Commit c9083e68 authored by webchick

#276597 by sun: Coding style clean-ups for filter.test.

parent 7cc2218c
...@@ -14,13 +14,14 @@ class FilterAdminTestCase extends DrupalWebTestCase { ...@@ -14,13 +14,14 @@ class FilterAdminTestCase extends DrupalWebTestCase {
* Test filter administration functionality. * Test filter administration functionality.
*/ */
function testFilterAdmin() { function testFilterAdmin() {
$first_filter = 2; // URL filter. // URL filter.
$second_filter = 1; // Line filter. $first_filter = 2;
// Line filter.
$second_filter = 1;
// Create users. // Create users.
$admin_user = $this->drupalCreateUser(array('administer filters')); $admin_user = $this->drupalCreateUser(array('administer filters'));
$web_user = $this->drupalCreateUser(array('create page content')); $web_user = $this->drupalCreateUser(array('create page content'));
$this->drupalLogin($admin_user); $this->drupalLogin($admin_user);
list($filtered, $full) = $this->checkFilterFormats(); list($filtered, $full) = $this->checkFilterFormats();
...@@ -35,7 +36,7 @@ class FilterAdminTestCase extends DrupalWebTestCase { ...@@ -35,7 +36,7 @@ class FilterAdminTestCase extends DrupalWebTestCase {
// Add an additional tag. // Add an additional tag.
$edit = array(); $edit = array();
$edit['allowed_html_1'] = '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd>' . ' <quote>'; // Adding <quote> tag. $edit['allowed_html_1'] = '<a> <em> <strong> <cite> <code> <ul> <ol> <li> <dl> <dt> <dd> <quote>';
$this->drupalPost('admin/settings/formats/' . $filtered . '/configure', $edit, t('Save configuration')); $this->drupalPost('admin/settings/formats/' . $filtered . '/configure', $edit, t('Save configuration'));
$this->assertText(t('The configuration options have been saved.'), t('Allowed HTML tag added.')); $this->assertText(t('The configuration options have been saved.'), t('Allowed HTML tag added.'));
...@@ -103,7 +104,7 @@ class FilterAdminTestCase extends DrupalWebTestCase { ...@@ -103,7 +104,7 @@ class FilterAdminTestCase extends DrupalWebTestCase {
$this->drupalGet('node/add/page'); $this->drupalGet('node/add/page');
$this->assertRaw('<option value="' . $full . '">Full HTML</option>', t('Full HTML filter accessible.')); $this->assertRaw('<option value="' . $full . '">Full HTML</option>', t('Full HTML filter accessible.'));
// Use filtered HTML and see if it removes tags that arn't allowed. // Use filtered HTML and see if it removes tags that are not allowed.
$body = $this->randomName(); $body = $this->randomName();
$extra_text = 'text'; $extra_text = 'text';
...@@ -148,7 +149,8 @@ class FilterAdminTestCase extends DrupalWebTestCase { ...@@ -148,7 +149,8 @@ class FilterAdminTestCase extends DrupalWebTestCase {
/** /**
* Query the database to get the two basic formats. * Query the database to get the two basic formats.
* *
* @return Array Array containing filtered and full filter ids. * @return
* An array containing filtered and full filter ids.
*/ */
function checkFilterFormats() { function checkFilterFormats() {
$result = db_query('SELECT format, name FROM {filter_format}'); $result = db_query('SELECT format, name FROM {filter_format}');
...@@ -170,8 +172,10 @@ class FilterAdminTestCase extends DrupalWebTestCase { ...@@ -170,8 +172,10 @@ class FilterAdminTestCase extends DrupalWebTestCase {
/** /**
* Get filter by name. * Get filter by name.
* *
* @param string $name Name of filter to find. * @param $name
* @return object Filter object. * Name of filter to find.
* @return
* A filter object.
*/ */
function getFilter($name) { function getFilter($name) {
return db_query("SELECT * FROM {filter_format} WHERE name = :name", array(':name' => $name))->fetchObject(); return db_query("SELECT * FROM {filter_format} WHERE name = :name", array(':name' => $name))->fetchObject();
...@@ -200,7 +204,6 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -200,7 +204,6 @@ class FilterTestCase extends DrupalWebTestCase {
* Test the line break filter. * Test the line break filter.
*/ */
function testLineBreakFilter() { function testLineBreakFilter() {
// Single line breaks should be changed to <br /> tags, while paragraphs // Single line breaks should be changed to <br /> tags, while paragraphs
// separated with double line breaks should be enclosed with <p></p> tags. // separated with double line breaks should be enclosed with <p></p> tags.
$f = _filter_autop("aaa\nbbb\n\nccc"); $f = _filter_autop("aaa\nbbb\n\nccc");
...@@ -226,14 +229,15 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -226,14 +229,15 @@ class FilterTestCase extends DrupalWebTestCase {
/** /**
* Test limiting allowed tags, XSS prevention and adding 'nofollow' to links. * Test limiting allowed tags, XSS prevention and adding 'nofollow' to links.
* XSS tests assume that script is dissallowed on default and src is allowed on default, but on* and style are dissallowed. *
* XSS tests assume that script is dissallowed on default and src is allowed
* on default, but on* and style are dissallowed.
* *
* Script injection vectors mostly adopted from http://ha.ckers.org/xss.html. * Script injection vectors mostly adopted from http://ha.ckers.org/xss.html.
* *
* Relevant CVEs: * Relevant CVEs:
* CVE-2002-1806, ~CVE-2005-0682, ~CVE-2005-2106, CVE-2005-3973, * - CVE-2002-1806, ~CVE-2005-0682, ~CVE-2005-2106, CVE-2005-3973,
* CVE-2006-1226 (= rev. 1.112?), CVE-2008-0273, CVE-2008-3740. * CVE-2006-1226 (= rev. 1.112?), CVE-2008-0273, CVE-2008-3740.
*
*/ */
function testHtmlFilter() { function testHtmlFilter() {
// Tag stripping, different ways to work around removal of HTML tags. // Tag stripping, different ways to work around removal of HTML tags.
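Review bot: The rewrapped docblock above testHtmlFilter still carries the misspelling `dissallowed` (twice) and the phrase `on default`; since this commit is explicitly a coding-style clean-up of these comments, the two lines should read `* XSS tests assume that script is disallowed by default and src is allowed` / `* by default, but on* and style are disallowed.`. The same kind of leftover appears in the assert-helper docblocks in the `@@ -614` and `@@ -645` hunks, where the summary sentence is joined onto one line but the first one keeps the ungrammatical `does contains` (should be `contains`), and both joined lines run well past the width this commit otherwise wraps comments to. testHtmlFilter's body continues beyond the end of this hunk.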
...@@ -268,8 +272,8 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -268,8 +272,8 @@ class FilterTestCase extends DrupalWebTestCase {
$f = filter_xss('<script src=http://www.example.com/a.js?<b>'); $f = filter_xss('<script src=http://www.example.com/a.js?<b>');
$this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- no closing tag.')); $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- no closing tag.'));
// DRUPAL-SA-2008-047 (rev. 1.219) This doesn't seem exploitable, but the // DRUPAL-SA-2008-047: This doesn't seem exploitable, but the filter should
// filter should work consistently. // work consistently.
$f = filter_xss('<script>>'); $f = filter_xss('<script>>');
$this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- double closing tag.')); $this->assertNoNormalized($f, 'script', t('HTML tag stripping evasion -- double closing tag.'));
...@@ -320,7 +324,7 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -320,7 +324,7 @@ class FilterTestCase extends DrupalWebTestCase {
$f = filter_xss("<img o\0nfocus\0=alert(0)>", array('img')); $f = filter_xss("<img o\0nfocus\0=alert(0)>", array('img'));
$this->assertNoNormalized($f, 'focus', t('HTML filter attributes removal evasion -- breaking with nulls.')); $this->assertNoNormalized($f, 'focus', t('HTML filter attributes removal evasion -- breaking with nulls.'));
// Only whitelisted scheme names in allowed attributes. // Only whitelisted scheme names allowed in attributes.
$f = filter_xss('<img src="javascript:alert(0)">', array('img')); $f = filter_xss('<img src="javascript:alert(0)">', array('img'));
$this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing -- no evasion.')); $this->assertNoNormalized($f, 'javascript', t('HTML scheme clearing -- no evasion.'));
...@@ -388,8 +392,9 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -388,8 +392,9 @@ class FilterTestCase extends DrupalWebTestCase {
$f = filter_xss('<br size="&{alert(0)}">', array('br')); $f = filter_xss('<br size="&{alert(0)}">', array('br'));
$this->assertNoNormalized($f, 'alert', t('Netscape 4.x javascript entities.')); $this->assertNoNormalized($f, 'alert', t('Netscape 4.x javascript entities.'));
// Invalid UTF-8, these only work as reflected XSS with Internet Explorer 6. // DRUPAL-SA-2008-006: Invalid UTF-8, these only work as reflected XSS with
$f = filter_xss("<p arg=\"\xe0\">\" style=\"background-image: url(javascript:alert(0));\"\xe0<p>", array('p')); // DRUPAL-SA-2008-006 // Internet Explorer 6.
$f = filter_xss("<p arg=\"\xe0\">\" style=\"background-image: url(javascript:alert(0));\"\xe0<p>", array('p'));
$this->assertNoNormalized($f, 'style', t('HTML filter -- invalid UTF-8.')); $this->assertNoNormalized($f, 'style', t('HTML filter -- invalid UTF-8.'));
$f = filter_xss("\xc0aaa"); $f = filter_xss("\xc0aaa");
...@@ -399,16 +404,16 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -399,16 +404,16 @@ class FilterTestCase extends DrupalWebTestCase {
/** /**
* Test filter settings, defaults, access restrictions and similar. * Test filter settings, defaults, access restrictions and similar.
* *
* TODO: This is for functions like filter_filter and check_markup, whose * @todo This is for functions like filter_filter and check_markup, whose
* functionality is not completely focused on filtering. Some ideas: * functionality is not completely focused on filtering. Some ideas:
* restricting formats according to user permissions, proper cache * restricting formats according to user permissions, proper cache
* handling, defaults -- allowed tags/attributes/protocols. * handling, defaults -- allowed tags/attributes/protocols.
* *
* TODO: It is possible to add script, iframe etc. to allowed tags, but * @todo It is possible to add script, iframe etc. to allowed tags, but this
* this makes HTML filter completely ineffective. * makes HTML filter completely ineffective.
* *
* TODO: Class, id, name and xmlns should be added to disallowed attributes, * @todo Class, id, name and xmlns should be added to disallowed attributes,
* or better a whitelist approach should be used for that too. * or better a whitelist approach should be used for that too.
*/ */
function testFilter() { function testFilter() {
// Check that access restriction really works. // Check that access restriction really works.
...@@ -483,8 +488,9 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -483,8 +488,9 @@ class FilterTestCase extends DrupalWebTestCase {
} }
/** /**
* Test the HTML escaping filter. Here we test only whether check_plain() * Test the HTML escaping filter.
* does what it should. *
* Here we test only whether check_plain() does what it should.
*/ */
function testNoHtmlFilter() { function testNoHtmlFilter() {
// Test that characters that have special meaning in XML are changed into // Test that characters that have special meaning in XML are changed into
...@@ -567,7 +573,7 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -567,7 +573,7 @@ class FilterTestCase extends DrupalWebTestCase {
// Even though a dot at the end of a URL can indicate a fully qualified // Even though a dot at the end of a URL can indicate a fully qualified
// domain name, such usage is rare compared to using a link at the end // domain name, such usage is rare compared to using a link at the end
// of a sentence, so remove the dot from the link. // of a sentence, so remove the dot from the link.
// name. It can also be used at the end of a filename or a query string // @todo It can also be used at the end of a filename or a query string.
$f = _filter_url('www.example.com.', 'f'); $f = _filter_url('www.example.com.', 'f');
$this->assertEqual($f, '<a href="http://www.example.com" title="www.example.com">www.example.com</a>.', t('Converting URLs -- do not recognize a dot at the end of a domain name (FQDNs).')); $this->assertEqual($f, '<a href="http://www.example.com" title="www.example.com">www.example.com</a>.', t('Converting URLs -- do not recognize a dot at the end of a domain name (FQDNs).'));
...@@ -581,7 +587,7 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -581,7 +587,7 @@ class FilterTestCase extends DrupalWebTestCase {
/** /**
* Test the HTML corrector. * Test the HTML corrector.
* *
* TODO: This test could really use some validity checking function. * @todo This test could really use some validity checking function.
*/ */
function testHtmlCorrector() { function testHtmlCorrector() {
// Tag closing. // Tag closing.
...@@ -614,14 +620,12 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -614,14 +620,12 @@ class FilterTestCase extends DrupalWebTestCase {
function deleteFormat($format) { function deleteFormat($format) {
if ($format !== NULL) { if ($format !== NULL) {
// Delete new filter.
$this->drupalPost('admin/settings/formats/delete/' . $format->format, array(), t('Delete')); $this->drupalPost('admin/settings/formats/delete/' . $format->format, array(), t('Delete'));
} }
} }
/** /**
* Asserts that a text transformed to lowercase with HTML entities decoded * Asserts that a text transformed to lowercase with HTML entities decoded does contains a given string.
* does contains a given string.
* *
* Otherwise fails the test with a given message, similar to all the * Otherwise fails the test with a given message, similar to all the
* SimpleTest assert* functions. * SimpleTest assert* functions.
...@@ -645,8 +649,7 @@ class FilterTestCase extends DrupalWebTestCase { ...@@ -645,8 +649,7 @@ class FilterTestCase extends DrupalWebTestCase {
} }
/** /**
* Asserts that text transformed to lowercase with HTML entities decoded does * Asserts that text transformed to lowercase with HTML entities decoded does not contain a given string.
* not contain a given string.
* *
* Otherwise fails the test with a given message, similar to all the * Otherwise fails the test with a given message, similar to all the
* SimpleTest assert* functions. * SimpleTest assert* functions.