class CommonXssUnitTest
Tests for check_plain(), filter_xss(), format_string(), and check_url().
Hierarchy
- class \DrupalTestCase
- class \DrupalUnitTestCase extends \DrupalTestCase
- class \CommonXssUnitTest extends \DrupalUnitTestCase
- class \DrupalUnitTestCase extends \DrupalTestCase
Expanded class hierarchy of CommonXssUnitTest
File
- modules/simpletest/tests/common.test, line 489
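class CommonXssUnitTest extends DrupalUnitTestCase {

  /**
   * Describes this test case to the SimpleTest runner.
   *
   * @return array
   *   An associative array with the 'name', 'description' and 'group' keys
   *   that the test listing UI displays.
   */
  public static function getInfo() {
    return array(
      'name' => 'String filtering tests',
      'description' => 'Confirm that check_plain(), filter_xss(), format_string() and check_url() work correctly, including invalid multi-byte sequences.',
      'group' => 'System',
    );
  }

  /**
   * Check that invalid multi-byte sequences are rejected.
   *
   * Non-string scalars (NULL, FALSE) must be treated as an empty string, and
   * any byte sequence that is not valid UTF-8 must be rejected outright
   * (empty result) rather than partially escaped: a truncated multi-byte lead
   * byte such as "\xC0" could otherwise swallow a following quote or bracket
   * and let markup through the escaping layer.
   */
  public function testInvalidMultiByte() {
    // Ignore PHP 8.0+ null deprecations.
    $text = check_plain(NULL);
    $this->assertEqual($text, '', 'check_plain() casts null to string');
    $text = check_plain(FALSE);
    $this->assertEqual($text, '', 'check_plain() casts boolean to string');
    $text = filter_xss(NULL);
    $this->assertEqual($text, '', 'filter_xss() casts null to string');
    $text = filter_xss(FALSE);
    $this->assertEqual($text, '', 'filter_xss() casts boolean to string');

    // Ignore PHP 5.3+ invalid multibyte sequence warning. The suppression is
    // deliberate here: the warning is the documented side effect of feeding
    // malformed UTF-8 to the escaping functions, and the assertion below is
    // what verifies the behaviour that matters (an empty result).
    $text = @check_plain("Foo\xc0barbaz");
    $this->assertEqual($text, '', 'check_plain() rejects invalid sequence "Foo\\xC0barbaz"');
    // A dangling lead byte immediately followed by a quote must not be
    // "repaired" into a string that still contains the quote.
    $text = @check_plain("\xc2\"");
    $this->assertEqual($text, '', 'check_plain() rejects invalid sequence "\\xc2\\""');
    $text = check_plain("Fooÿñ");
    $this->assertEqual($text, "Fooÿñ", 'check_plain() accepts valid sequence "Fooÿñ"');

    $text = filter_xss("Foo\xc0barbaz");
    $this->assertEqual($text, '', 'filter_xss() rejects invalid sequence "Foo\\xC0barbaz"');
    $text = filter_xss("Fooÿñ");
    $this->assertEqual($text, "Fooÿñ", 'filter_xss() accepts valid sequence Fooÿñ');
  }

  /**
   * Check that special characters are escaped.
   *
   * The expected values are the HTML-entity-encoded forms of the input. An
   * assertion that expected the raw characters back would only pass if
   * check_plain() performed no escaping at all, so each reserved character
   * (<, >, &, double quote, single quote) is pinned to its entity.
   */
  public function testEscaping() {
    $text = check_plain("<script>");
    $this->assertEqual($text, '&lt;script&gt;', 'check_plain() escapes <script>');
    $text = check_plain('<>&"\'');
    $this->assertEqual($text, '&lt;&gt;&amp;&quot;&#039;', 'check_plain() escapes reserved HTML characters.');
  }

  /**
   * Test t() and format_string() replacement functionality.
   *
   * Both functions share the same placeholder contract and are exercised
   * with identical inputs:
   * - '@value' is replaced and HTML-escaped;
   * - '%value' is replaced, escaped and wrapped in the placeholder theme
   *   markup;
   * - '!value' is inserted verbatim, so the caller is responsible for
   *   having made it safe already.
   */
  public function testFormatStringAndT() {
    $functions = array(
      'format_string',
      't',
    );
    foreach ($functions as $function) {
      $text = $function('Simple text');
      $this->assertEqual($text, 'Simple text', $function . ' leaves simple text alone.');

      $text = $function('Escaped text: @value', array(
        '@value' => '<script>',
      ));
      $this->assertEqual($text, 'Escaped text: &lt;script&gt;', $function . ' replaces and escapes string.');

      $text = $function('Placeholder text: %value', array(
        '%value' => '<script>',
      ));
      $this->assertEqual($text, 'Placeholder text: <em class="placeholder">&lt;script&gt;</em>', $function . ' replaces, escapes and themes string.');

      // The '!' prefix is the only one that does not escape; the result must
      // contain the raw markup unchanged.
      $text = $function('Verbatim text: !value', array(
        '!value' => '<script>',
      ));
      $this->assertEqual($text, 'Verbatim text: <script>', $function . ' replaces verbatim string as-is.');
    }
  }

  /**
   * Check that harmful protocols are stripped.
   *
   * check_url() is expected to both strip the dangerous scheme and encode the
   * result for an HTML attribute context (so '&' becomes '&amp;'), while
   * drupal_strip_dangerous_protocols() only strips and returns plain text.
   * Schemes on the allow-list (mailto, ftp, sftp, ssh, news, telnet, irc,
   * webcal, rtsp, tel) must pass through untouched; an unknown scheme is
   * removed, leaving the remainder of the string.
   */
  public function testBadProtocolStripping() {
    // Ensure that check_url() strips out harmful protocols, and encodes for
    // HTML.
    $url = 'javascript:http://www.example.com/?x=1&y=2';
    $expected_html = 'http://www.example.com/?x=1&amp;y=2';
    $this->assertIdentical(check_url($url), $expected_html, 'check_url() filters a URL and encodes it for HTML.');

    // Ensure that drupal_strip_dangerous_protocols() can be used to return a
    // plain-text string stripped of harmful protocols.
    $data = array(
      'javascript:http://www.example.com/?x=1&y=2' => 'http://www.example.com/?x=1&y=2',
      'foo://disallowed.com' => '//disallowed.com',
      'http://example.com' => 'http://example.com',
      'https://example.com' => 'https://example.com',
      'www.example.com' => 'www.example.com',
      'mailto:person2@example.com' => 'mailto:person2@example.com',
      'person2@example.com' => 'person2@example.com',
      'ftp://example.com' => 'ftp://example.com',
      'sftp://secure.host' => 'sftp://secure.host',
      'ssh://odd.geek' => 'ssh://odd.geek',
      'news://example.net' => 'news://example.net',
      'telnet://example' => 'telnet://example',
      'irc://example.host' => 'irc://example.host',
      'webcal://calendar' => 'webcal://calendar',
      'rtsp://127.0.0.1' => 'rtsp://127.0.0.1',
      'tel:111111111' => 'tel:111111111',
    );
    foreach ($data as $url => $expected_plain) {
      $this->assertIdentical(drupal_strip_dangerous_protocols($url), $expected_plain, 'drupal_strip_dangerous_protocols() filters a URL and returns plain text.');
    }
  }

}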
Members
Title Sort descending | Modifiers | Object type | Summary | Overriden Title | Overrides |
---|---|---|---|---|---|
CommonXssUnitTest::getInfo | public static | function | |||
CommonXssUnitTest::testBadProtocolStripping | function | Check that harmful protocols are stripped. | |||
CommonXssUnitTest::testEscaping | function | Check that special characters are escaped. | |||
CommonXssUnitTest::testFormatStringAndT | function | Test t() and format_string() replacement functionality. | |||
CommonXssUnitTest::testInvalidMultiByte | function | Check that invalid multi-byte sequences are rejected. | |||
DrupalTestCase::$assertions | protected | property | Assertions thrown in that test case. | ||
DrupalTestCase::$databasePrefix | protected | property | The database prefix of this test run. | ||
DrupalTestCase::$originalFileDirectory | protected | property | The original file directory, before it was changed for testing purposes. | ||
DrupalTestCase::$originalLanguage | protected | property | The original language. | ||
DrupalTestCase::$originalLanguageDefault | protected | property | The original default language. | ||
DrupalTestCase::$originalTheme | protected | property | The original theme. | ||
DrupalTestCase::$originalThemeKey | protected | property | The original theme key. | ||
DrupalTestCase::$originalThemePath | protected | property | The original theme path. | ||
DrupalTestCase::$results | public | property | Current results of this test case. | ||
DrupalTestCase::$setup | protected | property | Flag to indicate whether the test has been set up. | ||
DrupalTestCase::$setupDatabasePrefix | protected | property | |||
DrupalTestCase::$setupEnvironment | protected | property | |||
DrupalTestCase::$skipClasses | protected | property | This class is skipped when looking for the source of an assertion. | ||
DrupalTestCase::$testId | protected | property | The test run ID. | ||
DrupalTestCase::$timeLimit | protected | property | Time limit for the test. | ||
DrupalTestCase::$useSetupInstallationCache | public | property | Whether to cache the installation part of the setUp() method. | ||
DrupalTestCase::$useSetupModulesCache | public | property | Whether to cache the modules installation part of the setUp() method. | ||
DrupalTestCase::$verboseDirectoryUrl | protected | property | URL to the verbose output file directory. | ||
DrupalTestCase::assert | protected | function | Internal helper: stores the assert. | ||
DrupalTestCase::assertEqual | protected | function | Check to see if two values are equal. | ||
DrupalTestCase::assertFalse | protected | function | Check to see if a value is false (an empty string, 0, NULL, or FALSE). | ||
DrupalTestCase::assertIdentical | protected | function | Check to see if two values are identical. | ||
DrupalTestCase::assertNotEqual | protected | function | Check to see if two values are not equal. | ||
DrupalTestCase::assertNotIdentical | protected | function | Check to see if two values are not identical. | ||
DrupalTestCase::assertNotNull | protected | function | Check to see if a value is not NULL. | ||
DrupalTestCase::assertNull | protected | function | Check to see if a value is NULL. | ||
DrupalTestCase::assertTrue | protected | function | Check to see if a value is not false (not an empty string, 0, NULL, or FALSE). | ||
DrupalTestCase::deleteAssert | public static | function | Delete an assertion record by message ID. | ||
DrupalTestCase::error | protected | function | Fire an error assertion. | 1 | |
DrupalTestCase::errorHandler | public | function | Handle errors during test runs. | 1 | |
DrupalTestCase::exceptionHandler | protected | function | Handle exceptions. | ||
DrupalTestCase::fail | protected | function | Fire an assertion that is always negative. | ||
DrupalTestCase::generatePermutations | public static | function | Converts a list of possible parameters into a stack of permutations. | ||
DrupalTestCase::getAssertionCall | protected | function | Cycles through backtrace until the first non-assertion method is found. | ||
DrupalTestCase::getDatabaseConnection | public static | function | Returns the database connection to the site running Simpletest. | ||
DrupalTestCase::insertAssert | public static | function | Store an assertion from outside the testing context. | ||
DrupalTestCase::pass | protected | function | Fire an assertion that is always positive. | ||
DrupalTestCase::randomName | public static | function | Generates a random string containing letters and numbers. | ||
DrupalTestCase::randomString | public static | function | Generates a random string of ASCII characters of codes 32 to 126. | ||
DrupalTestCase::run | public | function | Run all tests in this class. | ||
DrupalTestCase::verbose | protected | function | Logs a verbose message in a text file. | ||
DrupalUnitTestCase::setUp | protected | function | Sets up unit test environment. | 10 | |
DrupalUnitTestCase::tearDown | protected | function | 1 | ||
DrupalUnitTestCase::__construct | function | Constructor for DrupalUnitTestCase. | Overrides DrupalTestCase::__construct |