
Commit 705e65a

committed
Improve and add tests
1 parent 316fb32 commit 705e65a


1 file changed

+22
-25
lines changed


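--- a/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
+++ b/tests/phpunit/tests/html-api/wpHtmlTagProcessorModifiableText.php
@@ -448,13 +448,14 @@ public static function data_tokens_with_basic_modifiable_text_updates() {
 * the structure of the containing element, such as in a script or comment.
 *
 * @ticket 61617
+* @ticket 62797
 *
 * @dataProvider data_unallowed_modifiable_text_updates
 *
 * @param string $html_with_nonempty_modifiable_text Will be used to find the test element.
 * @param string $invalid_update Update containing possibly-compromising text.
 */
-public function test_rejects_updates_with_unallowed_substrings( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
+public function test_rejects_dangerous_updates( string $html_with_nonempty_modifiable_text, string $invalid_update ) {
 $processor = new WP_HTML_Tag_Processor( $html_with_nonempty_modifiable_text );
 
 while ( '' === $processor->get_modifiable_text() && $processor->next_token() ) {
@@ -486,22 +487,17 @@ public function test_rejects_updates_with_unallowed_substrings( string $html_wit
 */
 public static function data_unallowed_modifiable_text_updates() {
 return array(
-'Comment with -->' => array( '<!-- this is a comment -->', 'Comments end in -->' ),
-'Comment with --!>' => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
-'XML type SCRIPT' => array( '<script type="text/xml">Replace me</script>', 'Just a </script>' ),
-'Non-JavaSript SCRIPT' => array( '<script language="plaintext">Replace me</script>', 'before</script id=sneak>after' ),
-
-// We can handle these now!
-//'SCRIPT with </script>' => array( '<script>Replace me</script>', 'Just a </script>' ),
-//'SCRIPT with </script attributes>' => array( '<script>Replace me</script>', 'before</script id=sneak>after' ),
-//'SCRIPT with "<script " opener' => array( '<script>Replace me</script>', '<!--<script ' ),
-
+'Comment with -->' => array( '<!-- this is a comment -->', 'Comments end in -->' ),
+'Comment with --!>' => array( '<!-- this is a comment -->', 'Invalid but legitimate comments end in --!>' ),
+'Non-JS SCRIPT with <script>' => array( '<script type="text/html">Replace me</script>', '<!-- Just a <script>' ),
+'Non-JS SCRIPT with </script>' => array( '<script type="text/html">Replace me</script>', 'Just a </script>' ),
+'Non-JS SCRIPT with <script attributes>' => array( '<script language="text">Replace me</script>', '<!-- <script sneaky>after' ),
+'Non-JS SCRIPT with </script attributes>' => array( '<script language="text">Replace me</script>', 'before</script sneaky>after' ),
 );
 }
 
 /**
-* Ensures that script tag contents are safely updated.
+* Ensures that JavaScript script tag contents are safely updated.
 *
 * @ticket 62797
 *
@@ -511,7 +507,7 @@ public static function data_unallowed_modifiable_text_updates() {
 * @param string $update Update containing possibly-compromising text.
 * @param string $expected Expected result.
 */
-public function test_safely_updates_dangerous_JavaScript_script_tag_contents( string $html, string $update, string $expected ) {
+public function test_safely_updates_script_tag_contents( string $html, string $update, string $expected ) {
 $processor = new WP_HTML_Tag_Processor( $html );
 $this->assertTrue( $processor->next_tag( 'SCRIPT' ) );
 $this->assertTrue( $processor->set_modifiable_text( $update ) );
@@ -525,17 +521,18 @@ public function test_safely_updates_dangerous_JavaScript_script_tag_contents( st
 */
 public static function data_script_tag_text_updates(): array {
 return array(
-'Simple update' => array( '<script></script>', '{}', '<script>{}</script>' ),
-'Needs no replacement' => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
-'var script;1<script>0' => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
-'1</script>/' => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
-'var SCRIPT;1<SCRIPT>0' => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
-'1</SCRIPT>/' => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
-'"</script>"' => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
-'"</ScRiPt>"' => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
-'Module tag' => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
-'Tag with type' => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
-'Tag with language' => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+'Simple update' => array( '<script></script>', '{}', '<script>{}</script>' ),
+'Needs no replacement' => array( '<script></script>', '<!--<scriptish>', '<script><!--<scriptish></script>' ),
+'var script;1<script>0' => array( '<script></script>', 'var script;1<script>0', '<script>var script;1<\u0073cript>0</script>' ),
+'1</script>/' => array( '<script></script>', '1</script>/', '<script>1</\u0073cript>/</script>' ),
+'var SCRIPT;1<SCRIPT>0' => array( '<script></script>', 'var SCRIPT;1<SCRIPT>0', '<script>var SCRIPT;1<\u0053CRIPT>0</script>' ),
+'1</SCRIPT>/' => array( '<script></script>', '1</SCRIPT>/', '<script>1</\u0053CRIPT>/</script>' ),
+'"</script>"' => array( '<script></script>', '"</script>"', '<script>"</\u0073cript>"</script>' ),
+'"</ScRiPt>"' => array( '<script></script>', '"</ScRiPt>"', '<script>"</\u0053cRiPt>"</script>' ),
+'Module tag' => array( '<script type="module"></script>', '"<script>"', '<script type="module">"<\u0073cript>"</script>' ),
+'Tag with type' => array( '<script type="text/javascript"></script>', '"<script>"', '<script type="text/javascript">"<\u0073cript>"</script>' ),
+'Tag with language' => array( '<script language="javascript"></script>', '"<script>"', '<script language="javascript">"<\u0073cript>"</script>' ),
+'Non-JS script, save HTML-like content' => array( '<script type="text/html"></script>', '<h1>This & that</h1>', '<script type="text/html"><h1>This & that</h1></script>' ),
 );
 }
 }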
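Review bot: The JavaScript rows in `data_script_tag_text_updates()` (fourth hunk) only cover a tag name followed directly by `>`, so the escaping is never exercised for a `script` name followed by whitespace or attributes. The commented-out rows this commit deletes from `data_unallowed_modifiable_text_updates()` (`'before</script id=sneak>after'` and `'<!--<script '`) had that shape for a plain `<script>`, and no equivalent was moved into the positive set. I would add a row such as `'</script attributes>' => array( '<script></script>', 'before</script id=sneak>after', '<script>before</\u0073cript id=sneak>after</script>' ),`; the expected string is inferred from the neighbouring rows and needs confirming against the processor. The docblock summary also now says "JavaScript script tag contents" while the renamed `test_safely_updates_script_tag_contents` receives the new `type="text/html"` row, so `Ensures that SCRIPT tag contents are safely updated.` would match better. That test method's body continues past the third hunk, so its final assertion is not visible here.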
