
Commit ad0c62c

committed
HTML API: Add tests asserting rejection of invalid HTML attribute names.
1 parent f79de34 commit ad0c62c


1 file changed

+62
-0
lines changed


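--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessor.php
@@ -311,6 +311,68 @@ public function test_set_attribute_is_case_insensitive() {
 $this->assertSame( '<div data-enabled="abc">Test</div>', $processor->get_updated_html(), 'A case-insensitive set_attribute call did not update the existing attribute' );
 }
 
+/**
+* Ensures that set_attribute doesn’t allow setting an
+* attribute with an invalid name and thus break syntax.
+*
+* @ticket {TICKET_NUMBER}
+*
+* @expectedIncorrectUsage WP_HTML_Tag_Processor::set_attribute
+*
+* @dataProvider data_invalid_attribute_names
+*
+* @param string $invalid_name Invalid attribute name.
+*/
+public function test_set_attribute_rejects_invalid_names( $invalid_name ) {
+$processor = new WP_HTML_Tag_Processor( '<div>' );
+$processor->next_tag();
+
+$this->assertFalse(
+$processor->set_attribute( $invalid_name, true ),
+'Should have rejected invalid attribute name.'
+);
+}
+
+/**
+* Data provider.
+*
+* @return array[]
+*/
+public static function data_invalid_attribute_names() {
+$invalid_names = array(
+'Empty' => array( '' ),
+);
+
+// Syntax-like characters.
+foreach ( str_split( '"\'>&</ =' ) as $c ) {
+$invalid_names[ $c ] = array( "too{$c}late" );
+}
+
+// C0 controls.
+for ( $i = 0; $i <= 0x1F; $i++ ) {
+$c = chr( $i );
+$invalid_names[ "C0 Controls: {$i}" ] = array( "shut{$c}down" );
+}
+
+// Noncharacters.
+for ( $i = 0xFDD0; $i <= 0xFDEF; $i++ ) {
+$h = dechex( $i );
+$c = mb_chr( $i );
+$invalid_names[ "Noncharacter: U+{$h}" ] = array( "shut{$c}down" );
+}
+
+for ( $b = 0; $b <= 16; $b++ ) {
+for ( $x = 0xFFFE; $x <= 0xFFFF; $x++ ) {
+$i = ( $b << 16 ) + $x;
+$h = dechex( $i );
+$c = mb_chr( $i );
+$invalid_names[ "Noncharacter: U+{$h}" ] = array( "shut{$c}down" );
+}
+}
+
+return $invalid_names;
+}
+
 /**
 * @ticket 56299
 *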
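Review bot: test_set_attribute_rejects_invalid_names checks only the `false` return of set_attribute(), so a regression that reports failure but still queues the attribute would pass; since the docblock says the goal is to keep invalid names from breaking syntax, also assert the serialized output, e.g. `$this->assertSame( '<div>', $processor->get_updated_html(), 'Rejected attribute name should not alter the markup.' );`. The provider covers C0 controls (0x00–0x1F) but not U+007F–U+009F, which the Infra definition of "control" behind the HTML attribute-name rule also includes; adding that range would close the gap, assuming set_attribute() is meant to follow that rule. `mb_chr( $i )` depends on the internal mbstring encoding, so `mb_chr( $i, 'UTF-8' )` would make the byte sequence under test explicit. The docblock still carries the placeholder `@ticket {TICKET_NUMBER}`, which should be replaced with the real ticket before merge.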
