
Commit 529afad

committed
Improve and add tests
1 parent ed22488 commit 529afad


1 file changed

+23
-18
lines changed


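--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -448,13 +448,14 @@ public static function data_tokens_with_basic_modifiable_text_updates() {
 * the structure of the containing element, such as in a script or comment.
 *
 * @ticket 61617
+* @ticket 62797
 *
 * @dataProvider data_unallowed_modifiable_text_updates
 *
 * @param string $html_with_nonempty_modifiable_text Will be used to find the test element.
 * @param string $invalid_update Update containing possibly-compromising text.
 */
-public function test_rejects_updates_with_unallowed_substrings( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
+public function test_rejects_dangerous_updates( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
 $processor = new WP_HTML_Tag_Processor( $html_with_nonempty_modifiable_text );
 
 while ( '' === $processor->get_modifiable_text() && $processor->next_token() ) {
@@ -486,15 +487,18 @@ public function test_rejects_updates_with_unallowed_substrings( string $html_wit
 */
 public static function data_unallowed_modifiable_text_updates() {
 return array(
-'Comment with -->' => array( '<!-- this is a comment -->', 'Comments end in -->' ),
-'Comment with --!>' => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
-'SCRIPT with </script>' => array( '<script type="text/xml">Replace me</script>', 'Just a </script>' ),
-'SCRIPT with </script attributes>' => array( '<script language="plaintext">Replace me</script>', 'before</script id=sneak>after' ),
+'Comment with -->' => array( '<!-- this is a comment -->', 'Comments end in -->' ),
+'Comment with --!>' => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
+'Non-JS SCRIPT with <script>' => array( '<script type="text/html">Replace me</script>', '<!-- Just a <script>' ),
+'Non-JS SCRIPT with </script>' => array( '<script type="text/html">Replace me</script>', 'Just a </script>' ),
+'Non-JS SCRIPT with <script attributes>' => array( '<script language="text">Replace me</script>', '<!-- <script sneaky>after' ),
+'Non-JS SCRIPT with </script attributes>' => array( '<script language="text">Replace me</script>', 'before</script sneaky>after' ),
+
 );
 }
 
 /**
-* Ensures that script tag contents are safely updated.
+* Ensures that JavaScript script tag contents are safely updated.
 *
 * @ticket 62797
 *
@@ -504,7 +508,7 @@ public static function data_unallowed_modifiable_text_updates() {
 * @param string $update Update containing possibly-compromising text.
 * @param string $expected Expected result.
 */
-public function test_safely_updates_dangerous_JavaScript_script_tag_contents( string $html, string $update, string $expected ) {
+public function test_safely_updates_script_tag_contents( string $html, string $update, string $expected ) {
 $processor = new WP_HTML_Tag_Processor( $html );
 $this->assertTrue( $processor->next_tag( 'SCRIPT' ) );
 $this->assertTrue( $processor->set_modifiable_text( $update ) );
@@ -518,17 +522,18 @@ public function test_safely_updates_dangerous_JavaScript_script_tag_contents( st
 */
 public static function data_script_tag_text_updates(): array {
 return array(
-'Simple update' => array( '<script></script>', '{}', '<script>{}</script>' ),
-'Needs no replacement' => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
-'var script;1<script>0' => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
-'1</script>/' => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
-'var SCRIPT;1<SCRIPT>0' => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
-'1</SCRIPT>/' => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
-'"</script>"' => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
-'"</ScRiPt>"' => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
-'Module tag' => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
-'Tag with type' => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
-'Tag with language' => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+'Simple update' => array( '<script></script>', '{}', '<script>{}</script>' ),
+'Needs no replacement' => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
+'var script;1<script>0' => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
+'1</script>/' => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
+'var SCRIPT;1<SCRIPT>0' => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
+'1</SCRIPT>/' => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
+'"</script>"' => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
+'"</ScRiPt>"' => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+'Module tag' => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
+'Tag with type' => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
+'Tag with language' => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+'Non-JS script, save HTML-like content' => array( '<script type="text/html"></script>', '<h1>This & that</h1>', '<script type="text/html"><h1>This & that</h1></script>' ),
 );
 }
 }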
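Review bot: The rejection rows added to `data_unallowed_modifiable_text_updates()` spell the tag name only in lowercase, while the escaping rows in `data_script_tag_text_updates()` also cover `</SCRIPT>` and `</ScRiPt>`; HTML matches the SCRIPT end tag case-insensitively, so the non-JS rejection path should be pinned for mixed case too, e.g. `'Non-JS SCRIPT with </ScRiPt>' => array( '<script type="text/html">Replace me</script>', 'Just a </ScRiPt>' ),`. Neither provider has a row where `</script` is followed directly by `/` or a newline rather than `>` or a space, and those characters also terminate the tag name in the tokenizer. The docblock now reads "Ensures that JavaScript script tag contents are safely updated." but sits above a method renamed to `test_safely_updates_script_tag_contents` whose provider gained a `Non-JS script` row, so the summary should describe script tags in general and state that non-JS content is expected to be stored verbatim. Both test method bodies continue outside the hunks, so the exact assertions behind these rows are not visible here.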
