assertSame( $expected, $actual ); } /** * Data provider for `test_esc_xml_basics()`. * * @return array { * @type string $source The source string to be escaped. * @type string $expected The expected escaped value of `$source`. * } */ public function _test_esc_xml_basics_dataprovider() { return array( // Simple string. array( 'The quick brown fox.', 'The quick brown fox.', ), // URL with &. array( 'http://localhost/trunk/wp-login.php?action=logout&_wpnonce=cd57d75985', 'http://localhost/trunk/wp-login.php?action=logout&_wpnonce=cd57d75985', ), // SQL query w/ single quotes. array( "SELECT meta_key, meta_value FROM wp_trunk_sitemeta WHERE meta_key IN ('site_name', 'siteurl', 'active_sitewide_plugins', '_site_transient_timeout_theme_roots', '_site_transient_theme_roots', 'site_admins', 'can_compress_scripts', 'global_terms_enabled') AND site_id = 1", 'SELECT meta_key, meta_value FROM wp_trunk_sitemeta WHERE meta_key IN ('site_name', 'siteurl', 'active_sitewide_plugins', '_site_transient_timeout_theme_roots', '_site_transient_theme_roots', 'site_admins', 'can_compress_scripts', 'global_terms_enabled') AND site_id = 1', ), ); } public function test_escapes_ampersands() { $source = 'penn & teller & at&t'; $expected = 'penn & teller & at&t'; $actual = esc_xml( $source ); $this->assertSame( $expected, $actual ); } public function test_escapes_greater_and_less_than() { $source = 'this > that < that '; $expected = 'this > that < that <randomhtml />'; $actual = esc_xml( $source ); $this->assertSame( $expected, $actual ); } public function test_escapes_html_named_entities() { $source = 'this & is a … followed by › and more and a &nonexistent; entity'; $expected = 'this & is a … followed by › and more and a &nonexistent; entity'; $actual = esc_xml( $source ); $this->assertSame( $expected, $actual ); } public function test_ignores_existing_entities() { $source = '& £ " &'; // note that _wp_specialchars() strips leading 0's from numeric character references. $expected = '& £ " &'; $actual = esc_xml( $source ); $this->assertSame( $expected, $actual ); } /** * Test that CDATA Sections are not escaped. * * @dataProvider _test_ignores_cdata_sections_dataprovider * * @param string $source The source string to be escaped. * @param string $expected The expected escaped value of `$source`. */ public function test_ignores_cdata_sections( $source, $expected ) { $actual = esc_xml( $source ); $this->assertSame( $expected, $actual ); } /** * Data provider for `test_ignores_cdata_sections()`. * * @return array { * @type string $source The source string to be escaped. * @type string $expected The expected escaped value of `$source`. * } */ public function _test_ignores_cdata_sections_dataprovider() { return array( // basic CDATA Section containing chars that would otherwise be escaped if not in a CDATA Section // not to mention the CDATA Section markup itself :-) // $source contains embedded newlines to test that the regex that ignores CDATA Sections // correctly handles that case. array( "This is\na]]>\nbroadcast system", "This is\na]]>\nbroadcast system", ), // string with chars that should be escaped as well as a CDATA Section that should be not be. array( 'This is … a ]]> broadcast ', 'This is … a ]]> broadcast <system />', ), // Same as above, but with the CDATA Section at the start of the string. array( ']]> This is … a broadcast ', ']]> This is … a broadcast <system />', ), // Same as above, but with the CDATA Section at the end of the string. array( 'This is … a broadcast ]]>', 'This is … a broadcast <system />]]>', ), // Multiple CDATA Sections. array( 'This is … a ]]> &broadcast; ]]>', 'This is … a ]]> &broadcast; ]]>', ), // Ensure that ']]>' that does not mark the end of a CDATA Section is escaped. array( ']]>', ']]>', ), ); } }