function FilterKernelTest::testHtmlFilter

Same name and namespace in other branches
  1. 9 core/modules/filter/tests/src/Kernel/FilterKernelTest.php \Drupal\Tests\filter\Kernel\FilterKernelTest::testHtmlFilter()
  2. 8.9.x core/modules/filter/tests/src/Kernel/FilterKernelTest.php \Drupal\Tests\filter\Kernel\FilterKernelTest::testHtmlFilter()
  3. 10 core/modules/filter/tests/src/Kernel/FilterKernelTest.php \Drupal\Tests\filter\Kernel\FilterKernelTest::testHtmlFilter()

Tests filter settings, defaults, access restrictions and similar.

@todo This is for functions like filter_filter and check_markup, whose functionality is not completely focused on filtering. Some ideas: restricting formats according to user permissions, proper cache handling, defaults -- allowed tags/attributes/protocols.

@todo It is possible to add script, iframe etc. to allowed tags, but this makes HTML filter completely ineffective.

@todo Class, id, name and xmlns should be added to the list of forbidden attributes, or, better yet, use an allowed attribute list.

File

core/modules/filter/tests/src/Kernel/FilterKernelTest.php, line 551

Class

FilterKernelTest
Tests Filter module filters individually.

Namespace

Drupal\Tests\filter\Kernel

Code

public function testHtmlFilter() : void {
    // Get FilterHtml object.
    $filter = $this->filters['filter_html'];
    $filter->setConfiguration([
        'settings' => [
            'allowed_html' => '<a> <p> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
            'filter_html_help' => 1,
            'filter_html_nofollow' => 0,
        ],
    ]);
    // HTML filter is not able to secure some tags, these should never be
    // allowed.
    $f = (string) $filter->process('<script />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('', $f, 'HTML filter should remove script tags.');
    $f = (string) $filter->process('<iframe />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('', $f, 'HTML filter should remove iframe tags.');
    $f = (string) $filter->process('<object />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('', $f, 'HTML filter should remove object tags.');
    $f = (string) $filter->process('<style />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('', $f, 'HTML filter should remove style tags.');
    // Some tags make CSRF attacks easier, let the user take the risk herself.
    $f = (string) $filter->process('<img />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('', $f, 'HTML filter should remove img tags by default.');
    $f = (string) $filter->process('<input />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('', $f, 'HTML filter should remove input tags by default.');
    // Filtering content of some attributes is infeasible, these shouldn't be
    // allowed too.
    $f = (string) $filter->process('<p style="display: none;" />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNoNormalized($f, 'style', 'HTML filter should remove style attributes.');
    $this->assertSame('<p></p>', $f);
    $f = (string) $filter->process('<p onerror="alert(0);"></p>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNoNormalized($f, 'onerror', 'HTML filter should remove on* attributes.');
    $this->assertSame('<p></p>', $f);
    $f = (string) $filter->process('<code onerror>&nbsp;</code>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNoNormalized($f, 'onerror', 'HTML filter should remove empty on* attributes.');
    $this->assertSame('<code>&nbsp;</code>', $f);
    $f = (string) $filter->process('<br>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<br>', 'HTML filter should allow line breaks.');
    $f = (string) $filter->process('<br />', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<br>', 'HTML filter should allow self-closing line breaks.');
    // All attributes of allowed tags are stripped by default.
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<a>link</a>', 'HTML filter should remove attributes that are not explicitly allowed.');
    // Now allow the "llama" attribute on <a>.
    $filter->setConfiguration([
        'settings' => [
            'allowed_html' => '<a href llama> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
            'filter_html_help' => 1,
            'filter_html_nofollow' => 0,
        ],
    ]);
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<a llama="awesome">link</a>', 'HTML filter keeps explicitly allowed attributes, and removes attributes that are not explicitly allowed.');
    // Restrict the allowed "llama" attribute on <a> to only allow the value
    // "majestical", or "epic".
    $filter->setConfiguration([
        'settings' => [
            'allowed_html' => '<a href llama="majestical epic"> <em> <strong> <cite> <blockquote> <code> <ul> <ol> <li> <dl> <dt> <dd> <br>',
            'filter_html_help' => 1,
            'filter_html_nofollow' => 0,
        ],
    ]);
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('<a>link</a>', $f, 'HTML filter removes allowed attributes that do not have an explicitly allowed value.');
    $f = (string) $filter->process('<a kitten="cute" llama="majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('<a llama="majestical">link</a>', $f, 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<a>link</a>', 'HTML filter removes allowed attributes that have a not explicitly allowed value.');
    $f = (string) $filter->process('<a href="/beautiful-animals" kitten="cute" llama="epic majestical">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertSame('<a href="/beautiful-animals" llama="epic majestical">link</a>', $f, 'HTML filter keeps explicitly allowed attributes with an attribute value that is also explicitly allowed.');
    // Allow iframes and check that the subsequent tags are parsed correctly.
    $filter->setConfiguration([
        'settings' => [
            'allowed_html' => '<iframe> <a href llama>',
            'filter_html_help' => 1,
            'filter_html_nofollow' => 0,
        ],
    ]);
    $f = (string) $filter->process('<a kitten="cute" llama="awesome">link</a>', Language::LANGCODE_NOT_SPECIFIED);
    $this->assertNormalized($f, '<a llama="awesome">link</a>');
}

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.