opdavies/drupalcampbristol
Archived
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Update core 8.3.0

Browse source
This commit is contained in:
Rob Davies 2017-04-13 15:53:35 +01:00
parent da7a7918f8
commit cd7a898e66
6144 changed files with 132297 additions and 87747 deletions
Download patch file Download diff file Expand all files Collapse all files

12
web/core/modules/editor/tests/modules/src/Plugin/Editor/TRexEditor.php
View file

@ -26,18 +26,18 @@ class TRexEditor extends EditorBase {
* {@inheritdoc}
*/
public function getDefaultSettings() {
return array('stumpy_arms' => TRUE);
return ['stumpy_arms' => TRUE];
}
/**
* {@inheritdoc}
*/
public function settingsForm(array $form, FormStateInterface $form_state, Editor $editor) {
$form['stumpy_arms'] = array(
$form['stumpy_arms'] = [
'#title' => t('Stumpy arms'),
'#type' => 'checkbox',
'#default_value' => TRUE,
);
];
return $form;
}
@ -45,7 +45,7 @@ class TRexEditor extends EditorBase {
* {@inheritdoc}
*/
public function getJSSettings(Editor $editor) {
$js_settings = array();
$js_settings = [];
$settings = $editor->getSettings();
if ($settings['stumpy_arms']) {
$js_settings['doMyArmsLookStumpy'] = TRUE;
@ -57,9 +57,9 @@ class TRexEditor extends EditorBase {
* {@inheritdoc}
*/
public function getLibraries(Editor $editor) {
return array(
return [
'editor_test/trex',
);
];
}
}

18
web/core/modules/editor/tests/modules/src/Plugin/Editor/UnicornEditor.php
View file

@ -26,27 +26,27 @@ class UnicornEditor extends EditorBase {
/**
* {@inheritdoc}
*/
function getDefaultSettings() {
return array('ponies_too' => TRUE);
public function getDefaultSettings() {
return ['ponies_too' => TRUE];
}
/**
* {@inheritdoc}
*/
function settingsForm(array $form, FormStateInterface $form_state, Editor $editor) {
$form['ponies_too'] = array(
public function settingsForm(array $form, FormStateInterface $form_state, Editor $editor) {
$form['ponies_too'] = [
'#title' => t('Pony mode'),
'#type' => 'checkbox',
'#default_value' => TRUE,
);
];
return $form;
}
/**
* {@inheritdoc}
*/
function getJSSettings(Editor $editor) {
$js_settings = array();
public function getJSSettings(Editor $editor) {
$js_settings = [];
$settings = $editor->getSettings();
if ($settings['ponies_too']) {
$js_settings['ponyModeEnabled'] = TRUE;
@ -58,9 +58,9 @@ class UnicornEditor extends EditorBase {
* {@inheritdoc}
*/
public function getLibraries(Editor $editor) {
return array(
return [
'editor_test/unicorn',
);
];
}
}

83
web/core/modules/editor/tests/src/Functional/EditorDialogAccessTest.php Normal file
View file

@ -0,0 +1,83 @@
<?php
namespace Drupal\Tests\editor\Functional;
use Drupal\Core\Url;
use Drupal\editor\Entity\Editor;
use Drupal\Tests\BrowserTestBase;
/**
* Test access to the editor dialog forms.
*
* @group editor
*/
class EditorDialogAccessTest extends BrowserTestBase {
/**
* Modules to install.
*
* @var array
*/
public static $modules = ['editor', 'filter', 'ckeditor'];
/**
* Test access to the editor image dialog.
*/
public function testEditorImageDialogAccess() {
$url = Url::fromRoute('editor.image_dialog', ['editor' => 'plain_text']);
$session = $this->assertSession();
// With no text editor, expect a 404.
$this->drupalGet($url);
$session->statusCodeEquals(404);
// With a text editor but without image upload settings, expect a 200, but
// there should not be an input[type=file].
$editor = Editor::create([
'editor' => 'ckeditor',
'format' => 'plain_text',
'settings' => [
'toolbar' => [
'rows' => [
[
[
'name' => 'Media',
'items' => [
'DrupalImage',
],
],
],
],
],
'plugins' => [],
],
'image_upload' => [
'status' => FALSE,
'scheme' => 'public',
'directory' => 'inline-images',
'max_size' => '',
'max_dimensions' => [
'width' => 0,
'height' => 0,
],
],
]);
$editor->save();
$this->resetAll();
$this->drupalGet($url);
$this->assertTrue($this->cssSelect('input[type=text][name="attributes[src]"]'), 'Image uploads disabled: input[type=text][name="attributes[src]"] is present.');
$this->assertFalse($this->cssSelect('input[type=file]'), 'Image uploads disabled: input[type=file] is absent.');
$session->statusCodeEquals(200);
// With image upload settings, expect a 200, and now there should be an
// input[type=file].
$editor->setImageUploadSettings(['status' => TRUE] + $editor->getImageUploadSettings())
->save();
$this->resetAll();
$this->drupalGet($url);
$this->assertFalse($this->cssSelect('input[type=text][name="attributes[src]"]'), 'Image uploads enabled: input[type=text][name="attributes[src]"] is absent.');
$this->assertTrue($this->cssSelect('input[type=file]'), 'Image uploads enabled: input[type=file] is present.');
$session->statusCodeEquals(200);
}
}

134
web/core/modules/editor/tests/src/Functional/EditorPrivateFileReferenceFilterTest.php Normal file
View file

@ -0,0 +1,134 @@
<?php
namespace Drupal\Tests\editor\Functional;
use Drupal\file\Entity\File;
use Drupal\Tests\BrowserTestBase;
use Drupal\user\Entity\Role;
use Drupal\user\RoleInterface;
/**
* Tests Editor module's file reference filter with private files.
*
* @group editor
*/
class EditorPrivateFileReferenceFilterTest extends BrowserTestBase {
/**
* Modules to enable.
*
* @var array
*/
public static $modules = [
// Needed for the config: this is the only module in core that utilizes the
// functionality in editor.module to be tested, and depends on that.
'ckeditor',
// Depends on filter.module (indirectly).
'node',
// Pulls in the config we're using during testing which create a text format
// - with the filter_html_image_secure filter DISABLED,
// - with the editor set to CKEditor,
// - with drupalimage.image_upload.scheme set to 'private',
// - with drupalimage.image_upload.directory set to ''.
'editor_private_test',
];
/**
* Tests the editor file reference filter with private files.
*/
public function testEditorPrivateFileReferenceFilter() {
$author = $this->drupalCreateUser();
$this->drupalLogin($author);
// Create a content type with a body field.
$this->drupalCreateContentType(['type' => 'page', 'name' => 'Basic page']);
// Create a file in the 'private:// ' stream.
$filename = 'test.png';
$src = '/system/files/' . $filename;
/** @var \Drupal\file\FileInterface $file */
$file = File::create([
'uri' => 'private://' . $filename,
]);
$file->setTemporary();
$file->setOwner($author);
// Create the file itself.
file_put_contents($file->getFileUri(), $this->randomString());
$file->save();
// The image should be visible for its author.
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(200);
// The not-yet-permanent image should NOT be visible for anonymous.
$this->drupalLogout();
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
// Resave the file to be permanent.
$file->setPermanent();
$file->save();
// Create some nodes to ensure file usage count does not match the ID's
// of the nodes we are going to check.
for ($i = 0; $i < 5; $i++) {
$this->drupalCreateNode([
'type' => 'page',
'uid' => $author->id(),
]);
}
// Create a node with its body field properly pointing to the just-created
// file.
$published_node = $this->drupalCreateNode([
'type' => 'page',
'body' => [
'value' => '<img alt="alt" data-entity-type="file" data-entity-uuid="' . $file->uuid() . '" src="' . $src . '" />',
'format' => 'private_images',
],
'uid' => $author->id(),
]);
// Create an unpublished node with its body field properly pointing to the
// just-created file.
$unpublished_node = $this->drupalCreateNode([
'type' => 'page',
'status' => NODE_NOT_PUBLISHED,
'body' => [
'value' => '<img alt="alt" data-entity-type="file" data-entity-uuid="' . $file->uuid() . '" src="' . $src . '" />',
'format' => 'private_images',
],
'uid' => $author->id(),
]);
// Do the actual test. The image should be visible for anonymous users,
// because they can view the published node. Even though they can't view
// the unpublished node.
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(200);
$this->drupalGet($unpublished_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(200);
// When the published node is also unpublished, the image should also
// become inaccessible to anonymous users.
$published_node->setPublished(FALSE)->save();
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
// Disallow anonymous users to view the entity, which then should also
// disallow them to view the image.
$published_node->setPublished(TRUE)->save();
Role::load(RoleInterface::ANONYMOUS_ID)
->revokePermission('access content')
->save();
$this->drupalGet($published_node->toUrl());
$this->assertSession()->statusCodeEquals(403);
$this->drupalGet($src);
$this->assertSession()->statusCodeEquals(403);
}
}

12
web/core/modules/editor/tests/src/Kernel/EditorFileReferenceFilterTest.php
View file

@ -19,7 +19,7 @@ class EditorFileReferenceFilterTest extends KernelTestBase {
*
* @var array
*/
public static $modules = array('system', 'filter', 'editor', 'field', 'file', 'user');
public static $modules = ['system', 'filter', 'editor', 'field', 'file', 'user'];
/**
* @var \Drupal\filter\Plugin\FilterInterface[]
@ -31,19 +31,19 @@ class EditorFileReferenceFilterTest extends KernelTestBase {
*/
protected function setUp() {
parent::setUp();
$this->installConfig(array('system'));
$this->installConfig(['system']);
$this->installEntitySchema('file');
$this->installSchema('file', array('file_usage'));
$this->installSchema('file', ['file_usage']);
$manager = $this->container->get('plugin.manager.filter');
$bag = new FilterPluginCollection($manager, array());
$bag = new FilterPluginCollection($manager, []);
$this->filters = $bag->getAll();
}
/**
* Tests the editor file reference filter.
*/
function testEditorFileReferenceFilter() {
public function testEditorFileReferenceFilter() {
$filter = $this->filters['editor_file_reference'];
$test = function($input) use ($filter) {
@ -99,7 +99,7 @@ class EditorFileReferenceFilterTest extends KernelTestBase {
$input = '<img src="llama.jpg" data-entity-type="file" data-entity-uuid="invalid-' . $uuid . '" />';
$output = $test($input);
$this->assertIdentical($input, $output->getProcessedText());
$this->assertEqual(array(), $output->getCacheTags());
$this->assertEqual([], $output->getCacheTags());
$this->pass('Two different data-entity-uuid attributes.');
$input = '<img src="llama.jpg" data-entity-type="file" data-entity-uuid="' . $uuid . '" />';

50
web/core/modules/editor/tests/src/Kernel/EditorFileUsageTest.php
View file

@ -23,22 +23,22 @@ class EditorFileUsageTest extends EntityKernelTestBase {
*
* @var array
*/
public static $modules = array('editor', 'editor_test', 'node', 'file');
public static $modules = ['editor', 'editor_test', 'node', 'file'];
protected function setUp() {
parent::setUp();
$this->installEntitySchema('file');
$this->installSchema('node', array('node_access'));
$this->installSchema('file', array('file_usage'));
$this->installSchema('node', ['node_access']);
$this->installSchema('file', ['file_usage']);
$this->installConfig(['node']);
// Add text formats.
$filtered_html_format = FilterFormat::create(array(
$filtered_html_format = FilterFormat::create([
'format' => 'filtered_html',
'name' => 'Filtered HTML',
'weight' => 0,
'filters' => array(),
));
'filters' => [],
]);
$filtered_html_format->save();
// Set cardinality for body field.
@ -63,13 +63,13 @@ class EditorFileUsageTest extends EntityKernelTestBase {
* Tests the configurable text editor manager.
*/
public function testEditorEntityHooks() {
$image_paths = array(
$image_paths = [
0 => 'core/misc/druplicon.png',
1 => 'core/misc/tree.png',
2 => 'core/misc/help.png',
);
];
$image_entities = array();
$image_entities = [];
foreach ($image_paths as $key => $image_path) {
$image = File::create();
$image->setFileUri($image_path);
@ -77,12 +77,12 @@ class EditorFileUsageTest extends EntityKernelTestBase {
$image->save();
$file_usage = $this->container->get('file.usage');
$this->assertIdentical(array(), $file_usage->listUsage($image), 'The image ' . $image_paths[$key] . ' has zero usages.');
$this->assertIdentical([], $file_usage->listUsage($image), 'The image ' . $image_paths[$key] . ' has zero usages.');
$image_entities[] = $image;
}
$body = array();
$body = [];
foreach ($image_entities as $key => $image_entity) {
// Don't be rude, say hello.
$body_value = '<p>Hello, world!</p>';
@ -95,10 +95,10 @@ class EditorFileUsageTest extends EntityKernelTestBase {
// Test handling of a non-existing UUID.
$body_value .= '<img src="awesome-llama-' . $key . '.jpg" data-entity-type="file" data-entity-uuid="30aac704-ba2c-40fc-b609-9ed121aa90f4" />';
$body[] = array(
$body[] = [
'value' => $body_value,
'format' => 'filtered_html',
);
];
}
// Test editor_entity_insert(): increment.
@ -111,7 +111,7 @@ class EditorFileUsageTest extends EntityKernelTestBase {
]);
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '1'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 1 usage.');
$this->assertIdentical(['editor' => ['node' => [1 => '1']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 1 usage.');
}
// Test editor_entity_update(): increment, twice, by creating new revisions.
@ -121,12 +121,12 @@ class EditorFileUsageTest extends EntityKernelTestBase {
$node->setNewRevision(TRUE);
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '3'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '3']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
}
// Test hook_entity_update(): decrement, by modifying the last revision:
// remove the data-entity-type attribute from the body field.
$original_values = array();
$original_values = [];
for ($i = 0; $i < count($image_entities); $i++) {
$original_value = $node->body[$i]->value;
$new_value = str_replace('data-entity-type', 'data-entity-type-modified', $original_value);
@ -135,7 +135,7 @@ class EditorFileUsageTest extends EntityKernelTestBase {
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '2']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Test editor_entity_update(): increment again by creating a new revision:
@ -146,7 +146,7 @@ class EditorFileUsageTest extends EntityKernelTestBase {
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '3'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '3']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
}
// Test hook_entity_update(): decrement, by modifying the last revision:
@ -158,7 +158,7 @@ class EditorFileUsageTest extends EntityKernelTestBase {
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '2']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Test hook_entity_update(): increment, by modifying the last revision:
@ -168,13 +168,13 @@ class EditorFileUsageTest extends EntityKernelTestBase {
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '3'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '3']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 3 usages.');
}
// Test editor_entity_revision_delete(): decrement, by deleting a revision.
entity_revision_delete('node', $second_revision_id);
$this->container->get('entity_type.manager')->getStorage('node')->deleteRevision($second_revision_id);
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '2']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Populate both the body and summary. Because this will be the same
@ -185,7 +185,7 @@ class EditorFileUsageTest extends EntityKernelTestBase {
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '2']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Empty out the body value, but keep the summary. The number of usages
@ -196,13 +196,13 @@ class EditorFileUsageTest extends EntityKernelTestBase {
}
$node->save();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array('editor' => array('node' => array(1 => '2'))), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
$this->assertIdentical(['editor' => ['node' => [1 => '2']]], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has 2 usages.');
}
// Test editor_entity_delete().
$node->delete();
foreach ($image_entities as $key => $image_entity) {
$this->assertIdentical(array(), $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has zero usages again.');
$this->assertIdentical([], $file_usage->listUsage($image_entity), 'The image ' . $image_paths[$key] . ' has zero usages again.');
}
}

4
web/core/modules/editor/tests/src/Kernel/EditorImageDialogTest.php
View file

@ -37,8 +37,8 @@ class EditorImageDialogTest extends EntityKernelTestBase {
parent::setUp();
$this->installEntitySchema('file');
$this->installSchema('system', ['key_value_expire']);
$this->installSchema('node', array('node_access'));
$this->installSchema('file', array('file_usage'));
$this->installSchema('node', ['node_access']);
$this->installSchema('file', ['file_usage']);
$this->installConfig(['node']);
// Add text formats.

36
web/core/modules/editor/tests/src/Kernel/EditorManagerTest.php
View file

@ -18,7 +18,7 @@ class EditorManagerTest extends KernelTestBase {
*
* @var array
*/
public static $modules = array('system', 'user', 'filter', 'editor');
public static $modules = ['system', 'user', 'filter', 'editor'];
/**
* The manager for text editor plugins.
@ -33,19 +33,19 @@ class EditorManagerTest extends KernelTestBase {
// Install the Filter module.
// Add text formats.
$filtered_html_format = FilterFormat::create(array(
$filtered_html_format = FilterFormat::create([
'format' => 'filtered_html',
'name' => 'Filtered HTML',
'weight' => 0,
'filters' => array(),
));
'filters' => [],
]);
$filtered_html_format->save();
$full_html_format = FilterFormat::create(array(
$full_html_format = FilterFormat::create([
'format' => 'full_html',
'name' => 'Full HTML',
'weight' => 1,
'filters' => array(),
));
'filters' => [],
]);
$full_html_format->save();
}
@ -59,13 +59,13 @@ class EditorManagerTest extends KernelTestBase {
// - listOptions() should return an empty list of options
// - getAttachments() should return an empty #attachments array (and not
// a JS settings structure that is empty)
$this->assertIdentical(array(), $this->editorManager->listOptions(), 'When no text editor is enabled, the manager works correctly.');
$this->assertIdentical(array(), $this->editorManager->getAttachments(array()), 'No attachments when no text editor is enabled and retrieving attachments for zero text formats.');
$this->assertIdentical(array(), $this->editorManager->getAttachments(array('filtered_html', 'full_html')), 'No attachments when no text editor is enabled and retrieving attachments for multiple text formats.');
$this->assertIdentical([], $this->editorManager->listOptions(), 'When no text editor is enabled, the manager works correctly.');
$this->assertIdentical([], $this->editorManager->getAttachments([]), 'No attachments when no text editor is enabled and retrieving attachments for zero text formats.');
$this->assertIdentical([], $this->editorManager->getAttachments(['filtered_html', 'full_html']), 'No attachments when no text editor is enabled and retrieving attachments for multiple text formats.');
// Enable the Text Editor Test module, which has the Unicorn Editor and
// clear the editor manager's cache so it is picked up.
$this->enableModules(array('editor_test'));
$this->enableModules(['editor_test']);
$this->editorManager = $this->container->get('plugin.manager.editor');
$this->editorManager->clearCachedDefinitions();
@ -80,11 +80,11 @@ class EditorManagerTest extends KernelTestBase {
'editor' => 'unicorn',
]);
$editor->save();
$this->assertIdentical(array(), $this->editorManager->getAttachments(array()), 'No attachments when one text editor is enabled and retrieving attachments for zero text formats.');
$expected = array(
'library' => array(
$this->assertIdentical([], $this->editorManager->getAttachments([]), 'No attachments when one text editor is enabled and retrieving attachments for zero text formats.');
$expected = [
'library' => [
0 => 'editor_test/unicorn',
),
],
'drupalSettings' => [
'editor' => [
'formats' => [
@ -98,14 +98,14 @@ class EditorManagerTest extends KernelTestBase {
],
],
],
);
$this->assertIdentical($expected, $this->editorManager->getAttachments(array('filtered_html', 'full_html')), 'Correct attachments when one text editor is enabled and retrieving attachments for multiple text formats.');
];
$this->assertIdentical($expected, $this->editorManager->getAttachments(['filtered_html', 'full_html']), 'Correct attachments when one text editor is enabled and retrieving attachments for multiple text formats.');
// Case 4: a text editor available associated, but now with its JS settings
// being altered via hook_editor_js_settings_alter().
\Drupal::state()->set('editor_test_js_settings_alter_enabled', TRUE);
$expected['drupalSettings']['editor']['formats']['full_html']['editorSettings']['ponyModeEnabled'] = FALSE;
$this->assertIdentical($expected, $this->editorManager->getAttachments(array('filtered_html', 'full_html')), 'hook_editor_js_settings_alter() works correctly.');
$this->assertIdentical($expected, $this->editorManager->getAttachments(['filtered_html', 'full_html']), 'hook_editor_js_settings_alter() works correctly.');
}
}

40
web/core/modules/editor/tests/src/Kernel/QuickEditIntegrationTest.php
View file

@ -26,7 +26,7 @@ class QuickEditIntegrationTest extends QuickEditTestBase {
/**
* {@inheritdoc}
*/
public static $modules = array('editor', 'editor_test');
public static $modules = ['editor', 'editor_test'];
/**
* The manager for editor plug-ins.
@ -73,22 +73,22 @@ class QuickEditIntegrationTest extends QuickEditTestBase {
$this->createFieldWithStorage(
$this->fieldName, 'text', 1, 'Long text field',
// Instance settings.
array(),
[],
// Widget type & settings.
'text_textarea',
array('size' => 42),
['size' => 42],
// 'default' formatter type & settings.
'text_default',
array()
[]
);
// Create text format.
$full_html_format = FilterFormat::create(array(
$full_html_format = FilterFormat::create([
'format' => 'full_html',
'name' => 'Full HTML',
'weight' => 1,
'filters' => array(),
));
'filters' => [],
]);
$full_html_format->save();
// Associate text editor with text format.
@ -99,12 +99,12 @@ class QuickEditIntegrationTest extends QuickEditTestBase {
$editor->save();
// Also create a text format without an associated text editor.
FilterFormat::create(array(
FilterFormat::create([
'format' => 'no_editor',
'name' => 'No Text Editor',
'weight' => 2,
'filters' => array(),
))->save();
'filters' => [],
])->save();
}
/**
@ -179,15 +179,15 @@ class QuickEditIntegrationTest extends QuickEditTestBase {
// Verify metadata.
$items = $entity->get($this->fieldName);
$metadata = $this->metadataGenerator->generateFieldMetadata($items, 'default');
$expected = array(
$expected = [
'access' => TRUE,
'label' => 'Long text field',
'editor' => 'editor',
'custom' => array(
'custom' => [
'format' => 'full_html',
'formatHasTransformations' => FALSE,
),
);
],
];
$this->assertEqual($expected, $metadata, 'The correct metadata (including custom metadata) is generated.');
}
@ -197,9 +197,9 @@ class QuickEditIntegrationTest extends QuickEditTestBase {
public function testAttachments() {
$this->editorSelector = $this->container->get('quickedit.editor.selector');
$editors = array('editor');
$editors = ['editor'];
$attachments = $this->editorSelector->getEditorAttachments($editors);
$this->assertIdentical($attachments, array('library' => array('editor/quickedit.inPlaceEditor.formattedText')), "Expected attachments for Editor module's in-place editor found.");
$this->assertIdentical($attachments, ['library' => ['editor/quickedit.inPlaceEditor.formattedText']], "Expected attachments for Editor module's in-place editor found.");
}
/**
@ -217,12 +217,12 @@ class QuickEditIntegrationTest extends QuickEditTestBase {
$controller = new EditorController();
$request = new Request();
$response = $controller->getUntransformedText($entity, $this->fieldName, LanguageInterface::LANGCODE_DEFAULT, 'default');
$expected = array(
array(
$expected = [
[
'command' => 'editorGetUntransformedText',
'data' => 'Test',
)
);
]
];
$ajax_response_attachments_processor = \Drupal::service('ajax_response.attachments_processor');
$subscriber = new AjaxResponseSubscriber($ajax_response_attachments_processor);

75
web/core/modules/editor/tests/src/Unit/EditorBaseTest.php Normal file
View file

@ -0,0 +1,75 @@
<?php
namespace Drupal\Tests\editor\Unit;
use Drupal\Core\Form\FormState;
use Drupal\Core\Form\FormStateInterface;
use Drupal\editor\Entity\Editor;
use Drupal\editor\Plugin\EditorBase;
use Drupal\Tests\UnitTestCase;
/**
* @coversDefaultClass \Drupal\editor\Plugin\EditorBase
* @group editor
*/
class EditorBaseTest extends UnitTestCase {
/**
* @covers ::buildConfigurationForm
* @covers ::validateConfigurationForm
* @covers ::submitConfigurationForm
*/
public function testBc() {
$form_state = new FormState();
$form_state->set('editor', $this->prophesize(Editor::class)->reveal());
$editor_plugin = new BcEditor([], 'editor_plugin', []);
// settingsForm() is deprecated in favor of buildConfigurationForm().
$this->assertSame(
$editor_plugin->settingsForm([], clone $form_state, $this->prophesize(Editor::class)->reveal()),
$editor_plugin->buildConfigurationForm([], clone $form_state)
);
// settingsFormValidate() is deprecated in favor of
// validateConfigurationForm().
$form = [];
$form_state_a = clone $form_state;
$form_state_b = clone $form_state;
$editor_plugin->settingsFormValidate($form, $form_state_a, $this->prophesize(Editor::class)->reveal());
$editor_plugin->validateConfigurationForm($form, $form_state_b);
$this->assertEquals($form_state_a, $form_state_b);
// settingsFormSubmit() is deprecated in favor of submitConfigurationForm().
$form = [];
$form_state_a = clone $form_state;
$form_state_b = clone $form_state;
$editor_plugin->settingsFormSubmit($form, $form_state_a, $this->prophesize(Editor::class)->reveal());
$editor_plugin->submitConfigurationForm($form, $form_state_b);
$this->assertEquals($form_state_a, $form_state_b);
}
}
class BcEditor extends EditorBase {
public function settingsForm(array $form, FormStateInterface $form_state, Editor $editor) {
return ['foo' => 'bar'];
}
public function settingsFormValidate(array $form, FormStateInterface $form_state) {
$form_state->setValue('foo', 'bar');
}
public function settingsFormSubmit(array $form, FormStateInterface $form_state) {
$form_state->setValue('bar', 'baz');
}
public function getJSSettings(Editor $editor) {
return [];
}
public function getLibraries(Editor $editor) {
return [];
}
}

18
web/core/modules/editor/tests/src/Unit/EditorConfigEntityUnitTest.php
View file

@ -90,17 +90,17 @@ class EditorConfigEntityUnitTest extends UnitTestCase {
*/
public function testCalculateDependencies() {
$format_id = 'filter.format.test';
$values = array('editor' => $this->editorId, 'format' => $format_id);
$values = ['editor' => $this->editorId, 'format' => $format_id];
$plugin = $this->getMockBuilder('Drupal\editor\Plugin\EditorPluginInterface')
->disableOriginalConstructor()
->getMock();
$plugin->expects($this->once())
->method('getPluginDefinition')
->will($this->returnValue(array('provider' => 'test_module')));
->will($this->returnValue(['provider' => 'test_module']));
$plugin->expects($this->once())
->method('getDefaultSettings')
->will($this->returnValue(array()));
->will($this->returnValue([]));
$this->editorPluginManager->expects($this->any())
->method('createInstance')
@ -116,14 +116,14 @@ class EditorConfigEntityUnitTest extends UnitTestCase {
$storage = $this->getMock('Drupal\Core\Entity\EntityStorageInterface');
$storage->expects($this->once())
->method('load')
->with($format_id)
->will($this->returnValue($filter_format));
->method('load')
->with($format_id)
->will($this->returnValue($filter_format));
$this->entityManager->expects($this->once())
->method('getStorage')
->with('filter_format')
->will($this->returnValue($storage));
->method('getStorage')
->with('filter_format')
->will($this->returnValue($storage));
$dependencies = $entity->calculateDependencies()->getDependencies();
$this->assertContains('test_module', $dependencies['module']);

226
web/core/modules/editor/tests/src/Unit/EditorXssFilter/StandardTest.php
View file

@ -27,17 +27,17 @@ class StandardTest extends UnitTestCase {
->getMock();
$this->format->expects($this->any())
->method('getFilterTypes')
->will($this->returnValue(array(FilterInterface::TYPE_HTML_RESTRICTOR)));
$restrictions = array(
'allowed' => array(
->will($this->returnValue([FilterInterface::TYPE_HTML_RESTRICTOR]));
$restrictions = [
'allowed' => [
'p' => TRUE,
'a' => TRUE,
'*' => array(
'*' => [
'style' => FALSE,
'on*' => FALSE,
),
),
);
],
],
];
$this->format->expects($this->any())
->method('getHtmlRestrictions')
->will($this->returnValue($restrictions));
@ -49,130 +49,130 @@ class StandardTest extends UnitTestCase {
* @see \Drupal\Tests\editor\Unit\editor\EditorXssFilter\StandardTest::testFilterXss()
*/
public function providerTestFilterXss() {
$data = array();
$data[] = array('<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>');
$data[] = array('<p style="color:red">Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>');
$data[] = array('<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><script>alert("evil");</script>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>alert("evil");');
$data[] = array('<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><a href="javascript:alert(1)">test</a>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><a href="alert(1)">test</a>');
$data = [];
$data[] = ['<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>'];
$data[] = ['<p style="color:red">Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>'];
$data[] = ['<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><script>alert("evil");</script>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown>alert("evil");'];
$data[] = ['<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><a href="javascript:alert(1)">test</a>', '<p>Hello, world!</p><unknown>Pink Fairy Armadillo</unknown><a href="alert(1)">test</a>'];
// All cases listed on https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
// No Filter Evasion.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_Filter_Evasion
$data[] = array('<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>', '');
$data[] = ['<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>', ''];
// Image XSS using the JavaScript directive.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Image_XSS_using_the_JavaScript_directive
$data[] = array('<IMG SRC="javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
$data[] = ['<IMG SRC="javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">'];
// No quotes and no semicolon.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_quotes_and_no_semicolon
$data[] = array('<IMG SRC=javascript:alert(\'XSS\')>', '<IMG>');
$data[] = ['<IMG SRC=javascript:alert(\'XSS\')>', '<IMG>'];
// Case insensitive XSS attack vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Case_insensitive_XSS_attack_vector
$data[] = array('<IMG SRC=JaVaScRiPt:alert(\'XSS\')>', '<IMG>');
$data[] = ['<IMG SRC=JaVaScRiPt:alert(\'XSS\')>', '<IMG>'];
// HTML entities.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML_entities
$data[] = array('<IMG SRC=javascript:alert("XSS")>', '<IMG>');
$data[] = ['<IMG SRC=javascript:alert("XSS")>', '<IMG>'];
// Grave accent obfuscation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Grave_accent_obfuscation
$data[] = array('<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>', '<IMG>');
$data[] = ['<IMG SRC=`javascript:alert("RSnake says, \'XSS\'")`>', '<IMG>'];
// Malformed A tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Malformed_A_tags
$data[] = array('<a onmouseover="alert(document.cookie)">xxs link</a>', '<a>xxs link</a>');
$data[] = array('<a onmouseover=alert(document.cookie)>xxs link</a>', '<a>xxs link</a>');
$data[] = ['<a onmouseover="alert(document.cookie)">xxs link</a>', '<a>xxs link</a>'];
$data[] = ['<a onmouseover=alert(document.cookie)>xxs link</a>', '<a>xxs link</a>'];
// Malformed IMG tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Malformed_IMG_tags
$data[] = array('<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', '<IMG>alert("XSS")"&gt;');
$data[] = ['<IMG """><SCRIPT>alert("XSS")</SCRIPT>">', '<IMG>alert("XSS")"&gt;'];
// fromCharCode.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#fromCharCode
$data[] = array('<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>', '<IMG src="alert(String.fromCharCode(88,83,83))">');
$data[] = ['<IMG SRC=javascript:alert(String.fromCharCode(88,83,83))>', '<IMG src="alert(String.fromCharCode(88,83,83))">'];
// Default SRC tag to get past filters that check SRC domain.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_to_get_past_filters_that_check_SRC_domain
$data[] = array('<IMG SRC=# onmouseover="alert(\'xxs\')">', '<IMG src="#">');
$data[] = ['<IMG SRC=# onmouseover="alert(\'xxs\')">', '<IMG src="#">'];
// Default SRC tag by leaving it empty.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_empty
$data[] = array('<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG nmouseover="alert(&#039;xxs&#039;)">');
$data[] = ['<IMG SRC= onmouseover="alert(\'xxs\')">', '<IMG nmouseover="alert(&#039;xxs&#039;)">'];
// Default SRC tag by leaving it out entirely.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Default_SRC_tag_by_leaving_it_out_entirely
$data[] = array('<IMG onmouseover="alert(\'xxs\')">', '<IMG>');
$data[] = ['<IMG onmouseover="alert(\'xxs\')">', '<IMG>'];
// Decimal HTML character references.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Decimal_HTML_character_references
$data[] = array('<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>', '<IMG src="alert(&#039;XSS&#039;)">');
$data[] = ['<IMG SRC=&#106;&#97;&#118;&#97;&#115;&#99;&#114;&#105;&#112;&#116;&#58;&#97;&#108;&#101;&#114;&#116;&#40;&#39;&#88;&#83;&#83;&#39;&#41;>', '<IMG src="alert(&#039;XSS&#039;)">'];
// Decimal HTML character references without trailing semicolons.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Decimal_HTML_character_references_without_trailing_semicolons
$data[] = array('<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>', '<IMG src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041">');
$data[] = ['<IMG SRC=&#0000106&#0000097&#0000118&#0000097&#0000115&#0000099&#0000114&#0000105&#0000112&#0000116&#0000058&#0000097&#0000108&#0000101&#0000114&#0000116&#0000040&#0000039&#0000088&#0000083&#0000083&#0000039&#0000041>', '<IMG src="&amp;#0000106&amp;#0000097&amp;#0000118&amp;#0000097&amp;#0000115&amp;#0000099&amp;#0000114&amp;#0000105&amp;#0000112&amp;#0000116&amp;#0000058&amp;#0000097&amp;#0000108&amp;#0000101&amp;#0000114&amp;#0000116&amp;#0000040&amp;#0000039&amp;#0000088&amp;#0000083&amp;#0000083&amp;#0000039&amp;#0000041">'];
// Hexadecimal HTML character references without trailing semicolons.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Hexadecimal_HTML_character_references_without_trailing_semicolons
$data[] = array('<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>', '<IMG src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29">');
$data[] = ['<IMG SRC=&#x6A&#x61&#x76&#x61&#x73&#x63&#x72&#x69&#x70&#x74&#x3A&#x61&#x6C&#x65&#x72&#x74&#x28&#x27&#x58&#x53&#x53&#x27&#x29>', '<IMG src="&amp;#x6A&amp;#x61&amp;#x76&amp;#x61&amp;#x73&amp;#x63&amp;#x72&amp;#x69&amp;#x70&amp;#x74&amp;#x3A&amp;#x61&amp;#x6C&amp;#x65&amp;#x72&amp;#x74&amp;#x28&amp;#x27&amp;#x58&amp;#x53&amp;#x53&amp;#x27&amp;#x29">'];
// Embedded tab.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_tab
$data[] = array('<IMG SRC="jav ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
$data[] = ['<IMG SRC="jav ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">'];
// Embedded Encoded tab.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_Encoded_tab
$data[] = array('<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
$data[] = ['<IMG SRC="jav&#x09;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">'];
// Embedded newline to break up XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_newline_to_break_up_XSS
$data[] = array('<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
$data[] = ['<IMG SRC="jav&#x0A;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">'];
// Embedded carriage return to break up XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Embedded_carriage_return_to_break_up_XSS
$data[] = array('<IMG SRC="jav&#x0D;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
$data[] = ['<IMG SRC="jav&#x0D;ascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">'];
// Null breaks up JavaScript directive.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Null_breaks_up_JavaScript_directive
$data[] = array("<IMG SRC=java\0script:alert(\"XSS\")>", '<IMG>');
$data[] = ["<IMG SRC=java\0script:alert(\"XSS\")>", '<IMG>'];
// Spaces and meta chars before the JavaScript in images for XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Spaces_and_meta_chars_before_the_JavaScript_in_images_for_XSS
// @fixme This dataset currently fails under 5.4 because of
// https://www.drupal.org/node/1210798. Restore after it's fixed.
if (version_compare(PHP_VERSION, '5.4.0', '<')) {
$data[] = array('<IMG SRC=" &#14; javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">');
$data[] = ['<IMG SRC=" &#14; javascript:alert(\'XSS\');">', '<IMG src="alert(&#039;XSS&#039;);">'];
}
// Non-alpha-non-digit XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Non-alpha-non-digit_XSS
$data[] = array('<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '');
$data[] = array('<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>', '<BODY>');
$data[] = array('<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '');
$data[] = ['<SCRIPT/XSS SRC="http://ha.ckers.org/xss.js"></SCRIPT>', ''];
$data[] = ['<BODY onload!#$%&()*~+-_.,:;?@[/|\]^`=alert("XSS")>', '<BODY>'];
$data[] = ['<SCRIPT/SRC="http://ha.ckers.org/xss.js"></SCRIPT>', ''];
// Extraneous open brackets.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Extraneous_open_brackets
$data[] = array('<<SCRIPT>alert("XSS");//<</SCRIPT>', '&lt;alert("XSS");//&lt;');
$data[] = ['<<SCRIPT>alert("XSS");//<</SCRIPT>', '&lt;alert("XSS");//&lt;'];
// No closing script tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#No_closing_script_tags
$data[] = array('<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >', '');
$data[] = ['<SCRIPT SRC=http://ha.ckers.org/xss.js?< B >', ''];
// Protocol resolution in script tags.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Protocol_resolution_in_script_tags
$data[] = array('<SCRIPT SRC=//ha.ckers.org/.j>', '');
$data[] = ['<SCRIPT SRC=//ha.ckers.org/.j>', ''];
// Half open HTML/JavaScript XSS vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Half_open_HTML.2FJavaScript_XSS_vector
$data[] = array('<IMG SRC="javascript:alert(\'XSS\')"', '<IMG src="alert(&#039;XSS&#039;)">');
$data[] = ['<IMG SRC="javascript:alert(\'XSS\')"', '<IMG src="alert(&#039;XSS&#039;)">'];
// Double open angle brackets.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Double_open_angle_brackets
// @see http://ha.ckers.org/blog/20060611/hotbot-xss-vulnerability/ to
// understand why this is a vulnerability.
$data[] = array('<iframe src=http://ha.ckers.org/scriptlet.html <', '<iframe src="http://ha.ckers.org/scriptlet.html">');
$data[] = ['<iframe src=http://ha.ckers.org/scriptlet.html <', '<iframe src="http://ha.ckers.org/scriptlet.html">'];
// Escaping JavaScript escapes.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Escaping_JavaScript_escapes
@ -181,43 +181,43 @@ class StandardTest extends UnitTestCase {
// End title tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#End_title_tag
$data[] = array('</TITLE><SCRIPT>alert("XSS");</SCRIPT>', '</TITLE>alert("XSS");');
$data[] = ['</TITLE><SCRIPT>alert("XSS");</SCRIPT>', '</TITLE>alert("XSS");'];
// INPUT image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#INPUT_image
$data[] = array('<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">', '<INPUT type="IMAGE" src="alert(&#039;XSS&#039;);">');
$data[] = ['<INPUT TYPE="IMAGE" SRC="javascript:alert(\'XSS\');">', '<INPUT type="IMAGE" src="alert(&#039;XSS&#039;);">'];
// BODY image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_image
$data[] = array('<BODY BACKGROUND="javascript:alert(\'XSS\')">', '<BODY background="alert(&#039;XSS&#039;)">');
$data[] = ['<BODY BACKGROUND="javascript:alert(\'XSS\')">', '<BODY background="alert(&#039;XSS&#039;)">'];
// IMG Dynsrc.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_Dynsrc
$data[] = array('<IMG DYNSRC="javascript:alert(\'XSS\')">', '<IMG dynsrc="alert(&#039;XSS&#039;)">');
$data[] = ['<IMG DYNSRC="javascript:alert(\'XSS\')">', '<IMG dynsrc="alert(&#039;XSS&#039;)">'];
// IMG lowsrc.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_lowsrc
$data[] = array('<IMG LOWSRC="javascript:alert(\'XSS\')">', '<IMG lowsrc="alert(&#039;XSS&#039;)">');
$data[] = ['<IMG LOWSRC="javascript:alert(\'XSS\')">', '<IMG lowsrc="alert(&#039;XSS&#039;)">'];
// List-style-image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#List-style-image
$data[] = array('<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS</br>', 'li {list-style-image: url("javascript:alert(\'XSS\')");}<UL><LI>XSS</br>');
$data[] = ['<STYLE>li {list-style-image: url("javascript:alert(\'XSS\')");}</STYLE><UL><LI>XSS</br>', 'li {list-style-image: url("javascript:alert(\'XSS\')");}<UL><LI>XSS</br>'];
// VBscript in an image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#VBscript_in_an_image
$data[] = array('<IMG SRC=\'vbscript:msgbox("XSS")\'>', '<IMG src=\'msgbox(&quot;XSS&quot;)\'>');
$data[] = ['<IMG SRC=\'vbscript:msgbox("XSS")\'>', '<IMG src=\'msgbox(&quot;XSS&quot;)\'>'];
// Livescript (older versions of Netscape only).
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Livescript_.28older_versions_of_Netscape_only.29
$data[] = array('<IMG SRC="livescript:[code]">', '<IMG src="[code]">');
$data[] = ['<IMG SRC="livescript:[code]">', '<IMG src="[code]">'];
// BODY tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BODY_tag
$data[] = array('<BODY ONLOAD=alert(\'XSS\')>', '<BODY>');
$data[] = ['<BODY ONLOAD=alert(\'XSS\')>', '<BODY>'];
// Event handlers.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Event_Handlers
$events = array(
$events = [
'onAbort',
'onActivate',
'onAfterPrint',
@ -321,71 +321,71 @@ class StandardTest extends UnitTestCase {
'onUndo',
'onUnload',
'onURLFlip',
);
];
foreach ($events as $event) {
$data[] = array('<p ' . $event . '="javascript:alert(\'XSS\');">Dangerous llama!</p>', '<p>Dangerous llama!</p>');
$data[] = ['<p ' . $event . '="javascript:alert(\'XSS\');">Dangerous llama!</p>', '<p>Dangerous llama!</p>'];
}
// BGSOUND.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BGSOUND
$data[] = array('<BGSOUND SRC="javascript:alert(\'XSS\');">', '<BGSOUND src="alert(&#039;XSS&#039;);">');
$data[] = ['<BGSOUND SRC="javascript:alert(\'XSS\');">', '<BGSOUND src="alert(&#039;XSS&#039;);">'];
// & JavaScript includes.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#.26_JavaScript_includes
$data[] = array('<BR SIZE="&{alert(\'XSS\')}">', '<BR size="">');
$data[] = ['<BR SIZE="&{alert(\'XSS\')}">', '<BR size="">'];
// STYLE sheet.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_sheet
$data[] = array('<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">', '');
$data[] = ['<LINK REL="stylesheet" HREF="javascript:alert(\'XSS\');">', ''];
// Remote style sheet.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet
$data[] = array('<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">', '');
$data[] = ['<LINK REL="stylesheet" HREF="http://ha.ckers.org/xss.css">', ''];
// Remote style sheet part 2.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_2
$data[] = array('<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>', '@import\'http://ha.ckers.org/xss.css\';');
$data[] = ['<STYLE>@import\'http://ha.ckers.org/xss.css\';</STYLE>', '@import\'http://ha.ckers.org/xss.css\';'];
// Remote style sheet part 3.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_3
$data[] = array('<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">', '<META http-equiv="Link">; REL=stylesheet"&gt;');
$data[] = ['<META HTTP-EQUIV="Link" Content="<http://ha.ckers.org/xss.css>; REL=stylesheet">', '<META http-equiv="Link">; REL=stylesheet"&gt;'];
// Remote style sheet part 4.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Remote_style_sheet_part_4
$data[] = array('<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>', 'BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}');
$data[] = ['<STYLE>BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}</STYLE>', 'BODY{-moz-binding:url("http://ha.ckers.org/xssmoz.xml#xss")}'];
// STYLE tags with broken up JavaScript for XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tags_with_broken_up_JavaScript_for_XSS
$data[] = array('<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>', '@im\port\'\ja\vasc\ript:alert("XSS")\';');
$data[] = ['<STYLE>@im\port\'\ja\vasc\ript:alert("XSS")\';</STYLE>', '@im\port\'\ja\vasc\ript:alert("XSS")\';'];
// STYLE attribute using a comment to break up expression.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_attribute_using_a_comment_to_break_up_expression
$data[] = array('<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">', '<IMG>');
$data[] = ['<IMG STYLE="xss:expr/*XSS*/ession(alert(\'XSS\'))">', '<IMG>'];
// IMG STYLE with expression.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_STYLE_with_expression
$data[] = array('exp/*<A STYLE=\'no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
$data[] = ['exp/*<A STYLE=\'no\xss:noxss("*//*");
xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>'];
// STYLE tag (Older versions of Netscape only).
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_.28Older_versions_of_Netscape_only.29
$data[] = array('<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>', 'alert(\'XSS\');');
$data[] = ['<STYLE TYPE="text/javascript">alert(\'XSS\');</STYLE>', 'alert(\'XSS\');'];
// STYLE tag using background-image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background-image
$data[] = array('<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>', '.XSS{background-image:url("javascript:alert(\'XSS\')");}<A class="XSS"></A>');
$data[] = ['<STYLE>.XSS{background-image:url("javascript:alert(\'XSS\')");}</STYLE><A CLASS=XSS></A>', '.XSS{background-image:url("javascript:alert(\'XSS\')");}<A class="XSS"></A>'];
// STYLE tag using background.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#STYLE_tag_using_background
$data[] = array('<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>', 'BODY{background:url("javascript:alert(\'XSS\')")}');
$data[] = ['<STYLE type="text/css">BODY{background:url("javascript:alert(\'XSS\')")}</STYLE>', 'BODY{background:url("javascript:alert(\'XSS\')")}'];
// Anonymous HTML with STYLE attribute.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Anonymous_HTML_with_STYLE_attribute
$data[] = array('<XSS STYLE="xss:expression(alert(\'XSS\'))">', '<XSS>');
$data[] = ['<XSS STYLE="xss:expression(alert(\'XSS\'))">', '<XSS>'];
// Local htc file.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Local_htc_file
$data[] = array('<XSS STYLE="behavior: url(xss.htc);">', '<XSS>');
$data[] = ['<XSS STYLE="behavior: url(xss.htc);">', '<XSS>'];
// US-ASCII encoding.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#US-ASCII_encoding
@ -393,77 +393,77 @@ xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
// META.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META
$data[] = array('<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">', '<META http-equiv="refresh" content="alert(&#039;XSS&#039;);">');
$data[] = ['<META HTTP-EQUIV="refresh" CONTENT="0;url=javascript:alert(\'XSS\');">', '<META http-equiv="refresh" content="alert(&#039;XSS&#039;);">'];
// META using data.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META_using_data
$data[] = array('<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', '<META http-equiv="refresh" content="text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">');
$data[] = ['<META HTTP-EQUIV="refresh" CONTENT="0;url=data:text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">', '<META http-equiv="refresh" content="text/html base64,PHNjcmlwdD5hbGVydCgnWFNTJyk8L3NjcmlwdD4K">'];
// META with additional URL parameter
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#META
$data[] = array('<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">', '<META http-equiv="refresh" content="//;URL=javascript:alert(&#039;XSS&#039;);">');
$data[] = ['<META HTTP-EQUIV="refresh" CONTENT="0; URL=http://;URL=javascript:alert(\'XSS\');">', '<META http-equiv="refresh" content="//;URL=javascript:alert(&#039;XSS&#039;);">'];
// IFRAME.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME
$data[] = array('<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>', '<IFRAME src="alert(&#039;XSS&#039;);"></IFRAME>');
$data[] = ['<IFRAME SRC="javascript:alert(\'XSS\');"></IFRAME>', '<IFRAME src="alert(&#039;XSS&#039;);"></IFRAME>'];
// IFRAME Event based.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IFRAME_Event_based
$data[] = array('<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>', '<IFRAME src="#"></IFRAME>');
$data[] = ['<IFRAME SRC=# onmouseover="alert(document.cookie)"></IFRAME>', '<IFRAME src="#"></IFRAME>'];
// FRAME.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#FRAME
$data[] = array('<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>', '<FRAMESET><FRAME src="alert(&#039;XSS&#039;);"></FRAMESET>');
$data[] = ['<FRAMESET><FRAME SRC="javascript:alert(\'XSS\');"></FRAMESET>', '<FRAMESET><FRAME src="alert(&#039;XSS&#039;);"></FRAMESET>'];
// TABLE.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TABLE
$data[] = array('<TABLE BACKGROUND="javascript:alert(\'XSS\')">', '<TABLE background="alert(&#039;XSS&#039;)">');
$data[] = ['<TABLE BACKGROUND="javascript:alert(\'XSS\')">', '<TABLE background="alert(&#039;XSS&#039;)">'];
// TD.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#TD
$data[] = array('<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">', '<TABLE><TD background="alert(&#039;XSS&#039;)">');
$data[] = ['<TABLE><TD BACKGROUND="javascript:alert(\'XSS\')">', '<TABLE><TD background="alert(&#039;XSS&#039;)">'];
// DIV background-image.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image
$data[] = array('<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">', '<DIV>');
$data[] = ['<DIV STYLE="background-image: url(javascript:alert(\'XSS\'))">', '<DIV>'];
// DIV background-image with unicoded XSS exploit.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_with_unicoded_XSS_exploit
$data[] = array('<DIV STYLE="background-image:\0075\0072\006C\0028\'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029\'\0029">', '<DIV>');
$data[] = ['<DIV STYLE="background-image:\0075\0072\006C\0028\'\006a\0061\0076\0061\0073\0063\0072\0069\0070\0074\003a\0061\006c\0065\0072\0074\0028.1027\0058.1053\0053\0027\0029\'\0029">', '<DIV>'];
// DIV background-image plus extra characters.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_background-image_plus_extra_characters
$data[] = array('<DIV STYLE="background-image: url(&#1;javascript:alert(\'XSS\'))">', '<DIV>');
$data[] = ['<DIV STYLE="background-image: url(&#1;javascript:alert(\'XSS\'))">', '<DIV>'];
// DIV expression.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#DIV_expression
$data[] = array('<DIV STYLE="width: expression(alert(\'XSS\'));">', '<DIV>');
$data[] = ['<DIV STYLE="width: expression(alert(\'XSS\'));">', '<DIV>'];
// Downlevel-Hidden block.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Downlevel-Hidden_block
$data[] = array('<!--[if gte IE 4]>
$data[] = ['<!--[if gte IE 4]>
<SCRIPT>alert(\'XSS\');</SCRIPT>
<![endif]-->', "\n alert('XSS');\n ");
<![endif]-->', "\n alert('XSS');\n "];
// BASE tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#BASE_tag
$data[] = array('<BASE HREF="javascript:alert(\'XSS\');//">', '<BASE href="alert(&#039;XSS&#039;);//">');
$data[] = ['<BASE HREF="javascript:alert(\'XSS\');//">', '<BASE href="alert(&#039;XSS&#039;);//">'];
// OBJECT tag.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#OBJECT_tag
$data[] = array('<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>', '');
$data[] = ['<OBJECT TYPE="text/x-scriptlet" DATA="http://ha.ckers.org/scriptlet.html"></OBJECT>', ''];
// Using an EMBED tag you can embed a Flash movie that contains XSS.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Using_an_EMBED_tag_you_can_embed_a_Flash_movie_that_contains_XSS
$data[] = array('<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>', '');
$data[] = ['<EMBED SRC="http://ha.ckers.org/xss.swf" AllowScriptAccess="always"></EMBED>', ''];
// You can EMBED SVG which can contain your XSS vector.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#You_can_EMBED_SVG_which_can_contain_your_XSS_vector
$data[] = array('<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', '');
$data[] = ['<EMBED SRC="data:image/svg+xml;base64,PHN2ZyB4bWxuczpzdmc9Imh0dH A6Ly93d3cudzMub3JnLzIwMDAvc3ZnIiB4bWxucz0iaHR0cDovL3d3dy53My5vcmcv MjAwMC9zdmciIHhtbG5zOnhsaW5rPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5L3hs aW5rIiB2ZXJzaW9uPSIxLjAiIHg9IjAiIHk9IjAiIHdpZHRoPSIxOTQiIGhlaWdodD0iMjAw IiBpZD0ieHNzIj48c2NyaXB0IHR5cGU9InRleHQvZWNtYXNjcmlwdCI+YWxlcnQoIlh TUyIpOzwvc2NyaXB0Pjwvc3ZnPg==" type="image/svg+xml" AllowScriptAccess="always"></EMBED>', ''];
// XML data island with CDATA obfuscation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XML_data_island_with_CDATA_obfuscation
$data[] = array('<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>', '<XML id="xss"><I><B><IMG>cript:alert(\'XSS\')"&gt;</B></I></XML><SPAN datasrc="#xss" datafld="B" dataformatas="HTML"></SPAN>');
$data[] = ['<XML ID="xss"><I><B><IMG SRC="javas<!-- -->cript:alert(\'XSS\')"></B></I></XML><SPAN DATASRC="#xss" DATAFLD="B" DATAFORMATAS="HTML"></SPAN>', '<XML id="xss"><I><B><IMG>cript:alert(\'XSS\')"&gt;</B></I></XML><SPAN datasrc="#xss" datafld="B" dataformatas="HTML"></SPAN>'];
// Locally hosted XML with embedded JavaScript that is generated using an XML data island.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Locally_hosted_XML_with_embedded_JavaScript_that_is_generated_using_an_XML_data_island
@ -472,11 +472,11 @@ xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
// HTML+TIME in XML.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#HTML.2BTIME_in_XML
$data[] = array('<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">', '&lt;?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"&gt;&lt;?import namespace="t" implementation="#default#time2"&gt;<t set attributename="innerHTML">alert("XSS")"&gt;');
$data[] = ['<?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"><?import namespace="t" implementation="#default#time2"><t:set attributeName="innerHTML" to="XSS<SCRIPT DEFER>alert("XSS")</SCRIPT>">', '&lt;?xml:namespace prefix="t" ns="urn:schemas-microsoft-com:time"&gt;&lt;?import namespace="t" implementation="#default#time2"&gt;<t set attributename="innerHTML">alert("XSS")"&gt;'];
// Assuming you can only fit in a few characters and it filters against ".js".
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Assuming_you_can_only_fit_in_a_few_characters_and_it_filters_against_.22.js.22
$data[] = array('<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>', '');
$data[] = ['<SCRIPT SRC="http://ha.ckers.org/xss.jpg"></SCRIPT>', ''];
// IMG Embedded commands.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#IMG_Embedded_commands
@ -485,7 +485,7 @@ xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
// Cookie manipulation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#Cookie_manipulation
$data[] = array('<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">', '<META http-equiv="Set-Cookie">alert(\'XSS\')"&gt;');
$data[] = ['<META HTTP-EQUIV="Set-Cookie" Content="USERID=<SCRIPT>alert(\'XSS\')</SCRIPT>">', '<META http-equiv="Set-Cookie">alert(\'XSS\')"&gt;'];
// UTF-7 encoding.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#UTF-7_encoding
@ -493,13 +493,13 @@ xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
// XSS using HTML quote encapsulation.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#XSS_using_HTML_quote_encapsulation
$data[] = array('<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" \'\' SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '\'" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '` SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '\'&gt;" SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = array('<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>', 'document.write("<SCRI>PT SRC="http://ha.ckers.org/xss.js"&gt;');
$data[] = ['<SCRIPT a=">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" SRC="http://ha.ckers.org/xss.js"&gt;'];
$data[] = ['<SCRIPT =">" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" SRC="http://ha.ckers.org/xss.js"&gt;'];
$data[] = ['<SCRIPT a=">" \'\' SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '" \'\' SRC="http://ha.ckers.org/xss.js"&gt;'];
$data[] = ['<SCRIPT "a=\'>\'" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '\'" SRC="http://ha.ckers.org/xss.js"&gt;'];
$data[] = ['<SCRIPT a=`>` SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '` SRC="http://ha.ckers.org/xss.js"&gt;'];
$data[] = ['<SCRIPT a=">\'>" SRC="http://ha.ckers.org/xss.js"></SCRIPT>', '\'&gt;" SRC="http://ha.ckers.org/xss.js"&gt;'];
$data[] = ['<SCRIPT>document.write("<SCRI");</SCRIPT>PT SRC="http://ha.ckers.org/xss.js"></SCRIPT>', 'document.write("<SCRI>PT SRC="http://ha.ckers.org/xss.js"&gt;'];
// URL string evasion.
// @see https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet#URL_string_evasion
@ -511,12 +511,12 @@ xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
// @see \Drupal\editor\EditorXssFilter::filterXssDataAttributes()
// The following two test cases verify that XSS attack vectors are filtered.
$data[] = array('<img src="butterfly.jpg" data-caption="&lt;script&gt;alert();&lt;/script&gt;" />', '<img src="butterfly.jpg" data-caption="alert();" />');
$data[] = array('<img src="butterfly.jpg" data-caption="&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;" />', '<img src="butterfly.jpg" data-caption="" />');
$data[] = ['<img src="butterfly.jpg" data-caption="&lt;script&gt;alert();&lt;/script&gt;" />', '<img src="butterfly.jpg" data-caption="alert();" />'];
$data[] = ['<img src="butterfly.jpg" data-caption="&lt;EMBED SRC=&quot;http://ha.ckers.org/xss.swf&quot; AllowScriptAccess=&quot;always&quot;&gt;&lt;/EMBED&gt;" />', '<img src="butterfly.jpg" data-caption="" />'];
// When including HTML-tags as visible content, they are double-escaped.
// This test case ensures that we leave that content unchanged.
$data[] = array('<img src="butterfly.jpg" data-caption="&amp;lt;script&amp;gt;alert();&amp;lt;/script&amp;gt;" />', '<img src="butterfly.jpg" data-caption="&amp;lt;script&amp;gt;alert();&amp;lt;/script&amp;gt;" />');
$data[] = ['<img src="butterfly.jpg" data-caption="&amp;lt;script&amp;gt;alert();&amp;lt;/script&amp;gt;" />', '<img src="butterfly.jpg" data-caption="&amp;lt;script&amp;gt;alert();&amp;lt;/script&amp;gt;" />'];
return $data;
}
@ -573,27 +573,27 @@ xss:ex/*XSS*//*/*/pression(alert("XSS"))\'>', 'exp/*<A>');
* - (optional) The disallowed HTML tags to be passed to \Drupal\Component\Utility\Xss::filter().
*/
public function providerTestBlackListMode() {
return array(
array(
return [
[
'<unknown style="visibility:hidden">Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'<unknown>Pink Fairy Armadillo</unknown><video src="gerenuk.mp4">alert(0)',
'Disallow only the script tag',
array('script')
),
array(
['script']
],
[
'<unknown style="visibility:hidden">Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'<unknown>Pink Fairy Armadillo</unknown>alert(0)',
'Disallow both the script and video tags',
array('script', 'video')
),
['script', 'video']
],
// No real use case for this, but it is an edge case we must ensure works.
array(
[
'<unknown style="visibility:hidden">Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'<unknown>Pink Fairy Armadillo</unknown><video src="gerenuk.mp4"><script>alert(0)</script>',
'Disallow no tags',
array()
),
);
[]
],
];
}
}