opdavies/drupalcampbristol
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Move into nested docroot

Browse source
This commit is contained in:
Rob Davies 2017-02-13 15:31:17 +00:00
parent 83a0d3a149
commit c8b70abde9
13405 changed files with 0 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

34
web/core/modules/editor/tests/editor_private_test/config/install/editor.editor.private_images.yml Normal file
View file

@ -0,0 +1,34 @@
format: private_images
status: true
langcode: en
editor: ckeditor
settings:
toolbar:
rows:
-
-
name: Media
items:
- DrupalImage
-
name: Tools
items:
- Source
plugins:
language:
language_list: un
stylescombo:
styles: ''
image_upload:
status: true
scheme: private
directory: ''
max_size: ''
max_dimensions:
width: null
height: null
dependencies:
config:
- filter.format.private_images
module:
- ckeditor

23
web/core/modules/editor/tests/editor_private_test/config/install/filter.format.private_images.yml Normal file
View file

@ -0,0 +1,23 @@
format: private_images
name: 'Private images'
status: true
langcode: en
filters:
editor_file_reference:
id: editor_file_reference
provider: editor
status: true
weight: 0
settings: { }
filter_html:
id: filter_html
provider: filter
status: false
weight: -10
settings:
allowed_html: '<img src alt data-entity-type data-entity-uuid>'
filter_html_help: true
filter_html_nofollow: false
dependencies:
module:
- editor

9
web/core/modules/editor/tests/editor_private_test/editor_private_test.info.yml Normal file
View file

@ -0,0 +1,9 @@
name: 'Text Editor Private test'
type: module
description: 'Support module for the Text Editor Private module tests.'
core: 8.x
package: Testing
version: VERSION
dependencies:
- filter
- ckeditor

17
web/core/modules/editor/tests/modules/config/schema/editor_test.schema.yml Normal file
View file

@ -0,0 +1,17 @@
# Schema for the configuration files of the Editor test module.
editor.settings.unicorn:
type: mapping
label: 'Unicorn settings'
mapping:
ponies_too:
type: boolean
label: 'Ponies too'
editor.settings.trex:
type: mapping
label: 'T-Rex settings'
mapping:
stumpy_arms:
type: boolean
label: 'Stumpy arms'

6
web/core/modules/editor/tests/modules/editor_test.info.yml Normal file
View file

@ -0,0 +1,6 @@
name: 'Text Editor test'
type: module
description: 'Support module for the Text Editor module tests.'
core: 8.x
package: Testing
version: VERSION

8
web/core/modules/editor/tests/modules/editor_test.libraries.yml Normal file
View file

@ -0,0 +1,8 @@
unicorn:
version: VERSION
js:
unicorn.js: {}
trex:
version: VERSION
js:
trex.js: {}

46
web/core/modules/editor/tests/modules/editor_test.module Normal file
View file

@ -0,0 +1,46 @@
<?php
/**
* @file
* Helper module for the Text Editor tests.
*/
use Drupal\filter\FilterFormatInterface;
/**
* Implements hook_editor_js_settings_alter().
*/
function editor_test_editor_js_settings_alter(&$settings) {
// Allow tests to enable or disable this alter hook.
if (!\Drupal::state()->get('editor_test_js_settings_alter_enabled', FALSE)) {
return;
}
if (isset($settings['editor']['formats']['full_html'])) {
$settings['editor']['formats']['full_html']['editorSettings']['ponyModeEnabled'] = FALSE;
}
}
/**
* Implements hook_editor_xss_filter_alter().
*/
function editor_test_editor_xss_filter_alter(&$editor_xss_filter_class, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL) {
// Allow tests to enable or disable this alter hook.
if (!\Drupal::state()->get('editor_test_editor_xss_filter_alter_enabled', FALSE)) {
return;
}
$filters = $format->filters()->getAll();
if (isset($filters['filter_html']) && $filters['filter_html']->status) {
$editor_xss_filter_class = '\Drupal\editor_test\EditorXssFilter\Insecure';
}
}
/**
* Implements hook_editor_info_alter().
*/
function editor_test_editor_info_alter(&$items) {
if (!\Drupal::state()->get('editor_test_give_me_a_trex_thanks', FALSE)) {
unset($items['trex']);
}
}

21
web/core/modules/editor/tests/modules/src/EditorXssFilter/Insecure.php Normal file
View file

@ -0,0 +1,21 @@
<?php
namespace Drupal\editor_test\EditorXssFilter;
use Drupal\filter\FilterFormatInterface;
use Drupal\editor\EditorXssFilterInterface;
/**
* Defines an insecure text editor XSS filter (for testing purposes).
*/
class Insecure implements EditorXssFilterInterface {
/**
* {@inheritdoc}
*/
public static function filterXss($html, FilterFormatInterface $format, FilterFormatInterface $original_format = NULL) {
// Don't apply any XSS filtering, just return the string we received.
return $html;
}
}

65
web/core/modules/editor/tests/modules/src/Plugin/Editor/TRexEditor.php Normal file
View file

@ -0,0 +1,65 @@
<?php
namespace Drupal\editor_test\Plugin\Editor;
use Drupal\Core\Form\FormStateInterface;
use Drupal\editor\Entity\Editor;
use Drupal\editor\Plugin\EditorBase;
/**
* Defines a Tyrannosaurus-Rex powered text editor for testing purposes.
*
* @Editor(
* id = "trex",
* label = @Translation("TRex Editor"),
* supports_content_filtering = TRUE,
* supports_inline_editing = TRUE,
* is_xss_safe = FALSE,
* supported_element_types = {
* "textarea",
* }
* )
*/
class TRexEditor extends EditorBase {
/**
* {@inheritdoc}
*/
public function getDefaultSettings() {
return array('stumpy_arms' => TRUE);
}
/**
* {@inheritdoc}
*/
public function settingsForm(array $form, FormStateInterface $form_state, Editor $editor) {
$form['stumpy_arms'] = array(
'#title' => t('Stumpy arms'),
'#type' => 'checkbox',
'#default_value' => TRUE,
);
return $form;
}
/**
* {@inheritdoc}
*/
public function getJSSettings(Editor $editor) {
$js_settings = array();
$settings = $editor->getSettings();
if ($settings['stumpy_arms']) {
$js_settings['doMyArmsLookStumpy'] = TRUE;
}
return $js_settings;
}
/**
* {@inheritdoc}
*/
public function getLibraries(Editor $editor) {
return array(
'editor_test/trex',
);
}
}

66
web/core/modules/editor/tests/modules/src/Plugin/Editor/UnicornEditor.php Normal file
View file

@ -0,0 +1,66 @@
<?php
namespace Drupal\editor_test\Plugin\Editor;
use Drupal\Core\Form\FormStateInterface;
use Drupal\editor\Entity\Editor;
use Drupal\editor\Plugin\EditorBase;
/**
* Defines a Unicorn-powered text editor for Drupal (for testing purposes).
*
* @Editor(
* id = "unicorn",
* label = @Translation("Unicorn Editor"),
* supports_content_filtering = TRUE,
* supports_inline_editing = TRUE,
* is_xss_safe = FALSE,
* supported_element_types = {
* "textarea",
* "textfield",
* }
* )
*/
class UnicornEditor extends EditorBase {
/**
* {@inheritdoc}
*/
function getDefaultSettings() {
return array('ponies_too' => TRUE);
}
/**
* {@inheritdoc}
*/
function settingsForm(array $form, FormStateInterface $form_state, Editor $editor) {
$form['ponies_too'] = array(
'#title' => t('Pony mode'),
'#type' => 'checkbox',
'#default_value' => TRUE,
);
return $form;
}
/**
* {@inheritdoc}
*/
function getJSSettings(Editor $editor) {
$js_settings = array();
$settings = $editor->getSettings();
if ($settings['ponies_too']) {
$js_settings['ponyModeEnabled'] = TRUE;
}
return $js_settings;
}
/**
* {@inheritdoc}
*/
public function getLibraries(Editor $editor) {
return array(
'editor_test/unicorn',
);
}
}

123
web/core/modules/editor/tests/src/Kernel/EditorFileReferenceFilterTest.php Normal file
View file

@ -0,0 +1,123 @@
<?php
namespace Drupal\Tests\editor\Kernel;
use Drupal\Core\Cache\Cache;
use Drupal\file\Entity\File;
use Drupal\filter\FilterPluginCollection;
use Drupal\KernelTests\KernelTestBase;
/**
* Tests Editor module's file reference filter.
*
* @group editor
*/
class EditorFileReferenceFilterTest extends KernelTestBase {
/**
* Modules to enable.
*
* @var array
*/
public static $modules = array('system', 'filter', 'editor', 'field', 'file', 'user');
/**
* @var \Drupal\filter\Plugin\FilterInterface[]
*/
protected $filters;
/**
* {@inheritdoc}
*/
protected function setUp() {
parent::setUp();
$this->installConfig(array('system'));
$this->installEntitySchema('file');
$this->installSchema('file', array('file_usage'));
$manager = $this->container->get('plugin.manager.filter');
$bag = new FilterPluginCollection($manager, array());
$this->filters = $bag->getAll();
}
/**
* Tests the editor file reference filter.
*/
function testEditorFileReferenceFilter() {
$filter = $this->filters['editor_file_reference'];
$test = function($input) use ($filter) {
return $filter->process($input, 'und');
};
file_put_contents('public://llama.jpg', $this->randomMachineName());
$image = File::create(['uri' => 'public://llama.jpg']);
$image->save();
$id = $image->id();
$uuid = $image->uuid();
$cache_tag = ['file:' . $id];
file_put_contents('public://alpaca.jpg', $this->randomMachineName());
$image_2 = File::create(['uri' => 'public://alpaca.jpg']);
$image_2->save();
$id_2 = $image_2->id();
$uuid_2 = $image_2->uuid();
$cache_tag_2 = ['file:' . $id_2];
$this->pass('No data-entity-type and no data-entity-uuid attribute.');
$input = '<img src="llama.jpg" />';
$output = $test($input);
$this->assertIdentical($input, $output->getProcessedText());
$this->pass('A non-file data-entity-type attribute value.');
$input = '<img src="llama.jpg" data-entity-type="invalid-entity-type-value" data-entity-uuid="' . $uuid . '" />';
$output = $test($input);
$this->assertIdentical($input, $output->getProcessedText());
$this->pass('One data-entity-uuid attribute.');
$input = '<img src="llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$expected_output = '<img src="/' . $this->siteDirectory . '/files/llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$output = $test($input);
$this->assertIdentical($expected_output, $output->getProcessedText());
$this->assertEqual($cache_tag, $output->getCacheTags());
$this->pass('One data-entity-uuid attribute with odd capitalization.');
$input = '<img src="llama.jpg" data-entity-type="file" DATA-entity-UUID = "' . $uuid . '" />';
$expected_output = '<img src="/' . $this->siteDirectory . '/files/llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$output = $test($input);
$this->assertIdentical($expected_output, $output->getProcessedText());
$this->assertEqual($cache_tag, $output->getCacheTags());
$this->pass('One data-entity-uuid attribute on a non-image tag.');
$input = '<video src="llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$expected_output = '<video src="/' . $this->siteDirectory . '/files/llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '"></video>';
$output = $test($input);
$this->assertIdentical($expected_output, $output->getProcessedText());
$this->assertEqual($cache_tag, $output->getCacheTags());
$this->pass('One data-entity-uuid attribute with an invalid value.');
$input = '<img src="llama.jpg" data-entity-type="file" data-entity-uuid="invalid-' . $uuid . '" />';
$output = $test($input);
$this->assertIdentical($input, $output->getProcessedText());
$this->assertEqual(array(), $output->getCacheTags());
$this->pass('Two different data-entity-uuid attributes.');
$input = '<img src="llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$input .= '<img src="alpaca.jpg" data-entity-type="file" data-entity-uuid="' . $uuid_2 . '" />';
$expected_output = '<img src="/' . $this->siteDirectory . '/files/llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$expected_output .= '<img src="/' . $this->siteDirectory . '/files/alpaca.jpg" data-entity-type="file" data-entity-uuid="' . $uuid_2 . '" />';
$output = $test($input);
$this->assertIdentical($expected_output, $output->getProcessedText());
$this->assertEqual(Cache::mergeTags($cache_tag, $cache_tag_2), $output->getCacheTags());
$this->pass('Two identical data-entity-uuid attributes.');
$input = '<img src="llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$input .= '<img src="llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$expected_output = '<img src="/' . $this->siteDirectory . '/files/llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$expected_output .= '<img src="/' . $this->siteDirectory . '/files/llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';
$output = $test($input);
$this->assertIdentical($expected_output, $output->getProcessedText());
$this->assertEqual($cache_tag, $output->getCacheTags());
}
}

209
web/core/modules/editor/tests/src/Kernel/EditorFileUsageTest.php Normal file
View file

@ -0,0 +1,209 @@
<?php
namespace Drupal\Tests\editor\Kernel;
use Drupal\editor\Entity\Editor;
use Drupal\KernelTests\Core\Entity\EntityKernelTestBase;
use Drupal\node\Entity\Node;
use Drupal\node\Entity\NodeType;
use Drupal\file\Entity\File;
use Drupal\field\Entity\FieldStorageConfig;
use Drupal\Core\Field\FieldStorageDefinitionInterface;
use Drupal\filter\Entity\FilterFormat;
/**
* Tests tracking of file usage by the Text Editor module.
*
* @group editor
*/
class EditorFileUsageTest extends EntityKernelTestBase {
/**
* Modules to enable.
*
* @var array
*/
public static $modules = array('editor', 'editor_test', 'node', 'file');
protected function setUp() {
parent::setUp();
$this->installEntitySchema('file');
$this->installSchema('node', array('node_access'));
$this->installSchema('file', array('file_usage'));
$this->installConfig(['node']);
// Add text formats.
$filtered_html_format = FilterFormat::create(array(
'format' => 'filtered_html',
'name' => 'Filtered HTML',
'weight' => 0,
'filters' => array(),
));
$filtered_html_format->save();
// Set cardinality for body field.
FieldStorageConfig::loadByName('node', 'body')
->setCardinality(FieldStorageDefinitionInterface::CARDINALITY_UNLIMITED)
->save();
// Set up text editor.
$editor = Editor::create([
'format' => 'filtered_html',
'editor' => 'unicorn',
]);
$editor->save();
// Create a node type for testing.
$type = NodeType::create(['type' => 'page', 'name' => 'page']);
$type->save();
node_add_body_field($type);
}
/**
* Tests the configurable text editor manager.
*/
public function testEditorEntityHooks() {
$image_paths = array(
0 => 'core/misc/druplicon.png',
1 => 'core/misc/tree.png',
2 => 'core/misc/help.png',
);
$image_entities = array();
foreach ($image_paths as $key => $image_path) {
$image = File::create();
$image->setFileUri($image_path);
$image->setFilename(drupal_basename($image->getFileUri()));
$image->save();
$file_usage = $this->container->get('file.usage');
$this->assertIdentical(array(), $file_usage->listUsage($image), 'The image ' . $image_paths[$key] . ' has zero usages.');
$image_entities[] = $image;
}
$body = array();
foreach ($image_entities as $key => $image_entity) {
// Don't be rude, say hello.
$body_value = '<p>Hello, world!</p>';
// Test handling of a valid image entry.
$body_value .= '<img src="awesome-llama-' . $key . '.jpg" data-entity-type="file" data-entity-uuid="' . $image_entity->uuid() . '" />';
// Test handling of an invalid data-entity-uuid attribute.
$body_value .= '<img src="awesome-llama-' . $key . '.jpg" data-entity-type="file" data-entity-uuid="invalid-entity-uuid-value" />';
// Test handling of an invalid data-entity-type attribute.
$body_value .= '<img src="awesome-llama-' . $key . '.jpg" data-entity-type="invalid-entity-type-value" data-entity-uuid="' . $image_entity->uuid() . '" />';
// Test handling of a non-existing UUID.
$body_value .= '<img src="awesome-llama-' . $key . '.jpg" data-entity-type="file" data-entity-uuid="30aac704-ba2c-40fc-b609-9ed121aa90f4" />';
$body[] = array(
'value' => $body_value,
'format' => 'filtered_html',
);
}
// Test editor_entity_insert(): increment.
$this->createUser();
$node = $node = Node::create([
'type' => 'page',
'title' => 'test',
'body' => $body,
'uid' => 1,
]);
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '1'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 1 usage.');
}
// Test editor_entity_update(): increment, twice, by creating new revisions.
$node->setNewRevision(TRUE);
$node->save();
$second_revision_id = $node->getRevisionId();
$node->setNewRevision(TRUE);
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '3'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
}
// Test hook_entity_update(): decrement, by modifying the last revision:
// remove the data-entity-type attribute from the body field.
$original_values = array();
for ($i = 0; $i < count($image_entities); $i++) {
$original_value = $node->body[$i]->value;
$new_value = str_replace('data-entity-type', 'data-entity-type-modified', $original_value);
$node->body[$i]->value = $new_value;
$original_values[$i] = $original_value;
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Test editor_entity_update(): increment again by creating a new revision:
// read the data- attributes to the body field.
$node->setNewRevision(TRUE);
foreach ($original_values as $key => $original_value) {
$node->body[$key]->value = $original_value;
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '3'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
}
// Test hook_entity_update(): decrement, by modifying the last revision:
// remove the data-entity-uuid attribute from the body field.
foreach ($original_values as $key => $original_value) {
$original_value = $node->body[$key]->value;
$new_value = str_replace('data-entity-type', 'data-entity-type-modified', $original_value);
$node->body[$key]->value = $new_value;
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Test hook_entity_update(): increment, by modifying the last revision:
// read the data- attributes to the body field.
foreach ($original_values as $key => $original_value) {
$node->body[$key]->value = $original_value;
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '3'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
}
// Test editor_entity_revision_delete(): decrement, by deleting a revision.
entity_revision_delete('node', $second_revision_id);
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Populate both the body and summary. Because this will be the same
// revision of the same node, it will record only one usage.
foreach ($original_values as $key => $original_value) {
$node->body[$key]->value = $original_value;
$node->body[$key]->summary = $original_value;
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Empty out the body value, but keep the summary. The number of usages
// should not change.
foreach ($original_values as $key => $original_value) {
$node->body[$key]->value = '';
$node->body[$key]->summary = $original_value;
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Test editor_entity_delete().
$node->delete();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array(), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has zero usages again.');
}
}
}

56
web/core/modules/editor/tests/src/Kernel/EditorFilterIntegrationTest.php Normal file
View file

@ -0,0 +1,56 @@
<?php
namespace Drupal\Tests\editor\Kernel;
use Drupal\Component\Utility\Unicode;
use Drupal\editor\Entity\Editor;
use Drupal\filter\Entity\FilterFormat;
use Drupal\KernelTests\KernelTestBase;
/**
* Tests integration with filter module.
*
* @group editor
*/
class EditorFilterIntegrationTest extends KernelTestBase {
/**
* {@inheritdoc}
*/
public static $modules = ['filter', 'editor', 'editor_test'];
/**
* Tests text format removal or disabling.
*/
public function testTextFormatIntegration() {
// Create an arbitrary text format.
$format = FilterFormat::create([
'format' => Unicode::strtolower($this->randomMachineName()),
'name' => $this->randomString(),
]);
$format->save();
// Create a paired editor.
Editor::create(['format' => $format->id(), 'editor' => 'unicorn'])->save();
// Disable the text format.
$format->disable()->save();
// The paired editor should be disabled too.
$this->assertFalse(Editor::load($format->id())->status());
// Re-enable the text format.
$format->enable()->save();
// The paired editor should be enabled too.
$this->assertTrue(Editor::load($format->id())->status());
// Completely remove the text format. Usually this cannot occur via UI, but
// can be triggered from API.
$format->delete();
// The paired editor should be removed.
$this->assertNull(Editor::load($format->id()));
}
}

122
web/core/modules/editor/tests/src/Kernel/EditorImageDialogTest.php Normal file
View file

@ -0,0 +1,122 @@
<?php
namespace Drupal\Tests\editor\Kernel;
use Drupal\Core\Form\FormState;
use Drupal\editor\Entity\Editor;
use Drupal\editor\Form\EditorImageDialog;
use Drupal\filter\Entity\FilterFormat;
use Drupal\KernelTests\Core\Entity\EntityKernelTestBase;
use Drupal\node\Entity\NodeType;
/**
* Tests EditorImageDialog validation and conversion functionality.
*
* @group editor
*/
class EditorImageDialogTest extends EntityKernelTestBase {
/**
* Text editor config entity for testing.
*
* @var \Drupal\editor\EditorInterface
*/
protected $editor;
/**
* Modules to enable.
*
* @var array
*/
public static $modules = ['node', 'file', 'editor', 'editor_test', 'user', 'system'];
/**
* Sets up the test.
*/
protected function setUp() {
parent::setUp();
$this->installEntitySchema('file');
$this->installSchema('system', ['key_value_expire']);
$this->installSchema('node', array('node_access'));
$this->installSchema('file', array('file_usage'));
$this->installConfig(['node']);
// Add text formats.
$format = FilterFormat::create([
'format' => 'filtered_html',
'name' => 'Filtered HTML',
'weight' => 0,
'filters' => [
'filter_align' => ['status' => TRUE],
'filter_caption' => ['status' => TRUE],
],
]);
$format->save();
// Set up text editor.
$editor = Editor::create([
'format' => 'filtered_html',
'editor' => 'unicorn',
'image_upload' => [
'max_size' => 100,
'scheme' => 'public',
'directory' => '',
'status' => TRUE,
],
]);
$editor->save();
$this->editor = $editor;
// Create a node type for testing.
$type = NodeType::create(['type' => 'page', 'name' => 'page']);
$type->save();
node_add_body_field($type);
$this->installEntitySchema('user');
\Drupal::service('router.builder')->rebuild();
}
/**
* Tests that editor image dialog works as expected.
*/
public function testEditorImageDialog() {
$input = [
'editor_object' => [
'src' => '/sites/default/files/inline-images/somefile.png',
'alt' => 'fda',
'width' => '',
'height' => '',
'data-entity-type' => 'file',
'data-entity-uuid' => 'some-uuid',
'data-align' => 'none',
'hasCaption' => 'false',
],
'dialogOptions' => [
'title' => 'Edit Image',
'dialogClass' => 'editor-image-dialog',
'autoResize' => 'true',
],
'_drupal_ajax' => '1',
'ajax_page_state' => [
'theme' => 'bartik',
'theme_token' => 'some-token',
'libraries' => '',
],
];
$form_state = (new FormState())
->setRequestMethod('POST')
->setUserInput($input)
->addBuildInfo('args', [$this->editor]);
$form_builder = $this->container->get('form_builder');
$form_object = new EditorImageDialog(\Drupal::entityManager()->getStorage('file'));
$form_id = $form_builder->getFormId($form_object, $form_state);
$form = $form_builder->retrieveForm($form_id, $form_state);
$form_builder->prepareForm($form_id, $form, $form_state);
$form_builder->processForm($form_id, $form, $form_state);
// Assert these two values are present and we don't get the 'not-this'
// default back.
$this->assertEqual(FALSE, $form_state->getValue(['attributes', 'hasCaption'], 'not-this'));
}
}

111
web/core/modules/editor/tests/src/Kernel/EditorManagerTest.php Normal file
View file

@ -0,0 +1,111 @@
<?php
namespace Drupal\Tests\editor\Kernel;
use Drupal\editor\Entity\Editor;
use Drupal\filter\Entity\FilterFormat;
use Drupal\KernelTests\KernelTestBase;
/**
* Tests detection of text editors and correct generation of attachments.
*
* @group editor
*/
class EditorManagerTest extends KernelTestBase {
/**
* Modules to enable.
*
* @var array
*/
public static $modules = array('system', 'user', 'filter', 'editor');
/**
* The manager for text editor plugins.
*
* @var \Drupal\Component\Plugin\PluginManagerInterface
*/
protected $editorManager;
protected function setUp() {
parent::setUp();
// Install the Filter module.
// Add text formats.
$filtered_html_format = FilterFormat::create(array(
'format' => 'filtered_html',
'name' => 'Filtered HTML',
'weight' => 0,
'filters' => array(),
));
$filtered_html_format->save();
$full_html_format = FilterFormat::create(array(
'format' => 'full_html',
'name' => 'Full HTML',
'weight' => 1,
'filters' => array(),
));
$full_html_format->save();
}
/**
* Tests the configurable text editor manager.
*/
public function testManager() {
$this->editorManager = $this->container->get('plugin.manager.editor');
// Case 1: no text editor available:
// - listOptions() should return an empty list of options
// - getAttachments() should return an empty #attachments array (and not
// a JS settings structure that is empty)
$this->assertIdentical(array(), $this->editorManager->listOptions(), 'When no text editor is enabled, the manager works correctly.');
$this->assertIdentical(array(), $this->editorManager->getAttachments(array()), 'No attachments when no text editor is enabled and retrieving attachments for zero text formats.');
$this->assertIdentical(array(), $this->editorManager->getAttachments(array('filtered_html', 'full_html')), 'No attachments when no text editor is enabled and retrieving attachments for multiple text formats.');
// Enable the Text Editor Test module, which has the Unicorn Editor and
// clear the editor manager's cache so it is picked up.
$this->enableModules(array('editor_test'));
$this->editorManager = $this->container->get('plugin.manager.editor');
$this->editorManager->clearCachedDefinitions();
// Case 2: a text editor available.
$this->assertIdentical('Unicorn Editor', (string) $this->editorManager->listOptions()['unicorn'], 'When some text editor is enabled, the manager works correctly.');
// Case 3: a text editor available & associated (but associated only with
// the 'Full HTML' text format).
$unicorn_plugin = $this->editorManager->createInstance('unicorn');
$editor = Editor::create([
'format' => 'full_html',
'editor' => 'unicorn',
]);
$editor->save();
$this->assertIdentical(array(), $this->editorManager->getAttachments(array()), 'No attachments when one text editor is enabled and retrieving attachments for zero text formats.');
$expected = array(
'library' => array(
0 => 'editor_test/unicorn',
),
'drupalSettings' => [
'editor' => [
'formats' => [
'full_html' => [
'format' => 'full_html',
'editor' => 'unicorn',
'editorSettings' => $unicorn_plugin->getJSSettings($editor),
'editorSupportsContentFiltering' => TRUE,
'isXssSafe' => FALSE,
],
],
],
],
);
$this->assertIdentical($expected, $this->editorManager->getAttachments(array('filtered_html', 'full_html')), 'Correct attachments when one text editor is enabled and retrieving attachments for multiple text formats.');
// Case 4: a text editor available associated, but now with its JS settings
// being altered via hook_editor_js_settings_alter().
\Drupal::state()->set('editor_test_js_settings_alter_enabled', TRUE);
$expected['drupalSettings']['editor']['formats']['full_html']['editorSettings']['ponyModeEnabled'] = FALSE;
$this->assertIdentical($expected, $this->editorManager->getAttachments(array('filtered_html', 'full_html')), 'hook_editor_js_settings_alter() works correctly.');
}
}

240
web/core/modules/editor/tests/src/Kernel/QuickEditIntegrationTest.php Normal file
View file

@ -0,0 +1,240 @@
<?php
namespace Drupal\Tests\editor\Kernel;
use Drupal\Component\Serialization\Json;
use Drupal\Core\EventSubscriber\AjaxResponseSubscriber;
use Drupal\Core\Language\LanguageInterface;
use Drupal\editor\Entity\Editor;
use Drupal\entity_test\Entity\EntityTest;
use Drupal\quickedit\MetadataGenerator;
use Drupal\Tests\quickedit\Kernel\QuickEditTestBase;
use Drupal\quickedit_test\MockEditEntityFieldAccessCheck;
use Drupal\editor\EditorController;
use Symfony\Component\HttpFoundation\Request;
use Symfony\Component\HttpKernel\Event\FilterResponseEvent;
use Symfony\Component\HttpKernel\HttpKernelInterface;
use Drupal\filter\Entity\FilterFormat;
/**
* Tests Edit module integration (Editor module's inline editing support).
*
* @group editor
*/
class QuickEditIntegrationTest extends QuickEditTestBase {
/**
* {@inheritdoc}
*/
public static $modules = array('editor', 'editor_test');
/**
* The manager for editor plug-ins.
*
* @var \Drupal\Component\Plugin\PluginManagerInterface
*/
protected $editorManager;
/**
* The metadata generator object to be tested.
*
* @var \Drupal\quickedit\MetadataGeneratorInterface.php
*/
protected $metadataGenerator;
/**
* The editor selector object to be used by the metadata generator object.
*
* @var \Drupal\quickedit\EditorSelectorInterface
*/
protected $editorSelector;
/**
* The access checker object to be used by the metadata generator object.
*
* @var \Drupal\quickedit\Access\EditEntityFieldAccessCheckInterface
*/
protected $accessChecker;
/**
* The name of the field ued for tests.
*
* @var string
*/
protected $fieldName;
protected function setUp() {
parent::setUp();
// Install the Filter module.
// Create a field.
$this->fieldName = 'field_textarea';
$this->createFieldWithStorage(
$this->fieldName, 'text', 1, 'Long text field',
// Instance settings.
array(),
// Widget type & settings.
'text_textarea',
array('size' => 42),
// 'default' formatter type & settings.
'text_default',
array()
);
// Create text format.
$full_html_format = FilterFormat::create(array(
'format' => 'full_html',
'name' => 'Full HTML',
'weight' => 1,
'filters' => array(),
));
$full_html_format->save();
// Associate text editor with text format.
$editor = Editor::create([
'format' => $full_html_format->id(),
'editor' => 'unicorn',
]);
$editor->save();
// Also create a text format without an associated text editor.
FilterFormat::create(array(
'format' => 'no_editor',
'name' => 'No Text Editor',
'weight' => 2,
'filters' => array(),
))->save();
}
/**
* Returns the in-place editor that quickedit selects.
*
* @param int $entity_id
* An entity ID.
* @param string $field_name
* A field name.
* @param string $view_mode
* A view mode.
*
* @return string
* Returns the selected in-place editor.
*/
protected function getSelectedEditor($entity_id, $field_name, $view_mode = 'default') {
$storage = $this->container->get('entity_type.manager')->getStorage('entity_test');
$storage->resetCache([$entity_id]);
$entity = $storage->load($entity_id);
$items = $entity->get($field_name);
$options = entity_get_display('entity_test', 'entity_test', $view_mode)->getComponent($field_name);
return $this->editorSelector->getEditor($options['type'], $items);
}
/**
* Tests editor selection when the Editor module is present.
*
* Tests a textual field, with text filtering, with cardinality 1 and >1,
* always with a ProcessedTextEditor plug-in present, but with varying text
* format compatibility.
*/
public function testEditorSelection() {
$this->editorManager = $this->container->get('plugin.manager.quickedit.editor');
$this->editorSelector = $this->container->get('quickedit.editor.selector');
// Create an entity with values for this text field.
$entity = EntityTest::create();
$entity->{$this->fieldName}->value = 'Hello, world!';
$entity->{$this->fieldName}->format = 'filtered_html';
$entity->save();
// Editor selection w/ cardinality 1, text format w/o associated text editor.
$this->assertEqual('form', $this->getSelectedEditor($entity->id(), $this->fieldName), "With cardinality 1, and the filtered_html text format, the 'form' editor is selected.");
// Editor selection w/ cardinality 1, text format w/ associated text editor.
$entity->{$this->fieldName}->format = 'full_html';
$entity->save();
$this->assertEqual('editor', $this->getSelectedEditor($entity->id(), $this->fieldName), "With cardinality 1, and the full_html text format, the 'editor' editor is selected.");
// Editor selection with text processing, cardinality >1
$this->fields->field_textarea_field_storage->setCardinality(2);
$this->fields->field_textarea_field_storage->save();
$this->assertEqual('form', $this->getSelectedEditor($entity->id(), $this->fieldName), "With cardinality >1, and both items using the full_html text format, the 'form' editor is selected.");
}
/**
* Tests (custom) metadata when the formatted text editor is used.
*/
public function testMetadata() {
$this->editorManager = $this->container->get('plugin.manager.quickedit.editor');
$this->accessChecker = new MockEditEntityFieldAccessCheck();
$this->editorSelector = $this->container->get('quickedit.editor.selector');
$this->metadataGenerator = new MetadataGenerator($this->accessChecker, $this->editorSelector, $this->editorManager);
// Create an entity with values for the field.
$entity = EntityTest::create();
$entity->{$this->fieldName}->value = 'Test';
$entity->{$this->fieldName}->format = 'full_html';
$entity->save();
$entity = EntityTest::load($entity->id());
// Verify metadata.
$items = $entity->get($this->fieldName);
$metadata = $this->metadataGenerator->generateFieldMetadata($items, 'default');
$expected = array(
'access' => TRUE,
'label' => 'Long text field',
'editor' => 'editor',
'custom' => array(
'format' => 'full_html',
'formatHasTransformations' => FALSE,
),
);
$this->assertEqual($expected, $metadata, 'The correct metadata (including custom metadata) is generated.');
}
/**
* Tests in-place editor attachments when the Editor module is present.
*/
public function testAttachments() {
$this->editorSelector = $this->container->get('quickedit.editor.selector');
$editors = array('editor');
$attachments = $this->editorSelector->getEditorAttachments($editors);
$this->assertIdentical($attachments, array('library' => array('editor/quickedit.inPlaceEditor.formattedText')), "Expected attachments for Editor module's in-place editor found.");
}
/**
* Tests GetUntransformedTextCommand AJAX command.
*/
public function testGetUntransformedTextCommand() {
// Create an entity with values for the field.
$entity = EntityTest::create();
$entity->{$this->fieldName}->value = 'Test';
$entity->{$this->fieldName}->format = 'full_html';
$entity->save();
$entity = EntityTest::load($entity->id());
// Verify AJAX response.
$controller = new EditorController();
$request = new Request();
$response = $controller->getUntransformedText($entity, $this->fieldName, LanguageInterface::LANGCODE_DEFAULT, 'default');
$expected = array(
array(
'command' => 'editorGetUntransformedText',
'data' => 'Test',
)
);
$ajax_response_attachments_processor = \Drupal::service('ajax_response.attachments_processor');
$subscriber = new AjaxResponseSubscriber($ajax_response_attachments_processor);
$event = new FilterResponseEvent(
\Drupal::service('http_kernel'),
$request,
HttpKernelInterface::MASTER_REQUEST,
$response
);
$subscriber->onResponse($event);
$this->assertEqual(Json::encode($expected), $response->getContent(), 'The GetUntransformedTextCommand AJAX command works correctly.');
}
}

133
web/core/modules/editor/tests/src/Unit/EditorConfigEntityUnitTest.php Normal file
View file

@ -0,0 +1,133 @@
<?php
namespace Drupal\Tests\editor\Unit;
use Drupal\Core\DependencyInjection\ContainerBuilder;
use Drupal\editor\Entity\Editor;
use Drupal\Tests\UnitTestCase;
/**
* @coversDefaultClass \Drupal\editor\Entity\Editor
* @group editor
*/
class EditorConfigEntityUnitTest extends UnitTestCase {
/**
* The entity type used for testing.
*
* @var \Drupal\Core\Entity\EntityTypeInterface|\PHPUnit_Framework_MockObject_MockObject
*/
protected $entityType;
/**
* The entity manager used for testing.
*
* @var \Drupal\Core\Entity\EntityManagerInterface|\PHPUnit_Framework_MockObject_MockObject
*/
protected $entityManager;
/**
* The ID of the type of the entity under test.
*
* @var string
*/
protected $entityTypeId;
/**
* The UUID generator used for testing.
*
* @var \Drupal\Component\Uuid\UuidInterface|\PHPUnit_Framework_MockObject_MockObject
*/
protected $uuid;
/**
* The editor plugin manager used for testing.
*
* @var \Drupal\editor\Plugin\EditorManager|\PHPUnit_Framework_MockObject_MockObject
*/
protected $editorPluginManager;
/**
* Editor plugin ID.
*
* @var string
*/
protected $editorId;
/**
* {@inheritdoc}
*/
protected function setUp() {
$this->editorId = $this->randomMachineName();
$this->entityTypeId = $this->randomMachineName();
$this->entityType = $this->getMock('\Drupal\Core\Entity\EntityTypeInterface');
$this->entityType->expects($this->any())
->method('getProvider')
->will($this->returnValue('editor'));
$this->entityManager = $this->getMock('\Drupal\Core\Entity\EntityManagerInterface');
$this->entityManager->expects($this->any())
->method('getDefinition')
->with($this->entityTypeId)
->will($this->returnValue($this->entityType));
$this->uuid = $this->getMock('\Drupal\Component\Uuid\UuidInterface');
$this->editorPluginManager = $this->getMockBuilder('Drupal\editor\Plugin\EditorManager')
->disableOriginalConstructor()
->getMock();
$container = new ContainerBuilder();
$container->set('entity.manager', $this->entityManager);
$container->set('uuid', $this->uuid);
$container->set('plugin.manager.editor', $this->editorPluginManager);
\Drupal::setContainer($container);
}
/**
* @covers ::calculateDependencies
*/
public function testCalculateDependencies() {
$format_id = 'filter.format.test';
$values = array('editor' => $this->editorId, 'format' => $format_id);
$plugin = $this->getMockBuilder('Drupal\editor\Plugin\EditorPluginInterface')
->disableOriginalConstructor()
->getMock();
$plugin->expects($this->once())
->method('getPluginDefinition')
->will($this->returnValue(array('provider' => 'test_module')));
$plugin->expects($this->once())
->method('getDefaultSettings')
->will($this->returnValue(array()));
$this->editorPluginManager->expects($this->any())
->method('createInstance')
->with($this->editorId)
->will($this->returnValue($plugin));
$entity = new Editor($values, $this->entityTypeId);
$filter_format = $this->getMock('Drupal\Core\Config\Entity\ConfigEntityInterface');
$filter_format->expects($this->once())
->method('getConfigDependencyName')
->will($this->returnValue('filter.format.test'));
$storage = $this->getMock('Drupal\Core\Entity\EntityStorageInterface');
$storage->expects($this->once())
->method('load')
->with($format_id)
->will($this->returnValue($filter_format));
$this->entityManager->expects($this->once())
->method('getStorage')
->with('filter_format')
->will($this->returnValue($storage));
$dependencies = $entity->calculateDependencies()->getDependencies();
$this->assertContains('test_module', $dependencies['module']);
$this->assertContains('filter.format.test', $dependencies['config']);
}
}

599
web/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php Normal file
View file

@ -0,0 +1,599 @@
<?php
namespace Drupal\Tests\editor\Unit\EditorXssFilter;
use Drupal\editor\EditorXssFilter\Standard;
use Drupal\Tests\UnitTestCase;
use Drupal\filter\Plugin\FilterInterface;
/**
* @coversDefaultClass \Drupal\editor\EditorXssFilter\Standard
* @group editor
*/
class StandardTest extends UnitTestCase {
/**
* The mocked text format configuration entity.
*
* @var \Drupal\filter\Entity\FilterFormat|\PHPUnit_Framework_MockObject_MockObject
*/
protected $format;
protected function setUp() {
// Mock text format configuration entity object.
$this->format = $this->getMockBuilder('\Drupal\filter\Entity\FilterFormat')
->disableOriginalConstructor()
->getMock();
$this->format->expects($this->any())
->method('getFilterTypes')
->will($this->returnValue(array(FilterInterface::TYPE_HTML_RESTRICTOR)));
$restrictions = array(
'allowed' => array(
'p' => TRUE,
'a' => TRUE,
'*' => array(
'style' => FALSE,
'on*' => FALSE,
),
),
);
$this->format->expects($this->any())
->method('getHtmlRestrictions')
->will($this->returnValue($restrictions));
}
/**
* Provides test data for testFilterXss().
*
* @see \Drupal\Tests\editor\Unit\editor\EditorXssFilter\StandardTest::testFilterXss()
*/
public function providerTestFilterXss() {
$data = array();
$data[] = array('<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>');
$data[] = array('<p style="color:red">Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>');
$data[] = array('<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><script>alert("evil");</script>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>alert("evil");');
$data[] = array('<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><a href="javascript:alert(1)">test</a>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><a href="alert(1)">test</a>');
// All cases listed on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
// No Filter Evasion.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_Filter_Evasion
$data[] = array('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>', '');
// Image XSS using the JavaScript directive.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Image_XSS_using_the_JavaScript_directive
$data[] = array('<IMG SRC="javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
// No quotes and no semicolon.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_quotes_and_no_semicolon
$data[] = array('<IMG SRC=javascript:alert(\'XSS\')>', '<IMG>');
// Case insensitive XSS attack vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Case_insensitive_XSS_attack_vector
$data[] = array('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>', '<IMG>');
// HTML entities.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML_entities
$data[] = array('<IMG SRC=javascript:alert("XSS")>', '<IMG>');
// Grave accent obfuscation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Grave_accent_obfuscation
$data[] = array('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>', '<IMG>');
// Malformed A tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Malformed_A_tags
$data[] = array('<a onmouseover="alert(document.cookie)">xxs link</a>', '<a>xxs link</a>');
$data[] = array('<a onmouseover=alert(document.cookie)>xxs link</a>', '<a>xxs link</a>');
// Malformed IMG tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Malformed_IMG_tags
$data[] = array('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', '<IMG>alert("XSS")"&gt;');
// fromCharCode.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#fromCharCode
$data[] = array('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>', '<IMG src="alert(String.fromCharCode(88,83,83))">');
// Default SRC tag to get past filters that check SRC domain.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_to_get_past_filters_that_check_SRC_domain
$data[] = array('<IMG SRC=# onmouseover="alert(\'xxs\')">', '<IMG src="#">');
// Default SRC tag by leaving it empty.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_empty
$data[] = array('<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG nmouseover="alert(&#039;xxs&#039;)">');
// Default SRC tag by leaving it out entirely.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_out_entirely
$data[] = array('<IMG onmouseover="alert(\'xxs\')">', '<IMG>');
// Decimal HTML character references.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Decimal_HTML_character_references
$data[] = array('<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>', '<IMG src="alert(&#039;XSS&#039;)">');
// Decimal HTML character references without trailing semicolons.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Decimal_HTML_character_references_without_trailing_semicolons
$data[] = array('<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>', '<IMG src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041">');
// Hexadecimal HTML character references without trailing semicolons.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Hexadecimal_HTML_character_references_without_trailing_semicolons
$data[] = array('<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>', '<IMG src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29">');
// Embedded tab.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_tab
$data[] = array('<IMG SRC="jav ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
// Embedded Encoded tab.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_Encoded_tab
$data[] = array('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
// Embedded newline to break up XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_newline_to_break_up_XSS
$data[] = array('<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
// Embedded carriage return to break up XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_carriage_return_to_break_up_XSS
$data[] = array('<IMG SRC="jav&#x0D;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
// Null breaks up JavaScript directive.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Null_breaks_up_JavaScript_directive
$data[] = array("<IMG SRC=java\0script:alert(\"XSS\")>", '<IMG>');
// Spaces and meta chars before the JavaScript in images for XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Spaces_and_meta_chars_before_the_JavaScript_in_images_for_XSS
// @fixme This dataset currently fails under 5.4 because of
// https://www.drupal.org/node/1210798. Restore after it's fixed.
if (version_compare(PHP_VERSION, '5.4.0', '<')) {
$data[] = array('<IMG SRC=" &#14; javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
}
// Non-alpha-non-digit XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Non-alpha-non-digit_XSS
$data[] = array('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '');
$data[] = array('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>', '<BODY>');
$data[] = array('<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '');
// Extraneous open brackets.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Extraneous_open_brackets
$data[] = array('<<SCRIPT>alert("XSS");//<</SCRIPT>', '&lt;alert("XSS");//&lt;');
// No closing script tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_closing_script_tags
$data[] = array('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >', '');
// Protocol resolution in script tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Protocol_resolution_in_script_tags
$data[] = array('<SCRIPT SRC=//ha.ckers.org/.j>', '');
// Half open HTML/JavaScript XSS vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Half_open_HTML.2FJavaScript_XSS_vector
$data[] = array('<IMG SRC="javascript:alert(\'XSS\')"', '<IMG src="alert(&#039;XSS&#039;)">');
// Double open angle brackets.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Double_open_angle_brackets
// @see http://ha.ckers.org/blog/20060611/hotbot-xss-vulnerability/ to
// understand why this is a vulnerability.
$data[] = array('<iframe src=http://ha.ckers.org/scriptlet.html <', '<iframe src="http://ha.ckers.org/scriptlet.html">');
// Escaping JavaScript escapes.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Escaping_JavaScript_escapes
// This one is irrelevant for Drupal; we *never* output any JavaScript code
// that depends on the URL's query string.
// End title tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#End_title_tag
$data[] = array('</TITLE><SCRIPT>alert("XSS");</SCRIPT>', '</TITLE>alert("XSS");');
// INPUT image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#INPUT_image
$data[] = array('<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">', '<INPUT type="IMAGE" src="alert(&#039;XSS&#039;);">');
// BODY image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_image
$data[] = array('<BODY BACKGROUND="javascript:alert(\'XSS\')">', '<BODY background="alert(&#039;XSS&#039;)">');
// IMG Dynsrc.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_Dynsrc
$data[] = array('<IMG DYNSRC="javascript:alert(\'XSS\')">', '<IMG dynsrc="alert(&#039;XSS&#039;)">');
// IMG lowsrc.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_lowsrc
$data[] = array('<IMG LOWSRC="javascript:alert(\'XSS\')">', '<IMG lowsrc="alert(&#039;XSS&#039;)">');
// List-style-image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#List-style-image
$data[] = array('<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS</br>', 'li {list-style-image: url("javascript:alert(\'XSS\')");}<UL><LI>XSS</br>');
// VBscript in an image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#VBscript_in_an_image
$data[] = array('<IMG SRC=\'vbscript:msgbox("XSS")\'>', '<IMG src=\'msgbox(&quot;XSS&quot;)\'>');
// Livescript (older versions of Netscape only).
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Livescript_.28older_versions_of_Netscape_only.29
$data[] = array('<IMG SRC="livescript:[code]">', '<IMG src="[code]">');
// BODY tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_tag
$data[] = array('<BODY ONLOAD=alert(\'XSS\')>', '<BODY>');
// Event handlers.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers
$events = array(
'onAbort',
'onActivate',
'onAfterPrint',
'onAfterUpdate',
'onBeforeActivate',
'onBeforeCopy',
'onBeforeCut',
'onBeforeDeactivate',
'onBeforeEditFocus',
'onBeforePaste',
'onBeforePrint',
'onBeforeUnload',
'onBeforeUpdate',
'onBegin',
'onBlur',
'onBounce',
'onCellChange',
'onChange',
'onClick',
'onContextMenu',
'onControlSelect',
'onCopy',
'onCut',
'onDataAvailable',
'onDataSetChanged',
'onDataSetComplete',
'onDblClick',
'onDeactivate',
'onDrag',
'onDragEnd',
'onDragLeave',
'onDragEnter',
'onDragOver',
'onDragDrop',
'onDragStart',
'onDrop',
'onEnd',
'onError',
'onErrorUpdate',
'onFilterChange',
'onFinish',
'onFocus',
'onFocusIn',
'onFocusOut',
'onHashChange',
'onHelp',
'onInput',
'onKeyDown',
'onKeyPress',
'onKeyUp',
'onLayoutComplete',
'onLoad',
'onLoseCapture',
'onMediaComplete',
'onMediaError',
'onMessage',
'onMousedown',
'onMouseEnter',
'onMouseLeave',
'onMouseMove',
'onMouseOut',
'onMouseOver',
'onMouseUp',
'onMouseWheel',
'onMove',
'onMoveEnd',
'onMoveStart',
'onOffline',
'onOnline',
'onOutOfSync',
'onPaste',
'onPause',
'onPopState',
'onProgress',
'onPropertyChange',
'onReadyStateChange',
'onRedo',
'onRepeat',
'onReset',
'onResize',
'onResizeEnd',
'onResizeStart',
'onResume',
'onReverse',
'onRowsEnter',
'onRowExit',
'onRowDelete',
'onRowInserted',
'onScroll',
'onSeek',
'onSelect',
'onSelectionChange',
'onSelectStart',
'onStart',
'onStop',
'onStorage',
'onSyncRestored',
'onSubmit',
'onTimeError',
'onTrackChange',
'onUndo',
'onUnload',
'onURLFlip',
);
foreach ($events as $event) {
$data[] = array('<p ' . $event . '="javascript:alert(\'XSS\');">Dangerous llama!</p>', '<p>Dangerous llama!</p>');
}
// BGSOUND.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BGSOUND
$data[] = array('<BGSOUND SRC="javascript:alert(\'XSS\');">', '<BGSOUND src="alert(&#039;XSS&#039;);">');
// & JavaScript includes.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes
$data[] = array('<BR SIZE="&{alert(\'XSS\')}">', '<BR size="">');
// STYLE sheet.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_sheet
$data[] = array('<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">', '');
// Remote style sheet.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet
$data[] = array('<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">', '');
// Remote style sheet part 2.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_2
$data[] = array('<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>', '@import\'http://ha.ckers.org/xss.css\';');
// Remote style sheet part 3.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_3
$data[] = array('<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">', '<META http-equiv="Link">; REL=stylesheet"&gt;');
// Remote style sheet part 4.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_4
$data[] = array('<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>', 'BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}');
// STYLE tags with broken up JavaScript for XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tags_with_broken_up_JavaScript_for_XSS
$data[] = array('<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>', '@im\port\'\ja\vasc\ript:alert("XSS")\';');
// STYLE attribute using a comment to break up expression.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_attribute_using_a_comment_to_break_up_expression
$data[] = array('<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">', '<IMG>');
// IMG STYLE with expression.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_STYLE_with_expression
$data[] = array('exp/*<A STYLE=\'no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
// STYLE tag (Older versions of Netscape only).
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_.28Older_versions_of_Netscape_only.29
$data[] = array('<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>', 'alert(\'XSS\');');
// STYLE tag using background-image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background-image
$data[] = array('<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>', '.XSS{background-image:url("javascript:alert(\'XSS\')");}<A class="XSS"></A>');
// STYLE tag using background.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background
$data[] = array('<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>', 'BODY{background:url("javascript:alert(\'XSS\')")}');
// Anonymous HTML with STYLE attribute.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Anonymous_HTML_with_STYLE_attribute
$data[] = array('<XSS STYLE="xss:expression(alert(\'XSS\'))">', '<XSS>');
// Local htc file.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Local_htc_file
$data[] = array('<XSS STYLE="behavior: url(xss.htc);">', '<XSS>');
// US-ASCII encoding.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding
// This one is irrelevant for Drupal; Drupal *always* outputs UTF-8.
// META.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META
$data[] = array('<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">', '<META http-equiv="refresh" content="alert(&#039;XSS&#039;);">');
// META using data.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META_using_data
$data[] = array('<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', '<META http-equiv="refresh" content="text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">');
// META with additional URL parameter
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META
$data[] = array('<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">', '<META http-equiv="refresh" content="//;URL=javascript:alert(&#039;XSS&#039;);">');
// IFRAME.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME
$data[] = array('<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>', '<IFRAME src="alert(&#039;XSS&#039;);"></IFRAME>');
// IFRAME Event based.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME_Event_based
$data[] = array('<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>', '<IFRAME src="#"></IFRAME>');
// FRAME.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#FRAME
$data[] = array('<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>', '<FRAMESET><FRAME src="alert(&#039;XSS&#039;);"></FRAMESET>');
// TABLE.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE
$data[] = array('<TABLE BACKGROUND="javascript:alert(\'XSS\')">', '<TABLE background="alert(&#039;XSS&#039;)">');
// TD.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TD
$data[] = array('<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">', '<TABLE><TD background="alert(&#039;XSS&#039;)">');
// DIV background-image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image
$data[] = array('<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">', '<DIV>');
// DIV background-image with unicoded XSS exploit.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_with_unicoded_XSS_exploit
$data[] = array('<DIV STYLE="background-image:\0075\0072\006C\0028\'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029\'\0029">', '<DIV>');
// DIV background-image plus extra characters.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_plus_extra_characters
$data[] = array('<DIV STYLE="background-image: url(&#1;javascript:alert(\'XSS\'))">', '<DIV>');
// DIV expression.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_expression
$data[] = array('<DIV STYLE="width: expression(alert(\'XSS\'));">', '<DIV>');
// Downlevel-Hidden block.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Downlevel-Hidden_block
$data[] = array('<!--[if gte IE 4]>
<SCRIPT>alert(\'XSS\');</SCRIPT>
<![endif]-->', "\n alert('XSS');\n ");
// BASE tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BASE_tag
$data[] = array('<BASE HREF="javascript:alert(\'XSS\');//">', '<BASE href="alert(&#039;XSS&#039;);//">');
// OBJECT tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#OBJECT_tag
$data[] = array('<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>', '');
// Using an EMBED tag you can embed a Flash movie that contains XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Using_an_EMBED_tag_you_can_embed_a_Flash_movie_that_contains_XSS
$data[] = array('<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>', '');
// You can EMBED SVG which can contain your XSS vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector
$data[] = array('<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', '');
// XML data island with CDATA obfuscation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XML_data_island_with_CDATA_obfuscation
$data[] = array('<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>', '<XML id="xss"><I><B><IMG>cript:alert(\'XSS\')"&gt;</B></I></XML><SPAN datasrc="#xss" datafld="B" dataformatas="HTML"></SPAN>');
// Locally hosted XML with embedded JavaScript that is generated using an XML data island.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Locally_hosted_XML_with_embedded_JavaScript_that_is_generated_using_an_XML_data_island
// This one is irrelevant for Drupal; Drupal disallows XML uploads by
// default.
// HTML+TIME in XML.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML.2BTIME_in_XML
$data[] = array('<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">', '&lt;?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"&gt;&lt;?import namespace="t" implementation="#default#time2"&gt;<t set attributename="innerHTML">alert("XSS")"&gt;');
// Assuming you can only fit in a few characters and it filters against ".js".
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Assuming_you_can_only_fit_in_a_few_characters_and_it_filters_against_.22.js.22
$data[] = array('<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>', '');
// IMG Embedded commands.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_Embedded_commands
// This one is irrelevant for Drupal; this is actually a CSRF, for which
// Drupal has CSRF protection. See https://www.drupal.org/node/178896.
// Cookie manipulation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Cookie_manipulation
$data[] = array('<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">', '<META http-equiv="Set-Cookie">alert(\'XSS\')"&gt;');
// UTF-7 encoding.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#UTF-7_encoding
// This one is irrelevant for Drupal; Drupal *always* outputs UTF-8.
// XSS using HTML quote encapsulation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_using_HTML_quote_encapsulation
$data[] = array('<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" \'\' SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '\'" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '` SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '\'&gt;" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>', 'document.write("<SCRI>PT SRC="http://ha.ckers.org/xss.js"&gt;');
// URL string evasion.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#URL_string_evasion
// This one is irrelevant for Drupal; Drupal doesn't forbid linking to some
// sites, it only forbids linking to any protocols other than those that are
// whitelisted.
// Test XSS filtering on data-attributes.
// @see \Drupal\editor\EditorXssFilter::filterXssDataAttributes()
// The following two test cases verify that XSS attack vectors are filtered.
$data[] = array('<img src="butterfly.jpg" data-caption="&lt;script&gt;alert();&lt;/script&gt;" />', '<img src="butterfly.jpg" data-caption="alert();" />');
$data[] = array('<img src="butterfly.jpg" data-caption="&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;" />', '<img src="butterfly.jpg" data-caption="" />');
// When including HTML-tags as visible content, they are double-escaped.
// This test case ensures that we leave that content unchanged.
$data[] = array('<img src="butterfly.jpg" data-caption="&amp;lt;script&amp;gt;alert();&amp;lt;/script&amp;gt;" />', '<img src="butterfly.jpg" data-caption="&amp;lt;script&amp;gt;alert();&amp;lt;/script&amp;gt;" />');
return $data;
}
/**
* Tests the method for filtering XSS.
*
* @param string $input
* The input.
* @param string $expected_output
* The expected output.
*
* @dataProvider providerTestFilterXss
*/
public function testFilterXss($input, $expected_output) {
$output = Standard::filterXss($input, $this->format);
$this->assertSame($expected_output, $output);
}
/**
* Tests removing disallowed tags and XSS prevention.
*
* \Drupal\Component\Utility\Xss::filter() has the ability to run in blacklist
* mode, in which it still applies the exact same filtering, with one
* exception: it no longer works with a list of allowed tags, but with a list
* of disallowed tags.
*
* @param string $value
* The value to filter.
* @param string $expected
* The string that is expected to be missing.
* @param string $message
* The assertion message to display upon failure.
* @param array $disallowed_tags
* (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
*
* @dataProvider providerTestBlackListMode
*/
public function testBlacklistMode($value, $expected, $message, array $disallowed_tags) {
$value = Standard::filter($value, $disallowed_tags);
$this->assertSame($expected, $value, $message);
}
/**
* Data provider for testBlacklistMode().
*
* @see testBlacklistMode()
*
* @return array
* An array of arrays containing the following elements:
* - The value to filter.
* - The value to expect after filtering.
* - The assertion message.
* - (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
*/
public function providerTestBlackListMode() {
return array(
array(
'<unknown style="visibility:hidden">Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'<unknown>Pink Fairy Armadillo</unknown><video src="gerenuk.mp4">alert(0)',
'Disallow only the script tag',
array('script')
),
array(
'<unknown style="visibility:hidden">Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'<unknown>Pink Fairy Armadillo</unknown>alert(0)',
'Disallow both the script and video tags',
array('script', 'video')
),
// No real use case for this, but it is an edge case we must ensure works.
array(
'<unknown style="visibility:hidden">Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'<unknown>Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'Disallow no tags',
array()
),
);
}
}