'; $expected = '

Pens and pencils

'; $this->assertSame( $expected, wp_kses_post( $test ) ); } /** * Ensure wildcard attributes block unprefixed wildcard uses. * * @ticket 33121 */ function test_wildcard_requires_hyphen_after_prefix() { $allowed_html = array( 'div' => array( 'data-*' => true, 'on-*' => true, ), ); $string = '

Malformed attributes

'; $expected = '

Malformed attributes

'; $actual = wp_kses( $string, $allowed_html ); $this->assertSame( $expected, $actual ); } /** * Ensure wildcard allows two hyphen. * * @ticket 33121 */ function test_wildcard_allows_two_hyphens() { $allowed_html = array( 'div' => array( 'data-*' => true, ), ); $string = '

Well formed attribute

'; $expected = '

Well formed attribute

'; $actual = wp_kses( $string, $allowed_html ); $this->assertSame( $expected, $actual ); } /** * Ensure wildcard attributes only support valid prefixes. * * @dataProvider data_wildcard_attribute_prefixes * * @ticket 33121 */ function test_wildcard_attribute_prefixes( $wildcard_attribute, $expected ) { $allowed_html = array( 'div' => array( $wildcard_attribute => true, ), ); $name = str_replace( '*', strtolower( __FUNCTION__ ), $wildcard_attribute ); $value = __FUNCTION__; $whole = "{$name}=\"{$value}\""; $actual = wp_kses_attr_check( $name, $value, $whole, 'n', 'div', $allowed_html ); $this->assertSame( $expected, $actual ); } /** * @return array Array of arguments for wildcard testing * [0] The prefix being tested. * [1] The outcome of `wp_kses_attr_check` for the prefix. */ function data_wildcard_attribute_prefixes() { return array( // Ends correctly. array( 'data-*', true ), // Does not end with trialing `-`. array( 'data*', false ), // Multiple wildcards. array( 'd*ta-*', false ), array( 'data**', false ), ); } /** * Test URL sanitization in the style tag. * * @dataProvider data_kses_style_attr_with_url * * @ticket 45067 * * @param $input string The style attribute saved in the editor. * @param $expected string The sanitized style attribute. */ function test_kses_style_attr_with_url( $input, $expected ) { $actual = safecss_filter_attr( $input ); $this->assertSame( $expected, $actual ); } /** * Data provider testing style attribute sanitization. * * @return array Nested array of input, expected pairs. */ function data_kses_style_attr_with_url() { return array( /* * Valid use cases. */ // Double quotes. array( 'background-image: url( "http://example.com/valid.gif" );', 'background-image: url( "http://example.com/valid.gif" )', ), // Single quotes. array( "background-image: url( 'http://example.com/valid.gif' );", "background-image: url( 'http://example.com/valid.gif' )", ), // No quotes. array( 'background-image: url( http://example.com/valid.gif );', 'background-image: url( http://example.com/valid.gif )', ), // Single quotes, extra spaces. array( "background-image: url( ' http://example.com/valid.gif ' );", "background-image: url( ' http://example.com/valid.gif ' )", ), // Line breaks, single quotes. array( "background-image: url(\n'http://example.com/valid.gif' );", "background-image: url('http://example.com/valid.gif' )", ), // Tabs not spaces, single quotes. array( "background-image: url(\t'http://example.com/valid.gif'\t\t);", "background-image: url('http://example.com/valid.gif')", ), // Single quotes, absolute path. array( "background: url('/valid.gif');", "background: url('/valid.gif')", ), // Single quotes, relative path. array( "background: url('../wp-content/uploads/2018/10/valid.gif');", "background: url('../wp-content/uploads/2018/10/valid.gif')", ), // Error check: valid property not containing a URL. array( 'background: red', 'background: red', ), /* * Invalid use cases. */ // Attribute doesn't support URL properties. array( 'color: url( "http://example.com/invalid.gif" );', '', ), // Mismatched quotes. array( 'background-image: url( "http://example.com/valid.gif\' );', '', ), // Bad protocol, double quotes. array( 'background-image: url( "bad://example.com/invalid.gif" );', '', ), // Bad protocol, single quotes. array( "background-image: url( 'bad://example.com/invalid.gif' );", '', ), // Bad protocol, single quotes. array( "background-image: url( 'bad://example.com/invalid.gif' );", '', ), // Bad protocol, single quotes, strange spacing. array( "background-image: url( ' \tbad://example.com/invalid.gif ' );", '', ), // Bad protocol, no quotes. array( 'background-image: url( bad://example.com/invalid.gif );', '', ), // No URL inside url(). array( 'background-image: url();', '', ), // Malformed, no closing `)`. array( 'background-image: url( "http://example.com" ;', '', ), // Malformed, no closing `"`. array( 'background-image: url( "http://example.com );', '', ), ); } /** * Testing the safecss_filter_attr() function with the safecss_filter_attr_allow_css filter. * * @ticket 37134 * * @dataProvider data_test_safecss_filter_attr_filtered * * @param string $css A string of CSS rules. * @param string $expected Expected string of CSS rules. */ public function test_safecss_filter_attr_filtered( $css, $expected ) { add_filter( 'safecss_filter_attr_allow_css', '__return_true' ); $this->assertSame( $expected, safecss_filter_attr( $css ) ); remove_filter( 'safecss_filter_attr_allow_css', '__return_true' ); } /** * Data Provider for test_safecss_filter_attr_filtered(). * * @return array { * @type array { * @string string $css A string of CSS rules. * @string string $expected Expected string of CSS rules. * } * } */ public function data_test_safecss_filter_attr_filtered() { return array( // A single attribute name, with a single value. array( 'css' => 'margin-top: 2px', 'expected' => 'margin-top: 2px', ), // Backslash \ can be allowed with the 'safecss_filter_attr_allow_css' filter. array( 'css' => 'margin-top: \2px', 'expected' => 'margin-top: \2px', ), // Curly bracket } can be allowed with the 'safecss_filter_attr_allow_css' filter. array( 'css' => 'margin-bottom: 2px}', 'expected' => 'margin-bottom: 2px}', ), // Parenthesis ) can be allowed with the 'safecss_filter_attr_allow_css' filter. array( 'css' => 'margin-bottom: 2px)', 'expected' => 'margin-bottom: 2px)', ), // Ampersand & can be allowed with the 'safecss_filter_attr_allow_css' filter. array( 'css' => 'margin-bottom: 2px&', 'expected' => 'margin-bottom: 2px&', ), // Expressions can be allowed with the 'safecss_filter_attr_allow_css' filter. array( 'css' => 'height: expression( body.scrollTop + 50 + "px" )', 'expected' => 'height: expression( body.scrollTop + 50 + "px" )', ), // RGB color values can be allowed with the 'safecss_filter_attr_allow_css' filter. array( 'css' => 'color: rgb( 100, 100, 100 )', 'expected' => 'color: rgb( 100, 100, 100 )', ), // RGBA color values can be allowed with the 'safecss_filter_attr_allow_css' filter. array( 'css' => 'color: rgb( 100, 100, 100, .4 )', 'expected' => 'color: rgb( 100, 100, 100, .4 )', ), ); } /** * Test filtering a standard img tag. * * @ticket 50731 */ function test_wp_kses_img_tag_standard_attributes() { $html = array( '', ); $html = implode( ' ', $html ); $this->assertSame( $html, wp_kses_post( $html ) ); } }