function FilterKernelTest::testHtmlFilter
Tests filter settings, defaults, access restrictions and similar.
@todo This is for functions like filter_filter and check_markup, whose functionality is not completely focused on filtering. Some ideas: restricting formats according to user permissions, proper cache handling, defaults -- allowed tags/attributes/protocols.
@todo It is possible to add script, iframe etc. to allowed tags, but this makes HTML filter completely ineffective.
@todo Class, id, name and xmlns should be added to the list of forbidden attributes, or, better yet, use an allowed attribute list.
File
-
core/
modules/ filter/ tests/ src/ Kernel/ FilterKernelTest.php, line 553
Class
- FilterKernelTest
- Tests Filter module filters individually.
Namespace
Drupal\Tests\filter\KernelCode
public function testHtmlFilter() : void {
// Get FilterHtml object.
$filter = $this->filters['filter_html'];
$filter->setConfiguration([
'settings' => [
'allowed_html' => '<a> <p> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
],
]);
// HTML filter is not able to secure some tags, these should never be
// allowed.
$f = (string) $filter->process('<script />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('', $f, 'HTML filter should remove script tags.');
$f = (string) $filter->process('<iframe />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('', $f, 'HTML filter should remove iframe tags.');
$f = (string) $filter->process('<object />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('', $f, 'HTML filter should remove object tags.');
$f = (string) $filter->process('<style />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('', $f, 'HTML filter should remove style tags.');
// Some tags make CSRF attacks easier, let the user take the risk herself.
$f = (string) $filter->process('<img />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('', $f, 'HTML filter should remove img tags by default.');
$f = (string) $filter->process('<input />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('', $f, 'HTML filter should remove input tags by default.');
// Filtering content of some attributes is infeasible, these shouldn't be
// allowed too.
$f = (string) $filter->process('<p style="display: none;" />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNoNormalized($f, 'style', 'HTML filter should remove style attributes.');
$this->assertSame('<p></p>', $f);
$f = (string) $filter->process('<p onerror="alert(0);"></p>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNoNormalized($f, 'onerror', 'HTML filter should remove on* attributes.');
$this->assertSame('<p></p>', $f);
$f = (string) $filter->process('<code onerror> </code>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNoNormalized($f, 'onerror', 'HTML filter should remove empty on* attributes.');
$this->assertSame('<code> </code>', $f);
$f = (string) $filter->process('<br>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNormalized($f, '<br>', 'HTML filter should allow line breaks.');
$f = (string) $filter->process('<br />', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNormalized($f, '<br>', 'HTML filter should allow self-closing line breaks.');
// All attributes of allowed tags are stripped by default.
$f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNormalized($f, '<a>link</a>', 'HTML filter should remove attributes that are not explicitly allowed.');
// Now allow the "llama" attribute on <a>.
$filter->setConfiguration([
'settings' => [
'allowed_html' => '<a href llama> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
],
]);
$f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNormalized($f, '<a llama="awesome">link</a>', 'HTML filter keeps explicitly allowed attributes, and removes attributes that are not explicitly allowed.');
// Restrict the allowed "llama" attribute on <a> to only allow the value
// "majestical", or "epic".
$filter->setConfiguration([
'settings' => [
'allowed_html' => '<a href llama="majestical epic"> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
],
]);
$f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('<a>link</a>', $f, 'HTML filter removes allowed attributes that do not have an explicitly allowed value.');
$f = (string) $filter->process('<a kitten="cute" llama="majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('<a llama="majestical">link</a>', $f, 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
$f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNormalized($f, '<a>link</a>', 'HTML filter removes allowed attributes that have a not explicitly allowed value.');
$f = (string) $filter->process('<a href="/beautiful-animals" kitten="cute" llama="epic majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertSame('<a href="/beautiful-animals" llama="epic majestical">link</a>', $f, 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
// Allow iframes and check that the subsequent tags are parsed correctly.
$filter->setConfiguration([
'settings' => [
'allowed_html' => '<iframe> <a href llama>',
'filter_html_help' => 1,
'filter_html_nofollow' => 0,
],
]);
$f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
$this->assertNormalized($f, '<a llama="awesome">link</a>');
}Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.