class CommonXssUnitTest

Tests for check_plain(), filter_xss(), format_string(), and check_url().

Hierarchy

Expanded class hierarchy of CommonXssUnitTest

File

modules/simpletest/tests/common.test, line 489

View source
class CommonXssUnitTest extends DrupalUnitTestCase {
    public static function getInfo() {
        return array(
            'name' => 'String filtering tests',
            'description' => 'Confirm that check_plain(), filter_xss(), format_string() and check_url() work correctly, including invalid multi-byte sequences.',
            'group' => 'System',
        );
    }
    
    /**
     * Check that invalid multi-byte sequences are rejected.
     */
    function testInvalidMultiByte() {
        // Ignore PHP 8.0+ null deprecations.
        $text = check_plain(NULL);
        $this->assertEqual($text, '', 'check_plain() casts null to string');
        $text = check_plain(FALSE);
        $this->assertEqual($text, '', 'check_plain() casts boolean to string');
        $text = filter_xss(NULL);
        $this->assertEqual($text, '', 'filter_xss() casts null to string');
        $text = filter_xss(FALSE);
        $this->assertEqual($text, '', 'filter_xss() casts boolean to string');
        // Ignore PHP 5.3+ invalid multibyte sequence warning.
        $text = @check_plain("Foo\xc0barbaz");
        $this->assertEqual($text, '', 'check_plain() rejects invalid sequence "Foo\\xC0barbaz"');
        // Ignore PHP 5.3+ invalid multibyte sequence warning.
        $text = @check_plain("\xc2\"");
        $this->assertEqual($text, '', 'check_plain() rejects invalid sequence "\\xc2\\""');
        $text = check_plain("Fooÿñ");
        $this->assertEqual($text, "Fooÿñ", 'check_plain() accepts valid sequence "Fooÿñ"');
        $text = filter_xss("Foo\xc0barbaz");
        $this->assertEqual($text, '', 'filter_xss() rejects invalid sequence "Foo\\xC0barbaz"');
        $text = filter_xss("Fooÿñ");
        $this->assertEqual($text, "Fooÿñ", 'filter_xss() accepts valid sequence Fooÿñ');
    }
    
    /**
     * Check that special characters are escaped.
     */
    function testEscaping() {
        $text = check_plain("<script>");
        $this->assertEqual($text, '&lt;script&gt;', 'check_plain() escapes &lt;script&gt;');
        $text = check_plain('<>&"\'');
        $this->assertEqual($text, '&lt;&gt;&amp;&quot;&#039;', 'check_plain() escapes reserved HTML characters.');
    }
    
    /**
     * Test t() and format_string() replacement functionality.
     */
    function testFormatStringAndT() {
        foreach (array(
            'format_string',
            't',
        ) as $function) {
            $text = $function('Simple text');
            $this->assertEqual($text, 'Simple text', $function . ' leaves simple text alone.');
            $text = $function('Escaped text: @value', array(
                '@value' => '<script>',
            ));
            $this->assertEqual($text, 'Escaped text: &lt;script&gt;', $function . ' replaces and escapes string.');
            $text = $function('Placeholder text: %value', array(
                '%value' => '<script>',
            ));
            $this->assertEqual($text, 'Placeholder text: <em class="placeholder">&lt;script&gt;</em>', $function . ' replaces, escapes and themes string.');
            $text = $function('Verbatim text: !value', array(
                '!value' => '<script>',
            ));
            $this->assertEqual($text, 'Verbatim text: <script>', $function . ' replaces verbatim string as-is.');
        }
    }
    
    /**
     * Check that harmful protocols are stripped.
     */
    function testBadProtocolStripping() {
        // Ensure that check_url() strips out harmful protocols, and encodes for
        // HTML.
        $url = 'javascript:http://www.example.com/?x=1&y=2';
        $expected_html = 'http://www.example.com/?x=1&amp;y=2';
        $this->assertIdentical(check_url($url), $expected_html, 'check_url() filters a URL and encodes it for HTML.');
        // Ensure that drupal_strip_dangerous_protocols() can be used to return a
        // plain-text string stripped of harmful protocols.
        $data = array(
            'javascript:http://www.example.com/?x=1&y=2' => 'http://www.example.com/?x=1&y=2',
            'foo://disallowed.com' => '//disallowed.com',
            'http://example.com' => 'http://example.com',
            'https://example.com' => 'https://example.com',
            'www.example.com' => 'www.example.com',
            'mailto:person2@example.com' => 'mailto:person2@example.com',
            'person2@example.com' => 'person2@example.com',
            'ftp://example.com' => 'ftp://example.com',
            'sftp://secure.host' => 'sftp://secure.host',
            'ssh://odd.geek' => 'ssh://odd.geek',
            'news://example.net' => 'news://example.net',
            'telnet://example' => 'telnet://example',
            'irc://example.host' => 'irc://example.host',
            'webcal://calendar' => 'webcal://calendar',
            'rtsp://127.0.0.1' => 'rtsp://127.0.0.1',
            'tel:111111111' => 'tel:111111111',
        );
        foreach ($data as $url => $expected_plain) {
            $this->assertIdentical(drupal_strip_dangerous_protocols($url), $expected_plain, 'drupal_strip_dangerous_protocols() filters a URL and returns plain text.');
        }
    }

}

Members

Title Sort descending Modifiers Object type Summary Overriden Title Overrides
CommonXssUnitTest::getInfo public static function
CommonXssUnitTest::testBadProtocolStripping function Check that harmful protocols are stripped.
CommonXssUnitTest::testEscaping function Check that special characters are escaped.
CommonXssUnitTest::testFormatStringAndT function Test t() and format_string() replacement functionality.
CommonXssUnitTest::testInvalidMultiByte function Check that invalid multi-byte sequences are rejected.
DrupalTestCase::$assertions protected property Assertions thrown in that test case.
DrupalTestCase::$databasePrefix protected property The database prefix of this test run.
DrupalTestCase::$originalFileDirectory protected property The original file directory, before it was changed for testing purposes.
DrupalTestCase::$originalLanguage protected property The original language.
DrupalTestCase::$originalLanguageDefault protected property The original default language.
DrupalTestCase::$originalTheme protected property The original theme.
DrupalTestCase::$originalThemeKey protected property The original theme key.
DrupalTestCase::$originalThemePath protected property The original theme path.
DrupalTestCase::$results public property Current results of this test case.
DrupalTestCase::$setup protected property Flag to indicate whether the test has been set up.
DrupalTestCase::$setupDatabasePrefix protected property
DrupalTestCase::$setupEnvironment protected property
DrupalTestCase::$skipClasses protected property This class is skipped when looking for the source of an assertion.
DrupalTestCase::$testId protected property The test run ID.
DrupalTestCase::$timeLimit protected property Time limit for the test.
DrupalTestCase::$useSetupInstallationCache public property Whether to cache the installation part of the setUp() method.
DrupalTestCase::$useSetupModulesCache public property Whether to cache the modules installation part of the setUp() method.
DrupalTestCase::$verboseDirectoryUrl protected property URL to the verbose output file directory.
DrupalTestCase::assert protected function Internal helper: stores the assert.
DrupalTestCase::assertEqual protected function Check to see if two values are equal.
DrupalTestCase::assertFalse protected function Check to see if a value is false (an empty string, 0, NULL, or FALSE).
DrupalTestCase::assertIdentical protected function Check to see if two values are identical.
DrupalTestCase::assertNotEqual protected function Check to see if two values are not equal.
DrupalTestCase::assertNotIdentical protected function Check to see if two values are not identical.
DrupalTestCase::assertNotNull protected function Check to see if a value is not NULL.
DrupalTestCase::assertNull protected function Check to see if a value is NULL.
DrupalTestCase::assertTrue protected function Check to see if a value is not false (not an empty string, 0, NULL, or FALSE).
DrupalTestCase::deleteAssert public static function Delete an assertion record by message ID.
DrupalTestCase::error protected function Fire an error assertion. 1
DrupalTestCase::errorHandler public function Handle errors during test runs. 1
DrupalTestCase::exceptionHandler protected function Handle exceptions.
DrupalTestCase::fail protected function Fire an assertion that is always negative.
DrupalTestCase::generatePermutations public static function Converts a list of possible parameters into a stack of permutations.
DrupalTestCase::getAssertionCall protected function Cycles through backtrace until the first non-assertion method is found.
DrupalTestCase::getDatabaseConnection public static function Returns the database connection to the site running Simpletest.
DrupalTestCase::insertAssert public static function Store an assertion from outside the testing context.
DrupalTestCase::pass protected function Fire an assertion that is always positive.
DrupalTestCase::randomName public static function Generates a random string containing letters and numbers.
DrupalTestCase::randomString public static function Generates a random string of ASCII characters of codes 32 to 126.
DrupalTestCase::run public function Run all tests in this class.
DrupalTestCase::verbose protected function Logs a verbose message in a text file.
DrupalUnitTestCase::setUp protected function Sets up unit test environment. 10
DrupalUnitTestCase::tearDown protected function 1
DrupalUnitTestCase::__construct function Constructor for DrupalUnitTestCase. Overrides DrupalTestCase::__construct

Buggy or inaccurate documentation? Please file an issue. Need support? Need help programming? Connect with the Drupal community.